This is page 2 of:
What Will It Take To Make Chip-and-PIN Happen In The U.S.?
Henry said the chain is hoping that U.S. consumers will then start lobbying their banks to begin offering the EMV cards because they’re more secure. But he conceded that American consumers’ legendary security apathy—fueled overwhelmingly by the card brands’ zero-liability programs—makes such a movement unlikely.
To avoid government action, the cause has to be embraced by the brands (primarily Visa) or at least by some of the largest card issuers. Wal-Mart has talked with all of them, and the reaction has been less then encouraging. That’s hardly surprising. The clout of Wal-Mart and other chains is huge, but not on this issue.
Editor’s Note:
- Page 1 of this Special Report covers Chicken And Egg: Why U.S. Chip-And-PIN Will Be So Difficult
- Page 2 covers Pushing Consumers
- Page 3 covers Will Government Intervention Happen? Would It Even Help?
Unless Wal-Mart threatens to stop accepting any MasterCard, AmericanExpress and Visa cards that are not EMV-compliant—which simply won’t happen—there’s little reason for Visa, MasterCard, Amex and the other brands to accommodate the retailer. That’s especially true when such accommodation would be extremely expensive and intrusive. Please don’t get us wrong. The card brands will almost certainly eventually make the move in the U.S., but they’ll do whatever they can to delay and drag it out. Unless, of course, something else forces their plastic rectangular hand.
Henry’s approach of getting consumers to pressure the issuing banks to make the move to Chip-and-PIN is a good one, but only on paper. What would motivate consumers to start such a campaign? Wal-Mart can’t offer consumers a discount for using Chip-and-PIN nor a special checkout lane—something that worked wonders for RFID’s EZPass during its launch mode, offering consumers lower prices coupled with faster checkout—because it sees that as a violation of its card agreement to treat all card customers equally, Henry said.
The lower card pricing would indeed almost certainly be a violation, but the dedicated checkout lanes probably would not. Still, it’s academic; those checkout lanes would likely prove too expensive in the beginning because almost no one would be able to use them.
This is a classic chicken-and-egg problem: How do you incent people to get something that almost no one has? If you offer something compelling for only those who have the card, it works well. But it needs to be something that costs you nothing—or virtually nothing—until a significant number of people get that item. Keeping a lane open only for Chip-and-PIN holders will be a rarely used huge waste of personnel until the marketshare increases sharply.
So what could retail chains offer consumers to get them to pressure issuing banks to make the move? Not much, other than the vague notion of increased security. That approach suffers from two problems.
The first—and much more important—issue is simple apathy. American credit card consumers do not care about security because they see zero liability as protecting them from fraud, which is generally a very valid belief. For debit card users, though, the situation is much different. There is a very strong and truthful argument that debit card customers are very much at risk at mag-stripe cards, an area where zero-liability protections are much weaker.
Even if the banks do ultimately offer reimbursement, a compromised consumer may have bounced lots of checks and suffered major damage to his reputation, in addition to being unable to pay bills, in the meantime. A temporary credit on a credit card avoids all of that.
But it’s almost impossible for retailers—especially Wal-Mart—to make that kind of a security argument to consumers, even for debit cards. That’s the second key problem. To do so would require them to attack the security of cards that they accept today and that represent the overwhelming majority of their sales. Retailers can’t argue that Chip-and-PIN is so much safer without telegraphing that the current cards are not safe. Not a wise move.
-Marc
May 26th, 2010 at 10:31 am
Sounds like the real resistance issue is NIH — “not invented here”.
It seems rather ironic that the US has forced other countries to abide by its requirements for RFID passports, drivers’ licenses, etc. — all effective Chip & PIN technologies. And yet it resists credit card C&P…
May 26th, 2010 at 12:16 pm
Three reasons why the US will never have chip-and-PIN without a government mandate:
1) The card brands actually make money on fraud. Virtually all fraudulent transactions are charged back to the merchants, only a tiny % must be written off. Meanwhile, the brands make revenue on interchange fees for the original transactions as well as for the reversal fees and penalties.
2) The card brands charge interchange based upon “risk”. If all transactions are chip & PIN then that basically eliminates any justification for interchange rates above what is charged for PIN debit transactions. It will probably go that way eventually, but the card brands are in no hurry to get there.
3) Near-field-communications to your cell phone is the next-generation solution (essentially, your cell phone becomes your smart card). It’s arguably better than chip-and-PIN (powerful CPU + network comms), and eliminates the need (and costs) for issuing physical cards. Unfortunately, the cell phone companies want a piece of that action, and the banks do not want to share with them (or anyone). So the current game plan is to maintain the mag stripe infrastructure for a few more years until the cell phone companies can be made to provide free or low, flat-rate fees for NFC transactions.
Paywave and other RFID cards are simply “training wheels” for a cell-phone-based NFC infrastructure, and the PCI program is mostly a stop-gap measure to buy time at the merchants’ expense while NFC becomes achievable.
May 27th, 2010 at 12:08 pm
I believe that there should be a real incentive for Walmart that will let them oppose all US credit cards industry. Whatever the reason is, It can not be a short term thing and this movement must be a part of a larger plan. So looking for immediate or short term benefits may not provide any good answers. Walmart very well knows that moving from Magstripe to Chip-and-PIN will take a lot of time (took over 5 years in Europe after everyone agreed on the plan). Some logical reasons I can think of are :
1 – Walmart may be having a huge fraud rate especially happening at self service cash registers or they may be seeing an increasing pattern that will cost a lot of money in the following years. They might want to put precautions in place before that time comes.
2 – They may be planning to use the power of chip cards for areas other than plain payments, such as special loyalty programs. However this will require them to have close connections with some issuers. Or once the movement starts they may try to push some domestic extensions to EMV, which will not violate the cards’ out of US usage and will let Walmart benefit from such extra functionalities.
3 – They may be thinking of get the return of investment on Chip enabled devices they already have in place. When migrating from mag stripe to EMV, EU region have had some incentive programs for the merchants to move, such as reduced interchange for EMV transactions and protection from certain charge back reason codes. Since it will take a lot of time for issuers and other merchants to deploy EMV compatible systems, they will be the ones heavily benefiting from such incentives which may compensate their already paid costs.
4 – They may also be looking forward to reduce their development costs for different POS systems they own in different countries/parts of the world. I think this is unlikely to be a good reason because in any case they will need to do customizations for every country with respect to local regulations.
May 28th, 2010 at 4:19 pm
My opinion as someone that works with electronic payment security is that EMV is a poor solution. The real solution is what’s already organically developing in response to financial crime and increased demand for PCI scope reduction.
Deployment of EMV (aka Chip and PIN) prevents fraud in stores that ONLY accept EMV transactions. That’s it. EMV still involves systems handling plain text track data embedded in the chip. When that data is stolen by malware, it can be used to produce counterfeit magstripe cards for use in merchant locations still accepting magstripe. Alternatively, the data can be used to commit card not present fraud (telephone and mail order/e-commerce). The merchant accepting EMV still ends up with fines for the ccard data theft and the merchant accepting card not present or magstripe transactions still ends up with the chargebacks. Look around for reports on fraud trends in countries only accepting EMV. Fraud and card data theft didn’t drop. It just shifted.
In the US where there’s thousands of card-issuing banks, is it really cost effective to spend billions migrating to EMV? Even in a country deploying electronic payments for the first time and building an infrastructure from scratch, does it make sense? The cards themselves are more expensive than magstripe cards.
How about instead, we continue deploying technologies that encrypts card data between the furthest points possible, from a tamper resistant card acceptance peripheral all the way to the payment processor. For card not present, cards can go directly from cardholder to processor, removing merchants and developers from having to touch the card data. With these scope reduction technologies, only processors, the card brands, and card issuers are left handling plain text card data.
We can adopt technology like MagnePrint that can stop fraudulent card-present transactions (What EMV does) by detecting if a card is cloned or original.
In response to a prior poster, it’s ridiculous to accuse the card brands of profiting from fraud. Everyone in the payments and banking industry loses money because of fraud. Even if all directly related costs were magically recovered through chargebacks, fines, and interchange, lost consumer confidence causes less transactions. Lawsuits and operational overhead add additional cost you’re not taking into consideration.
May 28th, 2010 at 5:50 pm
Lucas, I agree with just about everything you’ve said, EXCEPT when you threw in “cost consumer confidence causes” fewer transactions. That’s simply not the case, courtesy of zero liability. Consumers are overwhelmingly apathetic when they DO know about these incidents, which is hardly ever. Just look at any of the major chains who were hit by Gonzalez’s gang alone: JCPenney, Target, TJX, BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, DSW, Forever 21, Hannaford and 7-Eleven, among others. None of those chains have reported any–not minimal, but any–revenue drops after their breaches were publicized.
The other points you raise are valid, but if we do nothing more this year than getting people to let go off that bogus belief, we’ll be quite happy.
May 28th, 2010 at 7:57 pm
Lucas clearly does not understand how EMV cards work. The statement that “EMV still involves systems handling plain text track data embedded in the chip” is simply laughable. EMV cards are not “flash memory” storage devices. They contain computer chips that perform sophisticated public-key encryption operations, and the card data is secure at all times. EMV cards are much more secure than the “tamper resistant card acceptance peripheral” approach Lucas recommends, because even a compromised terminal cannot break the EMV encryption.
And no, card fraud did not “shift” in countries with EMV, it is virtually non-existent in those locations, (the fraud shifted to other countries, and to the non-EMV cards used by American tourists). Also, because they do not rely on “tamper resistant” terminals, EMV cards can be used for secure eCommerce transactions, though technically those will be “card present”. Note, there is no way to protect against card-not-present fraud (e.g. telephone orders and mail orders). Think about it…
Finally, the banks do in fact make far more in transaction revenue from fraudulent transactions than they pay in fraud losses: Issuer fraud costs hover just over 1% of total expenses (Mercator Advisory Group report, December 2008). Even when you add their legal costs and other expenses, the fraud transaction revenue eclipses the issuers’ costs. With respect to fraud, the banks’ primary concern is to keep it below the level where merchants and/or consumers become nervous and stop using cards. Aside from that, cards are a cost-plus business for the banks, and fraud is just one small part of those costs. It is the merchants (like Wal-Mart) who bear the vast majority of the fraud losses. And, thanks to the PCI scheme, it is the merchants who are paying to prop-up an inherently insecure system that the banks have no particular motivation to actually fix.
May 29th, 2010 at 2:58 pm
PCI Guy, look in the EMV specification. There is track equivalent data embedded in the chip that gets passed to the host. Note that account number and exp date are also present which can be used to commit card not present fraud even in a world where nobody accepts magstripe. http://www.emvco.com/specifications.aspx?id=155
More in Wikipedia: http://en.wikipedia.org/wiki/EMV
Or here’s some nice Java code with examples. http://blog.saush.com/2006/09/08/getting-information-from-an-emv-chip-card/
Here’s an excellent report that not only covers EMV containing track data in the chip, but provides numbers to reflect fraud in the UK between 2004 and 2007. Google around to find more recent fraud loss numbers. “The UK, where a mix of SDA and DDA cards were issued, provides an early case study of the effect of the stronger payment authentication available on EMV cards. Total fraud losses in 2007 were actually 6 percent higher than in 2004, but the mix of fraud from various sources as well as the distribution of losses in and out of the UK changed substantially over this period.”
http://www.kansascityfed.org/Publicat/Econrev/PDF/3q08Sullivan.pdf
May 29th, 2010 at 8:56 pm
Card authentication data cannot be obtained from an EMV card. Without it, the PAN is essentially useless, and card-present fraud drops to near-zero. The only CP fraud that remains is because of continuing support for magnetic swipe data. As soon as everyone moves chip-and-pin and mag swipe goes away, card fraud will go away, too.
This of course refers to card-present transactions, and assumes dynamic authentication is used.
EMV cards do not increase or decrease the risk on Card-NOT-present transactions, but they can move eCommerce transactions into the “Card Present” category. If a card is not present then how could it provide any security?
Merchants performing card-not-present transactions understand the risk and make a business decision to accept that risk. They usually perform other types of authentication and/or have recourse to the buyer.
The Sullivan report confirms all of the above, and also explains the banks’ “revenue concerns” surrounding EMV. See for instance page 51: “bank revenue for payment services could be reduced” and page 55: “As a result, a costly effort is under way to harden the security of payment information…”
The dollar about of fraud losses increased 6% but fell sharply as a percentage dollar volume, because there was a significant increase in the number of transactions. According to the report: “Fraud declined by large margins… The reduction in fraud on lost or stolen cards was significant, proving that UK issuers achieved a major goal of EMV deployment.”
The Sullivan report (an excellent work!) pretty much confirms exactly what I stated: EMV is more secure and basically solves the problem; EMV is not being introduced into the USA because the banks would make less money, and merchants are bearing the vast majority of fraud loss costs and expenses for card security.
May 30th, 2010 at 9:02 am
Well, it’s only fair, given that I weighed in and agreed with most of Lucas’s comments (other than his consumer reticence thought) that I should do the same for PCI Guy. In general, I agree with PCI Guy’s points, too, to the extent that EMV is indeed significantly more secure than magstripe. And the business concerns are how you present them. But I have to sharply disagree with half of one of your sentences. You said “EMV is more secure and basically solved the problem.” Agreed that it’s more secure, but I have to draw the line at “solves the problem.” I’ll call your Sullivan report and raise you a Cambridge report.. No approach today is perfect and cyberthieves are well-funded, creative, patient and resourceful.
If we even briefly think that we’re solving a security problem, we’re in trouble. But like PCI itself, an approach can certainly be VERY far from perfect and still be the best option available. I’d argue that EMV is indeed that very imperfect approach, for now.
May 30th, 2010 at 3:46 pm
The hack developed by the Cambridge researchers was limited to static data authentication a.k.a. “offline transactions” whereby the EMV card alone authorizes a transaction without communicating with an issuer/host system. This feature was designed into EMV cards long ago, at a time when network communications were expensive, if even available at all, as a way to permit card usage for low-value transactions such as in vending machines. The EMV core technology of dynamic data authentication using strong public-key encryption remains unbroken. That is not to say it will never be broken, but if/when it is then we will all have a lot more to worry about than secure credit card transactions, because the same core technology is used for just about everything else including SSL data communications and access to government/military systems.
May 30th, 2010 at 5:13 pm
To anyone interested in this conversation, I advise you to read the links provided in earlier comments and educate yourself on the issue being discussed. The truth is in the referenced material. Thank you. :)
June 9th, 2010 at 1:14 am
Firstly, PCI Guy, Card companies DO NOT make money on fraud – that is just a stupid thing to say. Card Companies suffer Brand Damage as a result of fraud. Most of the Fraud is charged back to the Issuer and the Issuer is liable. The only time card fraud is charged back to the Merchant is for e-commerce and for Card not present transactions. The Card Brands DO NOT charge Interchange. The Interchange fee is what the Issuers of the cards earn for issuing the cards. Yes it is true that the Interchange fees are set based on Risk, but they flow to the Issuer.
I think that some general education in Card processing is needed before making comments like these.
Lucas, I agree that at the moment EMV only protects Card Present transactions – this is what it was designed to do.
However it can be utulised to provide Two Factor Authentication – one time password – to secure the Card Not Present space.
Further, I don’t agree that full encryption of track2 data, whether it is coming from the Chip or magstripe will eliminate Card Not Present Fraud, as the Pan and EXP date are visible on the card. What would help is for all Issuers to be checking the CVV2 value that is present on the card. CVV2 is not part of Track2, so even if you have this data you will still not be able to perform a fradulant transaction. Just this initiative would limit fraud to Lost and Stolen cards.
Also to add my two cents on the Fraud reduction with EMV. When the UK introduced EMV, fraud on Card not present transaction dropped drastically, and shifted to other countries and also shifted to Card Not Present transactions.
At the end of the day, EMV, at the moment is the best way of securing card present transactions….