This is page 3 of:
What Will It Take To Make Chip-and-PIN Happen In The U.S.?
Without consumer pressure on the issuing banks, it’s unlikely the brands and the banks will make the move to EMV on their own. PCI could force the change, but the brands still have huge control over PCI so that’s not likely to happen against the will of the brands. Wal-Mart’s lobbyists are trying to push Congress and federal regulators to get involved because, in a process of elimination, that’s probably the best shot to get Chip-and-PIN action any time soon. “Regulation is one way,” Henry said.
Editor’s Note:
- Page 1 of this Special Report covers Chicken And Egg: Why U.S. Chip-And-PIN Will Be So Difficult
- Page 2 covers Pushing Consumers
- Page 3 covers Will Government Intervention Happen? Would It Even Help?
How likely is federal action? Well, there are two types of federal action: legislative (make it a law to adopt—or to strongly encourage—Chip-and-PIN) and administrative policy (such as a procedural change from Treasury or Commerce that would provide the same kind of incentive).
Oddly enough, Wal-Mart’s Henry points to some recent legislative activity (the financial overhaul bill, just passed by the Senate and expected to be signed into law this summer) as perhaps giving the card brands some incentives to move to Chip-and-PIN. The rationale is that the new law will make it harder to increase interchange fees, which will mean that the brands might have to absorb more of the risk costs. That in turn, Henry argues, will make the brands more open to the more secure Chip-and-PIN approach.
Too many ifs and possibilities exist for the brands to be moved, though. First, the legislation could still be tweaked in committee. Second, even if the law reads pretty much as the bill does today, there are still plenty of agency interpretation points. In short, there’s no way to know whether there truly would be any additional limits on fees to cover fraud costs, nor if there will even be such a need because today’s fees already cover a generous amount of risk coverage.
With that much uncertainty, it’s unlikely Visa et al would be moved much.
What about more direct legislation dealing with Chip-and-PIN? That also seems highly unlikely. It’s not a consumer hot button, so there’s no great political reason for the administration of a member of Congress to push the issue. Even retailers will be unlikely to spend their political capital on this type of issue.
But getting relevant agencies to gently offer more flexibility for financial transactions that move through Chip-and-PIN? That seems much more likely, especially if it’s made in the context of national security. Such a step remains a bit of a reach, but not too much of one. One huge potential attack on the U.S. will be a cyber-attack on its economy. If the payment card networks are all Chip-and-PIN based, such an attack becomes slightly—admittedly only slightly—less easy.
Although no one at Visa would discuss this topic on the record, one source working with Visa offered an interesting thought. He said that Visa might be more open to an EMV-like effort if it was softened. “Why not Chip-and-not-PIN?” he asked.
That’s a perplexing suggestion. The general consensus has been that the brands are resisting EMV mostly because they want to delay going through the expense of the technology transition for as long as possible. But if this suggestion indicates Visa’s willingness to move to a chip approach—which is where almost all of the expense of the transition resides—why resist the PIN?
Surely in a new EMV environment all interchange would be subject to change, so it’s not necessarily like today’s world where signature means more money to the brands. Besides, virtually no one checks signatures anymore (not that they ever did, at least not in a meaningful and consistent way), so it seems silly to start a new system with signature.
Either way, given the comments from Wal-Mart’s Henry about signature-based charges (“As far as we are concerned, signature is a waste of time. It has to be PIN or nothing”), that doesn’t sound like an idea that will go too far with retailers.
-Marc
May 26th, 2010 at 10:31 am
Sounds like the real resistance issue is NIH — “not invented here”.
It seems rather ironic that the US has forced other countries to abide by its requirements for RFID passports, drivers’ licenses, etc. — all effective Chip & PIN technologies. And yet it resists credit card C&P…
May 26th, 2010 at 12:16 pm
Three reasons why the US will never have chip-and-PIN without a government mandate:
1) The card brands actually make money on fraud. Virtually all fraudulent transactions are charged back to the merchants, only a tiny % must be written off. Meanwhile, the brands make revenue on interchange fees for the original transactions as well as for the reversal fees and penalties.
2) The card brands charge interchange based upon “risk”. If all transactions are chip & PIN then that basically eliminates any justification for interchange rates above what is charged for PIN debit transactions. It will probably go that way eventually, but the card brands are in no hurry to get there.
3) Near-field-communications to your cell phone is the next-generation solution (essentially, your cell phone becomes your smart card). It’s arguably better than chip-and-PIN (powerful CPU + network comms), and eliminates the need (and costs) for issuing physical cards. Unfortunately, the cell phone companies want a piece of that action, and the banks do not want to share with them (or anyone). So the current game plan is to maintain the mag stripe infrastructure for a few more years until the cell phone companies can be made to provide free or low, flat-rate fees for NFC transactions.
Paywave and other RFID cards are simply “training wheels” for a cell-phone-based NFC infrastructure, and the PCI program is mostly a stop-gap measure to buy time at the merchants’ expense while NFC becomes achievable.
May 27th, 2010 at 12:08 pm
I believe that there should be a real incentive for Walmart that will let them oppose all US credit cards industry. Whatever the reason is, It can not be a short term thing and this movement must be a part of a larger plan. So looking for immediate or short term benefits may not provide any good answers. Walmart very well knows that moving from Magstripe to Chip-and-PIN will take a lot of time (took over 5 years in Europe after everyone agreed on the plan). Some logical reasons I can think of are :
1 – Walmart may be having a huge fraud rate especially happening at self service cash registers or they may be seeing an increasing pattern that will cost a lot of money in the following years. They might want to put precautions in place before that time comes.
2 – They may be planning to use the power of chip cards for areas other than plain payments, such as special loyalty programs. However this will require them to have close connections with some issuers. Or once the movement starts they may try to push some domestic extensions to EMV, which will not violate the cards’ out of US usage and will let Walmart benefit from such extra functionalities.
3 – They may be thinking of get the return of investment on Chip enabled devices they already have in place. When migrating from mag stripe to EMV, EU region have had some incentive programs for the merchants to move, such as reduced interchange for EMV transactions and protection from certain charge back reason codes. Since it will take a lot of time for issuers and other merchants to deploy EMV compatible systems, they will be the ones heavily benefiting from such incentives which may compensate their already paid costs.
4 – They may also be looking forward to reduce their development costs for different POS systems they own in different countries/parts of the world. I think this is unlikely to be a good reason because in any case they will need to do customizations for every country with respect to local regulations.
May 28th, 2010 at 4:19 pm
My opinion as someone that works with electronic payment security is that EMV is a poor solution. The real solution is what’s already organically developing in response to financial crime and increased demand for PCI scope reduction.
Deployment of EMV (aka Chip and PIN) prevents fraud in stores that ONLY accept EMV transactions. That’s it. EMV still involves systems handling plain text track data embedded in the chip. When that data is stolen by malware, it can be used to produce counterfeit magstripe cards for use in merchant locations still accepting magstripe. Alternatively, the data can be used to commit card not present fraud (telephone and mail order/e-commerce). The merchant accepting EMV still ends up with fines for the ccard data theft and the merchant accepting card not present or magstripe transactions still ends up with the chargebacks. Look around for reports on fraud trends in countries only accepting EMV. Fraud and card data theft didn’t drop. It just shifted.
In the US where there’s thousands of card-issuing banks, is it really cost effective to spend billions migrating to EMV? Even in a country deploying electronic payments for the first time and building an infrastructure from scratch, does it make sense? The cards themselves are more expensive than magstripe cards.
How about instead, we continue deploying technologies that encrypts card data between the furthest points possible, from a tamper resistant card acceptance peripheral all the way to the payment processor. For card not present, cards can go directly from cardholder to processor, removing merchants and developers from having to touch the card data. With these scope reduction technologies, only processors, the card brands, and card issuers are left handling plain text card data.
We can adopt technology like MagnePrint that can stop fraudulent card-present transactions (What EMV does) by detecting if a card is cloned or original.
In response to a prior poster, it’s ridiculous to accuse the card brands of profiting from fraud. Everyone in the payments and banking industry loses money because of fraud. Even if all directly related costs were magically recovered through chargebacks, fines, and interchange, lost consumer confidence causes less transactions. Lawsuits and operational overhead add additional cost you’re not taking into consideration.
May 28th, 2010 at 5:50 pm
Lucas, I agree with just about everything you’ve said, EXCEPT when you threw in “cost consumer confidence causes” fewer transactions. That’s simply not the case, courtesy of zero liability. Consumers are overwhelmingly apathetic when they DO know about these incidents, which is hardly ever. Just look at any of the major chains who were hit by Gonzalez’s gang alone: JCPenney, Target, TJX, BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, DSW, Forever 21, Hannaford and 7-Eleven, among others. None of those chains have reported any–not minimal, but any–revenue drops after their breaches were publicized.
The other points you raise are valid, but if we do nothing more this year than getting people to let go off that bogus belief, we’ll be quite happy.
May 28th, 2010 at 7:57 pm
Lucas clearly does not understand how EMV cards work. The statement that “EMV still involves systems handling plain text track data embedded in the chip” is simply laughable. EMV cards are not “flash memory” storage devices. They contain computer chips that perform sophisticated public-key encryption operations, and the card data is secure at all times. EMV cards are much more secure than the “tamper resistant card acceptance peripheral” approach Lucas recommends, because even a compromised terminal cannot break the EMV encryption.
And no, card fraud did not “shift” in countries with EMV, it is virtually non-existent in those locations, (the fraud shifted to other countries, and to the non-EMV cards used by American tourists). Also, because they do not rely on “tamper resistant” terminals, EMV cards can be used for secure eCommerce transactions, though technically those will be “card present”. Note, there is no way to protect against card-not-present fraud (e.g. telephone orders and mail orders). Think about it…
Finally, the banks do in fact make far more in transaction revenue from fraudulent transactions than they pay in fraud losses: Issuer fraud costs hover just over 1% of total expenses (Mercator Advisory Group report, December 2008). Even when you add their legal costs and other expenses, the fraud transaction revenue eclipses the issuers’ costs. With respect to fraud, the banks’ primary concern is to keep it below the level where merchants and/or consumers become nervous and stop using cards. Aside from that, cards are a cost-plus business for the banks, and fraud is just one small part of those costs. It is the merchants (like Wal-Mart) who bear the vast majority of the fraud losses. And, thanks to the PCI scheme, it is the merchants who are paying to prop-up an inherently insecure system that the banks have no particular motivation to actually fix.
May 29th, 2010 at 2:58 pm
PCI Guy, look in the EMV specification. There is track equivalent data embedded in the chip that gets passed to the host. Note that account number and exp date are also present which can be used to commit card not present fraud even in a world where nobody accepts magstripe. http://www.emvco.com/specifications.aspx?id=155
More in Wikipedia: http://en.wikipedia.org/wiki/EMV
Or here’s some nice Java code with examples. http://blog.saush.com/2006/09/08/getting-information-from-an-emv-chip-card/
Here’s an excellent report that not only covers EMV containing track data in the chip, but provides numbers to reflect fraud in the UK between 2004 and 2007. Google around to find more recent fraud loss numbers. “The UK, where a mix of SDA and DDA cards were issued, provides an early case study of the effect of the stronger payment authentication available on EMV cards. Total fraud losses in 2007 were actually 6 percent higher than in 2004, but the mix of fraud from various sources as well as the distribution of losses in and out of the UK changed substantially over this period.”
http://www.kansascityfed.org/Publicat/Econrev/PDF/3q08Sullivan.pdf
May 29th, 2010 at 8:56 pm
Card authentication data cannot be obtained from an EMV card. Without it, the PAN is essentially useless, and card-present fraud drops to near-zero. The only CP fraud that remains is because of continuing support for magnetic swipe data. As soon as everyone moves chip-and-pin and mag swipe goes away, card fraud will go away, too.
This of course refers to card-present transactions, and assumes dynamic authentication is used.
EMV cards do not increase or decrease the risk on Card-NOT-present transactions, but they can move eCommerce transactions into the “Card Present” category. If a card is not present then how could it provide any security?
Merchants performing card-not-present transactions understand the risk and make a business decision to accept that risk. They usually perform other types of authentication and/or have recourse to the buyer.
The Sullivan report confirms all of the above, and also explains the banks’ “revenue concerns” surrounding EMV. See for instance page 51: “bank revenue for payment services could be reduced” and page 55: “As a result, a costly effort is under way to harden the security of payment information…”
The dollar about of fraud losses increased 6% but fell sharply as a percentage dollar volume, because there was a significant increase in the number of transactions. According to the report: “Fraud declined by large margins… The reduction in fraud on lost or stolen cards was significant, proving that UK issuers achieved a major goal of EMV deployment.”
The Sullivan report (an excellent work!) pretty much confirms exactly what I stated: EMV is more secure and basically solves the problem; EMV is not being introduced into the USA because the banks would make less money, and merchants are bearing the vast majority of fraud loss costs and expenses for card security.
May 30th, 2010 at 9:02 am
Well, it’s only fair, given that I weighed in and agreed with most of Lucas’s comments (other than his consumer reticence thought) that I should do the same for PCI Guy. In general, I agree with PCI Guy’s points, too, to the extent that EMV is indeed significantly more secure than magstripe. And the business concerns are how you present them. But I have to sharply disagree with half of one of your sentences. You said “EMV is more secure and basically solved the problem.” Agreed that it’s more secure, but I have to draw the line at “solves the problem.” I’ll call your Sullivan report and raise you a Cambridge report.. No approach today is perfect and cyberthieves are well-funded, creative, patient and resourceful.
If we even briefly think that we’re solving a security problem, we’re in trouble. But like PCI itself, an approach can certainly be VERY far from perfect and still be the best option available. I’d argue that EMV is indeed that very imperfect approach, for now.
May 30th, 2010 at 3:46 pm
The hack developed by the Cambridge researchers was limited to static data authentication a.k.a. “offline transactions” whereby the EMV card alone authorizes a transaction without communicating with an issuer/host system. This feature was designed into EMV cards long ago, at a time when network communications were expensive, if even available at all, as a way to permit card usage for low-value transactions such as in vending machines. The EMV core technology of dynamic data authentication using strong public-key encryption remains unbroken. That is not to say it will never be broken, but if/when it is then we will all have a lot more to worry about than secure credit card transactions, because the same core technology is used for just about everything else including SSL data communications and access to government/military systems.
May 30th, 2010 at 5:13 pm
To anyone interested in this conversation, I advise you to read the links provided in earlier comments and educate yourself on the issue being discussed. The truth is in the referenced material. Thank you. :)
June 9th, 2010 at 1:14 am
Firstly, PCI Guy, Card companies DO NOT make money on fraud – that is just a stupid thing to say. Card Companies suffer Brand Damage as a result of fraud. Most of the Fraud is charged back to the Issuer and the Issuer is liable. The only time card fraud is charged back to the Merchant is for e-commerce and for Card not present transactions. The Card Brands DO NOT charge Interchange. The Interchange fee is what the Issuers of the cards earn for issuing the cards. Yes it is true that the Interchange fees are set based on Risk, but they flow to the Issuer.
I think that some general education in Card processing is needed before making comments like these.
Lucas, I agree that at the moment EMV only protects Card Present transactions – this is what it was designed to do.
However it can be utulised to provide Two Factor Authentication – one time password – to secure the Card Not Present space.
Further, I don’t agree that full encryption of track2 data, whether it is coming from the Chip or magstripe will eliminate Card Not Present Fraud, as the Pan and EXP date are visible on the card. What would help is for all Issuers to be checking the CVV2 value that is present on the card. CVV2 is not part of Track2, so even if you have this data you will still not be able to perform a fradulant transaction. Just this initiative would limit fraud to Lost and Stolen cards.
Also to add my two cents on the Fraud reduction with EMV. When the UK introduced EMV, fraud on Card not present transaction dropped drastically, and shifted to other countries and also shifted to Card Not Present transactions.
At the end of the day, EMV, at the moment is the best way of securing card present transactions….