
Will Senate Bill Force The U.S. To Go Chip-And-PIN?

Written by Evan Schuman
June 24th, 2010

With Wal-Mart’s recent push for Chip-and-PIN in the U.S., the debate has been what could possibly push the banks into supporting such a costly move. One financial blog is making a compelling argument that the U.S. Senate may be about to jump into the U.S. EMV case.

Todd Ablowitz, president of the Double Diamond Group and one of the more interesting payment experts in the U.S. (for us, “interesting” is someone who thinks a well-balanced presentation is where all audience members are pissed-off equally), has been sitting with lobbyists and studying the Durbin bill, currently scheduled to go before a House-Senate conference committee on Thursday (June 24). His conclusion, with a little bit of mildly tortured logic: The bill will strongly incentivize banks to accelerate their acceptance of Chip-and-PIN in the U.S.

“This bill will likely cause interchange fees to be extremely low for debit transactions, unless the issuing bank complies with fraud prevention technology meeting the standards to be set by the Federal Reserve,” Ablowitz wrote. “So banks that do not meet the standards will collect much less interchange and likely will have higher fraud losses (assuming the chosen fraud technology is effective) while banks that do meet the standards will collect much higher interchange, because it will include the technology costs of the fraud prevention, and they will lower losses due to that fraud prevention. Which would you choose?”

Thus far, that sounds solid. He then takes a leap, arguing that the only possible global payment security standard that the Fed could opt for would be EMV and almost certainly Chip-and-PIN.

“The retailers argue that banks have long had a disincentive to improve fraud protection beyond a mag-stripe and signature, because PIN debit interchange was lower (hence less revenue for the banks), and the overall fraud losses on signature debit were much lower than the interchange benefit,” he wrote. “Regardless of whether one agrees with this argument, it seems clear this legislation aims to reverse the incentives, leading the banks to adopt EMV and Chip-and-PIN technology much sooner. The chance of EMV adoption in the U.S. just went up in a big way.”

It’s certainly possible that this bill could help EMV adoption. But Washington is a political town, so many possibilities exist. The bill will certainly not specify Chip-and-PIN or EMV, leaving such matters to be determined by the Fed. In a phone call, Ablowitz said that Congress today is much more retail-friendly than bank-friendly. But the Fed, on the other hand, is a most decidedly bank-friendly environment. (The Fed is comfortable with bankers and generally distrusts large retailers, while Congress sees its constituents comfortable with retailers but suspicious of bankers.)

Given a bill that is vague at best about EMV, will the Fed really push it? Will banks convince the Fed that there are plenty of other fraud-prevention techniques, such as the ones Visa and other brands have already spent millions deploying?

There’s an interesting irony here. Retailers want Chip-and-PIN. Even MasterCard and Visa don’t really hate Chip-and-PIN; they merely want to resist it as long as they can. It’s the banks that are resisting it. But even their resistance is minimal. Just about all of the players concede that some form of EMV will inevitably come to the U.S. The question is “when?”

Even the most aggressive version doesn’t have EMV in the States—in a meaningful installed-base way—for three years and quite easily five years. Given that so many security factors will be radically different in five or more years, it’s unclear whether EMV would even be anywhere close to leading edge then.

I think Ablowitz is making a fascinating case, but the politics of Washington and the ever-changing state of security more likely mean this bill will have little near-term impact.



4 Comments

  1. Daniel Beaudoin Says:

    Interesting to think that they have had that in France since the 80’s and we are, in our advanced country, just really starting to discuss going that way.

  2. Lucas Zaichkowsky Says:

    Daniel, it’s not at all that simple.

    The credit card system in the United States has hundreds to thousands of card issuers spanning banks of all different sizes. It’s been building since the early 70s when present day information systems and the Internet were beyond our imagination. EMV was deployed in these other countries because it made financial sense for them. Their card-present fraud rates were higher than in the US when on magstripe. They have only a handful of card issuing banks, and a smaller and newer electronic payment infrastructure. As a result, the cost to deploy a new technology for card present payments was less than eating the fraud in those countries.

    We are not in a terrible position.

    EMV implementations deployed today would be a poor choice to mimic if we were to undertake a card present infrastructure upgrade. Currently, EMV only provides a high level of confidence that chip transactions are genuine, resulting in lower fraud rates at merchant locations that only accept EMV payments. That’s it. It’s not a magic silver bullet to stopping card data theft and fraud.

    There is still track data in the card that can be stolen if systems are hacked. Even when transactions are done using the chip, track equivalent data is passed around in the clear that can be used to clone magstripe cards for use in merchant locations accepting magstripe payments. Even if the chip uses the newer iCVV value inside the track equivalent data to prevent magstripe card cloning, the card number and expiration date are still exposed in the clear which can be used for card not present (CNP) fraud. There are still many merchants that do not use AVS or CVV2 to prevent CNP fraud, especially with Mail Order/Telephone Order.

    Read this report: http://weis2010.econinfosec.org/papers/panel/weis2010_sullivan.pdf

    In my opinion, what we need is an EMV implementation that is backwards compatible with other existing implementations. But in ours, there should be a next step in security baked into our deployment. Stop transmitting track data, account number, and expiration date in plain text! The terminal should encrypt not only the encrypted PIN data used to authenticate the card and user, but also encrypt any other sensitive data that can be used for fraud. The industry is already moving to “end to end encryption” to do this with our current card present payments method. That buys us time to roll out a hybrid E2E/EMV standard. Maybe it’ll actually be developed by EMVco and presented as just a new version of EMV.

  3. Ty Hardison Says:

    It’s been reported that it will cost US merchants $6.75 Billion to upgrade POS to EMV. Why will merchants make this investment to pay higher Interchange?

    Why Visa and MasterCard Should Voluntarily Lower Interchange
    Posted on June 16, 2010 04:44 by Ty Hardison

    Lately I’ve read many articles about Contactless and Near Field Communication (NFC) payments, the prospects for merchant and consumer adoption, bridge technologies and market trials. Contactless payments, which feature speed, convenience, security and more functionality that leverages the mobile network, can outperform legacy mag-stripe payment technology. NFC promises smart phones as payment devices, which in turn promise to change consumer expectations about buying everything from mass transit, fast food and concert tickets, to the retail brands themselves.

    At the same time, U.S. cardholders increasingly find it difficult to use mag-stripe cards outside the U.S. As we discussed here, the U.S. EMV strategy hinges on contactless / NFC adoption. Some believe EMV 2.0 in the U.S. will be contactless and mobile payments and serve as a disruptive technology that will usher in even more payment players from mobile carriers to Apple and Google.

    Yet contactless and NFC payment technologies face the classic “chicken or egg” dilemma. Payments is a platform business and the principle of network effects is required to build a two sided market where both card issuing and merchant acceptance must compel each other forward with the prime objective to encourage use.

    So what will be required to advance contactless payments? Will it take millions of additional contactless cards to be issued (or will it take NFC smart phones to replace cards) or will it take hundreds of thousands of U.S. merchants installing devices to accept contactless payments?

    From most accounts the lack of merchant acceptance of contactless payments is a key barrier blocking NFC contactless payments. Without the widespread installation of readers, contactless is stalled. A Javelin Strategy & Research report estimated the basic cost to deploy EMV POS terminals at $6.75 Billion, not including the cost of implementation. The low percentage of merchants that accept contactless payments (I’ve seen figures from 70,000 to 200,000 U.S. merchant point of sale payment terminals that accept contactless payments) reduces the incentive for banks to issue chip cards, NFC phones, tags, stickers, etc.

    What will it take to get merchants to upgrade, replace or add devices to their existing terminals and POS systems to accept contactless payments? What’s the incentive for merchants to invest in contactless readers? The business case has evolved over the years from faster lines and replacing cash, to enabling no signature required and chargeback liability, to loyalty programs that create a more informed shopping experience. But the real fuel that contactless payments needs is in the form of incentive Interchange rates. Nothing works like financial incentive.

    Another main problem is the lack of consumer awareness, with no aggressive campaign by merchants to steer consumers who have contactless cards to use them. The presence of contactless devices alone will not guarantee usage. Merchant staff must become more adept at facilitating contactless transactions. Merchants must support effective training of employees who can in turn show and tell consumers how pleasant and easy contactless purchases can be. Think about how merchants installed PIN pads and were instrumental in steering consumers to enter their 4 digit secret PIN by asking credit or debit? Why did they do this? There was a financial incentive to do so.

    Contactless payments derailed by government intervention

    The Senate passed S. 3217, the “Restoring American Financial Stability Act” on May 20, 2010. This legislation attempts to overhaul the regulatory structure of America’s financial system through increased regulations and the restructuring of our financial regulators. Then along comes the Durbin Amendment. The Durbin Amendment attempts to impose government regulation of Interchange, setting different pricing for the same service and then trying to legislate out competitive market pressures that would naturally bring these together. Considering the importance of the payment system to our economy, consumers, businesses and banks, I feel any Interchange regulation should warrant a stand alone comprehensive approach and its own legislation (if any), not a last minute political earmark amendment.

    The unintended consequences of Interchange legislation should be a concern for all parties, but particularly for small businesses as I’ve discussed here. As it relates to disrupting contactless payments, the Durbin Amendment provides for the setting of minimum charge amounts and challenges the business case of banks issuing and managing debit card programs.

    A preemptive strike by the card companies could change the debate and advance the next generation payment technology. Instead of solely a defensive strategy against legislation and litigation, Visa and MasterCard should set a voluntary and substantial reduction in Interchange in exchange for contactless payment acceptance.

    This was the strategy in the late 80s when I first entered the payments industry. Back then merchants were using a knuckle buster to manually imprint cards and paying a 4% paper draft rate to carry them into the bank teller. We would reduce a merchant’s rate to 2% by investing in a VeriFone Zon electronic draft-capture (EDC) terminal. Sure the terminal was faster and more efficient but that’s not why merchants adopted them, they adopted them for the savings.

    Before government or court ordered Interchange intervention, the card companies would be wise to invest in contactless. Visa and MasterCard could make the case that continuing to use old payment technology (mag-stripe cards) carries more risk; and therefore, justifies higher Interchange. And merchants should realize that mag-stripe payment technology will not serve their best interest in the future and that issuers who rely on Interchange income will play an important role in advancing the next generation of payments in the U.S.

  4. David Marsh Says:

    I agree that Chip & PIN will only address a very specific type of attack. There needs to be more comprehensive security built into the payment systems, starting with encryption as Lucas noted above. However, encryption alone is not enough. Tokenization should also be deployed to minimize the risk of merchant breaches.

    If the Fed is going to choose security measures that will reduce fraud, they should emphasize a layered defensive approach that will mitigate multiple types of attack. The fraud countermeasures can ensure secure transmission into the payment networks occurs and then ensure that no PAN data is returned to the merchants.
