What Will It Take To Make Chip-and-PIN Happen In The U.S.?

Written by Evan Schuman
May 24th, 2010

Despite an aggressive campaign launched this month by Wal-Mart to push for its adoption, it looks increasingly likely that getting Chip-and-PIN (EMV) adopted in the U.S. will require government intervention. Wal-Mart execs and others in retail are still hoping to avoid such a federal move—knowing how much Fortune 500 boards love more regulation. But intransigence by major card brands, inertia from the biggest bank card issuers and deep-seated consumer security apathy may leave no alternative.

By early next year—and possibly by this year’s holiday season—Wal-Mart will start accepting Chip-and-PIN cards at all U.S. locations, said Jamie Henry, Wal-Mart’s director of payment services. Because of the global needs of the world’s largest retailer—its stores in much of the rest of the world already required Chip-and-PIN—Wal-Mart’s POS hardware in the States has supported Chip-and-PIN for years. (Well, Henry points out, it’s not absolutely complete yet, even hardware-wise. But it’s in place at 100 percent of the U.S. stores and 98 percent of the lanes in those stores.)

The POS software is not yet Chip-and-PIN compliant, but that should be in place “toward the end of this year or early next year,” Henry said. “It’s just a matter of coding to the specification.” Wal-Mart has been able to repurpose much of that code from other recent POS Chip-and-PIN work for other countries—such as Wal-Mart Canada—and much of the rest is dealing with the U.S. payment authentication mechanisms.

But being able to accept such payments won’t help Wal-Mart’s security situation unless U.S. consumers start using the cards there. Right now, no card issuer in the U.S. has issued Chip-and-PIN cards, with the exception of one specialty bank that supports United Nations employees. Most of these workers need cards that can work both in the U.S. (for when they leave the U.N. compound and venture into New York City or, heaven forbid, New Jersey) and in the countries they represent. Increasingly, non-U.S. retailers—especially in the U.K.—are strongly discouraging or even preventing the use of mag-stripe-only cards.

So when Wal-Mart is able to accept the Chip-and-PIN cards in January or so, what consumers would be in a position to offer them to get Wal-Mart goods? It’s an admittedly small set. There will be small pockets of country cross-overs from our two Chip-and-PIN accepting neighbors, Canada and Mexico. Those Canadian and Mexican consumers could impact Wal-Mart stores in regions that abut the extreme North and South. Then there are those U.N. employees, tourists and other visitors from the rest of the world. Initially, that will be about it.

At best, it’s hard to see those combined groups even breaking one percent of Wal-Mart’s U.S. purchases. What’s the plan to increase the U.S. acceptance of Chip-and-PIN?

Wal-Mart’s perspective is that it wants the U.S. financial industry to at least agree to a timetable. “The United States has made no progress. We’re not even on the field yet,” Henry said. “My concern is that, every single day, merchants are making a decision on IT. Wal-Mart is pushing for ‘Let’s get a plan. We’re going to plow ahead. We’re going to do it.'”


  1. Cranston Snoard Says:

    Sounds like the real resistance issue is NIH — “not invented here”.

    It seems rather ironic that the US has forced other countries to abide by its requirements for RFID passports, drivers’ licenses, etc. — all effective Chip & PIN technologies. And yet it resists credit card C&P…

  2. PCI Guy Says:

    Three reasons why the US will never have chip-and-PIN without a government mandate:
    1) The card brands actually make money on fraud. Virtually all fraudulent transactions are charged back to the merchants, only a tiny % must be written off. Meanwhile, the brands make revenue on interchange fees for the original transactions as well as for the reversal fees and penalties.
    2) The card brands charge interchange based upon “risk”. If all transactions are chip & PIN then that basically eliminates any justification for interchange rates above what is charged for PIN debit transactions. It will probably go that way eventually, but the card brands are in no hurry to get there.
    3) Near-field-communications to your cell phone is the next-generation solution (essentially, your cell phone becomes your smart card). It’s arguably better than chip-and-PIN (powerful CPU + network comms), and eliminates the need (and costs) for issuing physical cards. Unfortunately, the cell phone companies want a piece of that action, and the banks do not want to share with them (or anyone). So the current game plan is to maintain the mag stripe infrastructure for a few more years until the cell phone companies can be made to provide free or low, flat-rate fees for NFC transactions.
    Paywave and other RFID cards are simply “training wheels” for a cell-phone-based NFC infrastructure, and the PCI program is mostly a stop-gap measure to buy time at the merchants’ expense while NFC becomes achievable.

  3. Berke Baydu Says:

    I believe that there should be a real incentive for Walmart that will let them oppose the whole US credit card industry. Whatever the reason is, it cannot be a short term thing and this movement must be a part of a larger plan. So looking for immediate or short term benefits may not provide any good answers. Walmart very well knows that moving from Magstripe to Chip-and-PIN will take a lot of time (took over 5 years in Europe after everyone agreed on the plan). Some logical reasons I can think of are:

    1 – Walmart may be having a huge fraud rate especially happening at self service cash registers or they may be seeing an increasing pattern that will cost a lot of money in the following years. They might want to put precautions in place before that time comes.

    2 – They may be planning to use the power of chip cards for areas other than plain payments, such as special loyalty programs. However this will require them to have close connections with some issuers. Or once the movement starts they may try to push some domestic extensions to EMV, which will not violate the cards’ out of US usage and will let Walmart benefit from such extra functionalities.

    3 – They may be thinking of getting the return on investment on Chip enabled devices they already have in place. When migrating from mag stripe to EMV, the EU region had some incentive programs for the merchants to move, such as reduced interchange for EMV transactions and protection from certain charge back reason codes. Since it will take a lot of time for issuers and other merchants to deploy EMV compatible systems, they will be the ones heavily benefiting from such incentives which may compensate for their already paid costs.

    4 – They may also be looking forward to reducing their development costs for different POS systems they own in different countries/parts of the world. I think this is unlikely to be a good reason because in any case they will need to do customizations for every country with respect to local regulations.

  4. Lucas Zaichkowsky Says:

    My opinion as someone that works with electronic payment security is that EMV is a poor solution. The real solution is what’s already organically developing in response to financial crime and increased demand for PCI scope reduction.

    Deployment of EMV (aka Chip and PIN) prevents fraud in stores that ONLY accept EMV transactions. That’s it. EMV still involves systems handling plain text track data embedded in the chip. When that data is stolen by malware, it can be used to produce counterfeit magstripe cards for use in merchant locations still accepting magstripe. Alternatively, the data can be used to commit card not present fraud (telephone and mail order/e-commerce). The merchant accepting EMV still ends up with fines for the card data theft and the merchant accepting card not present or magstripe transactions still ends up with the chargebacks. Look around for reports on fraud trends in countries only accepting EMV. Fraud and card data theft didn’t drop. It just shifted.

    In the US where there’s thousands of card-issuing banks, is it really cost effective to spend billions migrating to EMV? Even in a country deploying electronic payments for the first time and building an infrastructure from scratch, does it make sense? The cards themselves are more expensive than magstripe cards.

    How about instead, we continue deploying technologies that encrypt card data between the furthest points possible, from a tamper resistant card acceptance peripheral all the way to the payment processor. For card not present, cards can go directly from cardholder to processor, removing merchants and developers from having to touch the card data. With these scope reduction technologies, only processors, the card brands, and card issuers are left handling plain text card data.

    We can adopt technology like MagnePrint that can stop fraudulent card-present transactions (What EMV does) by detecting if a card is cloned or original.

    In response to a prior poster, it’s ridiculous to accuse the card brands of profiting from fraud. Everyone in the payments and banking industry loses money because of fraud. Even if all directly related costs were magically recovered through chargebacks, fines, and interchange, lost consumer confidence causes fewer transactions. Lawsuits and operational overhead add additional cost you’re not taking into consideration.

  5. Evan Schuman Says:

    Lucas, I agree with just about everything you’ve said, EXCEPT when you threw in “lost consumer confidence causes” fewer transactions. That’s simply not the case, courtesy of zero liability. Consumers are overwhelmingly apathetic when they DO know about these incidents, which is hardly ever. Just look at any of the major chains who were hit by Gonzalez’s gang alone: JCPenney, Target, TJX, BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, DSW, Forever 21, Hannaford and 7-Eleven, among others. None of those chains have reported any–not minimal, but any–revenue drops after their breaches were publicized.
    The other points you raise are valid, but if we do nothing more this year than getting people to let go of that bogus belief, we’ll be quite happy.

  6. PCI Guy Says:

    Lucas clearly does not understand how EMV cards work. The statement that “EMV still involves systems handling plain text track data embedded in the chip” is simply laughable. EMV cards are not “flash memory” storage devices. They contain computer chips that perform sophisticated public-key encryption operations, and the card data is secure at all times. EMV cards are much more secure than the “tamper resistant card acceptance peripheral” approach Lucas recommends, because even a compromised terminal cannot break the EMV encryption.
    And no, card fraud did not “shift” in countries with EMV, it is virtually non-existent in those locations, (the fraud shifted to other countries, and to the non-EMV cards used by American tourists). Also, because they do not rely on “tamper resistant” terminals, EMV cards can be used for secure eCommerce transactions, though technically those will be “card present”. Note, there is no way to protect against card-not-present fraud (e.g. telephone orders and mail orders). Think about it…
    Finally, the banks do in fact make far more in transaction revenue from fraudulent transactions than they pay in fraud losses: Issuer fraud costs hover just over 1% of total expenses (Mercator Advisory Group report, December 2008). Even when you add their legal costs and other expenses, the fraud transaction revenue eclipses the issuers’ costs. With respect to fraud, the banks’ primary concern is to keep it below the level where merchants and/or consumers become nervous and stop using cards. Aside from that, cards are a cost-plus business for the banks, and fraud is just one small part of those costs. It is the merchants (like Wal-Mart) who bear the vast majority of the fraud losses. And, thanks to the PCI scheme, it is the merchants who are paying to prop-up an inherently insecure system that the banks have no particular motivation to actually fix.

  7. Lucas Zaichkowsky Says:

    PCI Guy, look in the EMV specification. There is track equivalent data embedded in the chip that gets passed to the host. Note that account number and exp date are also present which can be used to commit card not present fraud even in a world where nobody accepts magstripe.

    More in Wikipedia:

    Or here’s some nice Java code with examples.

    Here’s an excellent report that not only covers EMV containing track data in the chip, but provides numbers to reflect fraud in the UK between 2004 and 2007. Google around to find more recent fraud loss numbers. “The UK, where a mix of SDA and DDA cards were issued, provides an early case study of the effect of the stronger payment authentication available on EMV cards. Total fraud losses in 2007 were actually 6 percent higher than in 2004, but the mix of fraud from various sources as well as the distribution of losses in and out of the UK changed substantially over this period.”

  8. PCI Guy Says:

    Card authentication data cannot be obtained from an EMV card. Without it, the PAN is essentially useless, and card-present fraud drops to near-zero. The only CP fraud that remains is because of continuing support for magnetic swipe data. As soon as everyone moves to chip-and-pin and mag swipe goes away, card fraud will go away, too.

    This of course refers to card-present transactions, and assumes dynamic authentication is used.

    EMV cards do not increase or decrease the risk on Card-NOT-present transactions, but they can move eCommerce transactions into the “Card Present” category. If a card is not present then how could it provide any security?

    Merchants performing card-not-present transactions understand the risk and make a business decision to accept that risk. They usually perform other types of authentication and/or have recourse to the buyer.

    The Sullivan report confirms all of the above, and also explains the banks’ “revenue concerns” surrounding EMV. See for instance page 51: “bank revenue for payment services could be reduced” and page 55: “As a result, a costly effort is under way to harden the security of payment information…”

    The dollar amount of fraud losses increased 6% but fell sharply as a percentage of dollar volume, because there was a significant increase in the number of transactions. According to the report: “Fraud declined by large margins… The reduction in fraud on lost or stolen cards was significant, proving that UK issuers achieved a major goal of EMV deployment.”

    The Sullivan report (an excellent work!) pretty much confirms exactly what I stated: EMV is more secure and basically solves the problem; EMV is not being introduced into the USA because the banks would make less money, and merchants are bearing the vast majority of fraud loss costs and expenses for card security.

  9. Evan Schuman Says:

    Well, it’s only fair, given that I weighed in and agreed with most of Lucas’s comments (other than his consumer reticence thought) that I should do the same for PCI Guy. In general, I agree with PCI Guy’s points, too, to the extent that EMV is indeed significantly more secure than magstripe. And the business concerns are how you present them. But I have to sharply disagree with half of one of your sentences. You said “EMV is more secure and basically solved the problem.” Agreed that it’s more secure, but I have to draw the line at “solves the problem.” I’ll call your Sullivan report and raise you a Cambridge report. No approach today is perfect and cyberthieves are well-funded, creative, patient and resourceful.
    If we even briefly think that we’re solving a security problem, we’re in trouble. But like PCI itself, an approach can certainly be VERY far from perfect and still be the best option available. I’d argue that EMV is indeed that very imperfect approach, for now.

  10. PCI Guy Says:

    The hack developed by the Cambridge researchers was limited to static data authentication a.k.a. “offline transactions” whereby the EMV card alone authorizes a transaction without communicating with an issuer/host system. This feature was designed into EMV cards long ago, at a time when network communications were expensive, if even available at all, as a way to permit card usage for low-value transactions such as in vending machines. The EMV core technology of dynamic data authentication using strong public-key encryption remains unbroken. That is not to say it will never be broken, but if/when it is then we will all have a lot more to worry about than secure credit card transactions, because the same core technology is used for just about everything else including SSL data communications and access to government/military systems.

  11. Lucas Zaichkowsky Says:

    To anyone interested in this conversation, I advise you to read the links provided in earlier comments and educate yourself on the issue being discussed. The truth is in the referenced material. Thank you. :)

  12. EMV Australia Says:

    Firstly, PCI Guy, Card companies DO NOT make money on fraud – that is just a stupid thing to say. Card Companies suffer Brand Damage as a result of fraud. Most of the Fraud is charged back to the Issuer and the Issuer is liable. The only time card fraud is charged back to the Merchant is for e-commerce and for Card not present transactions. The Card Brands DO NOT charge Interchange. The Interchange fee is what the Issuers of the cards earn for issuing the cards. Yes it is true that the Interchange fees are set based on Risk, but they flow to the Issuer.

    I think that some general education in Card processing is needed before making comments like these.

    Lucas, I agree that at the moment EMV only protects Card Present transactions – this is what it was designed to do.
    However it can be utilised to provide Two Factor Authentication – one time password – to secure the Card Not Present space.

    Further, I don’t agree that full encryption of track2 data, whether it is coming from the Chip or magstripe will eliminate Card Not Present Fraud, as the PAN and EXP date are visible on the card. What would help is for all Issuers to be checking the CVV2 value that is present on the card. CVV2 is not part of Track2, so even if you have this data you will still not be able to perform a fraudulent transaction. Just this initiative would limit fraud to Lost and Stolen cards.

    Also to add my two cents on the Fraud reduction with EMV. When the UK introduced EMV, fraud on Card not present transaction dropped drastically, and shifted to other countries and also shifted to Card Not Present transactions.

    At the end of the day, EMV, at the moment is the best way of securing card present transactions….
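
An added example, not part of the article or of any commenter's post: the thread argues over whether a chip record carries "track equivalent data" (comment 7) and whether CVV2 is part of it (comment 12). This sketch walks a constructed EMV BER-TLV record, decodes tag 57 (Track 2 Equivalent Data), and returns a log-safe summary with the PAN masked to first six and last four digits. The sample record, the helper names and the public test PAN 4111111111111111 are assumptions made for illustration.

```python
def tlv(tag_hex, value):
    """Encode one TLV object (short-form length only; used to build the sample)."""
    return bytes.fromhex(tag_hex) + bytes([len(value)]) + value

# Constructed sample: record template 70 holding tags 57, 5A and 5F24.
TRACK2 = bytes.fromhex("4111111111111111D2512201123456789F")
SAMPLE_RECORD = tlv("70", tlv("57", TRACK2)
                    + tlv("5A", bytes.fromhex("4111111111111111"))
                    + tlv("5F24", bytes.fromhex("251231")))

def walk_tlv(data):
    """Yield (tag, value) for each primitive object, descending into templates."""
    i = 0
    while i < len(data):
        first = data[i]
        if first in (0x00, 0xFF):            # padding between objects
            i += 1
            continue
        tag_end = i + 1
        if first & 0x1F == 0x1F:             # multi-byte tag such as 5F24
            while data[tag_end] & 0x80:
                tag_end += 1
            tag_end += 1
        tag = data[i:tag_end].hex().upper()
        length = data[tag_end]
        i = tag_end + 1
        if length & 0x80:                    # long-form length
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        value = data[i:i + length]
        if len(value) != length:
            raise ValueError("truncated TLV object")
        i += length
        if first & 0x20:                     # constructed: parse the contents
            yield from walk_tlv(value)
        else:
            yield tag, value

def decode_track2_equivalent(value):
    """Split tag 57: PAN, 'D' separator, YYMM expiry, service code, discretionary."""
    nibbles = value.hex().upper().rstrip("F")   # trailing F pads to a whole byte
    pan, sep, rest = nibbles.partition("D")
    if not sep or len(rest) < 7:
        raise ValueError("not Track 2 Equivalent Data")
    return {"pan": pan, "expiry_yymm": rest[:4],
            "service_code": rest[4:7], "discretionary": rest[7:]}

def mask_pan(pan):
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def cardholder_data_in(record):
    """Log-safe summary of the cardholder data a chip record exposes."""
    found = {}
    for tag, value in walk_tlv(record):
        if tag == "57":                      # Track 2 Equivalent Data
            t2 = decode_track2_equivalent(value)
            t2["pan"] = mask_pan(t2["pan"])
            found["track2_equivalent"] = t2
        elif tag == "5A":                    # Application PAN
            found["application_pan"] = mask_pan(value.hex().upper().rstrip("F"))
        elif tag == "5F24":                  # Application Expiration Date, YYMMDD
            found["expiry_yymmdd"] = value.hex()
    return found
```

The decoded structure holds a PAN, an expiry date, a service code and issuer discretionary data, and has no field for the CVV2 printed on the card.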


