
This is page 2 of:

What Will It Take To Make Chip-and-PIN Happen In The U.S.?

May 24th, 2010

Henry said the chain is hoping that U.S. consumers will then start lobbying their banks to begin offering the EMV cards because they’re more secure. But he conceded that American consumers’ legendary security apathy—fueled overwhelmingly by the card brands’ zero-liability programs—makes such a movement unlikely.

To avoid government action, the cause has to be embraced by the brands (primarily Visa) or at least by some of the largest card issuers. Wal-Mart has talked with all of them, and the reaction has been less than encouraging. That’s hardly surprising. The clout of Wal-Mart and other chains is huge, but not on this issue.

Editor’s Note:

Unless Wal-Mart threatens to stop accepting any MasterCard, American Express and Visa cards that are not EMV-compliant—which simply won’t happen—there’s little reason for Visa, MasterCard, Amex and the other brands to accommodate the retailer. That’s especially true when such accommodation would be extremely expensive and intrusive. Please don’t get us wrong. The card brands will almost certainly make the move in the U.S. eventually, but they’ll do whatever they can to delay and drag it out. Unless, of course, something else forces their plastic rectangular hand.

Henry’s approach of getting consumers to pressure the issuing banks to make the move to Chip-and-PIN is a good one, but only on paper. What would motivate consumers to start such a campaign? Wal-Mart can’t offer consumers a discount for using Chip-and-PIN, nor a special checkout lane—something that worked wonders for the RFID-based EZPass toll system during its launch, which offered consumers lower prices coupled with faster throughput—because it sees that as a violation of its card agreement to treat all card customers equally, Henry said.

The lower card pricing would indeed almost certainly be a violation, but the dedicated checkout lanes probably would not. Still, it’s academic; those checkout lanes would likely prove too expensive in the beginning because almost no one would be able to use them.

This is a classic chicken-and-egg problem: How do you give people an incentive to get something that almost no one has? If you offer something compelling only to those who have the card, it works well. But it needs to be something that costs you nothing—or virtually nothing—until a significant number of people get that item. Keeping a lane open only for Chip-and-PIN holders would be a rarely used lane and a huge waste of personnel until the market share increases sharply.

So what could retail chains offer consumers to get them to pressure issuing banks to make the move? Not much, other than the vague notion of increased security. That approach suffers from two problems.

The first—and much more important—issue is simple apathy. American credit card consumers do not care about security because they see zero liability as protecting them from fraud, which is generally a very valid belief. For debit card users, though, the situation is much different. There is a very strong and truthful argument that debit card customers are very much at risk with mag-stripe cards, an area where zero-liability protections are much weaker.

Even if the banks do ultimately offer reimbursement, a compromised consumer may have bounced lots of checks and suffered major damage to his reputation, in addition to being unable to pay bills, in the meantime. A temporary credit on a credit card avoids all of that.

But it’s almost impossible for retailers—especially Wal-Mart—to make that kind of a security argument to consumers, even for debit cards. That’s the second key problem. To do so would require them to attack the security of cards that they accept today and that represent the overwhelming majority of their sales. Retailers can’t argue that Chip-and-PIN is so much safer without telegraphing that the current cards are not safe. Not a wise move.



12 Comments

  1. Cranston Snoard Says:

    Sounds like the real resistance issue is NIH — “not invented here”.

    It seems rather ironic that the US has forced other countries to abide by its requirements for RFID passports, drivers’ licenses, etc. — all effective Chip & PIN technologies. And yet it resists credit card C&P…

  2. PCI Guy Says:

    Three reasons why the US will never have chip-and-PIN without a government mandate:
    1) The card brands actually make money on fraud. Virtually all fraudulent transactions are charged back to the merchants; only a tiny % must be written off. Meanwhile, the brands make revenue on interchange fees for the original transactions as well as for the reversal fees and penalties.
    2) The card brands charge interchange based upon “risk”. If all transactions are chip & PIN then that basically eliminates any justification for interchange rates above what is charged for PIN debit transactions. It will probably go that way eventually, but the card brands are in no hurry to get there.
    3) Near-field-communications to your cell phone is the next-generation solution (essentially, your cell phone becomes your smart card). It’s arguably better than chip-and-PIN (powerful CPU + network comms), and eliminates the need (and costs) for issuing physical cards. Unfortunately, the cell phone companies want a piece of that action, and the banks do not want to share with them (or anyone). So the current game plan is to maintain the mag stripe infrastructure for a few more years until the cell phone companies can be made to provide free or low, flat-rate fees for NFC transactions.
    Paywave and other RFID cards are simply “training wheels” for a cell-phone-based NFC infrastructure, and the PCI program is mostly a stop-gap measure to buy time at the merchants’ expense while NFC becomes achievable.

  3. Berke Baydu Says:

    I believe that there should be a real incentive for Walmart that will let them oppose the whole US credit card industry. Whatever the reason is, it cannot be a short-term thing, and this movement must be a part of a larger plan. So looking for immediate or short-term benefits may not provide any good answers. Walmart very well knows that moving from magstripe to Chip-and-PIN will take a lot of time (it took over 5 years in Europe after everyone agreed on the plan). Some logical reasons I can think of are:

    1 – Walmart may be having a huge fraud rate especially happening at self service cash registers or they may be seeing an increasing pattern that will cost a lot of money in the following years. They might want to put precautions in place before that time comes.

    2 – They may be planning to use the power of chip cards for areas other than plain payments, such as special loyalty programs. However this will require them to have close connections with some issuers. Or once the movement starts they may try to push some domestic extensions to EMV, which will not violate the cards’ out of US usage and will let Walmart benefit from such extra functionalities.

    3 – They may be thinking of getting a return on the investment in chip-enabled devices they already have in place. When migrating from magstripe to EMV, the EU region had some incentive programs for merchants to move, such as reduced interchange for EMV transactions and protection from certain chargeback reason codes. Since it will take a lot of time for issuers and other merchants to deploy EMV-compatible systems, they will be the ones heavily benefiting from such incentives, which may compensate for their already-paid costs.

    4 – They may also be looking to reduce their development costs for the different POS systems they own in different countries/parts of the world. I think this is unlikely to be a good reason because in any case they will need to do customizations for every country with respect to local regulations.

  4. Lucas Zaichkowsky Says:

    My opinion as someone that works with electronic payment security is that EMV is a poor solution. The real solution is what’s already organically developing in response to financial crime and increased demand for PCI scope reduction.

    Deployment of EMV (aka Chip and PIN) prevents fraud in stores that ONLY accept EMV transactions. That’s it. EMV still involves systems handling plain text track data embedded in the chip. When that data is stolen by malware, it can be used to produce counterfeit magstripe cards for use in merchant locations still accepting magstripe. Alternatively, the data can be used to commit card-not-present fraud (telephone and mail order/e-commerce). The merchant accepting EMV still ends up with fines for the card data theft, and the merchant accepting card-not-present or magstripe transactions still ends up with the chargebacks. Look around for reports on fraud trends in countries only accepting EMV. Fraud and card data theft didn’t drop. It just shifted.

    In the US, where there are thousands of card-issuing banks, is it really cost effective to spend billions migrating to EMV? Even in a country deploying electronic payments for the first time and building an infrastructure from scratch, does it make sense? The cards themselves are more expensive than magstripe cards.

    How about instead we continue deploying technologies that encrypt card data between the furthest points possible, from a tamper-resistant card acceptance peripheral all the way to the payment processor. For card-not-present, cards can go directly from cardholder to processor, removing merchants and developers from having to touch the card data. With these scope reduction technologies, only processors, the card brands, and card issuers are left handling plain text card data.

    We can adopt technology like MagnePrint that can stop fraudulent card-present transactions (What EMV does) by detecting if a card is cloned or original.

    In response to a prior poster, it’s ridiculous to accuse the card brands of profiting from fraud. Everyone in the payments and banking industry loses money because of fraud. Even if all directly related costs were magically recovered through chargebacks, fines, and interchange, lost consumer confidence causes less transactions. Lawsuits and operational overhead add additional cost you’re not taking into consideration.

  5. Evan Schuman Says:

    Lucas, I agree with just about everything you’ve said, EXCEPT when you threw in “lost consumer confidence causes” fewer transactions. That’s simply not the case, courtesy of zero liability. Consumers are overwhelmingly apathetic when they DO know about these incidents, which is hardly ever. Just look at any of the major chains who were hit by Gonzalez’s gang alone: JCPenney, Target, TJX, BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, DSW, Forever 21, Hannaford and 7-Eleven, among others. None of those chains have reported any–not minimal, but any–revenue drops after their breaches were publicized.
    The other points you raise are valid, but if we do nothing more this year than getting people to let go of that bogus belief, we’ll be quite happy.

  6. PCI Guy Says:

    Lucas clearly does not understand how EMV cards work. The statement that “EMV still involves systems handling plain text track data embedded in the chip” is simply laughable. EMV cards are not “flash memory” storage devices. They contain computer chips that perform sophisticated public-key encryption operations, and the card data is secure at all times. EMV cards are much more secure than the “tamper resistant card acceptance peripheral” approach Lucas recommends, because even a compromised terminal cannot break the EMV encryption.
    And no, card fraud did not “shift” in countries with EMV, it is virtually non-existent in those locations, (the fraud shifted to other countries, and to the non-EMV cards used by American tourists). Also, because they do not rely on “tamper resistant” terminals, EMV cards can be used for secure eCommerce transactions, though technically those will be “card present”. Note, there is no way to protect against card-not-present fraud (e.g. telephone orders and mail orders). Think about it…
    Finally, the banks do in fact make far more in transaction revenue from fraudulent transactions than they pay in fraud losses: Issuer fraud costs hover just over 1% of total expenses (Mercator Advisory Group report, December 2008). Even when you add their legal costs and other expenses, the fraud transaction revenue eclipses the issuers’ costs. With respect to fraud, the banks’ primary concern is to keep it below the level where merchants and/or consumers become nervous and stop using cards. Aside from that, cards are a cost-plus business for the banks, and fraud is just one small part of those costs. It is the merchants (like Wal-Mart) who bear the vast majority of the fraud losses. And, thanks to the PCI scheme, it is the merchants who are paying to prop up an inherently insecure system that the banks have no particular motivation to actually fix.

  7. Lucas Zaichkowsky Says:

    PCI Guy, look in the EMV specification. There is track equivalent data embedded in the chip that gets passed to the host. Note that account number and exp date are also present which can be used to commit card not present fraud even in a world where nobody accepts magstripe. http://www.emvco.com/specifications.aspx?id=155

    More in Wikipedia: http://en.wikipedia.org/wiki/EMV

    Or here’s some nice Java code with examples. http://blog.saush.com/2006/09/08/getting-information-from-an-emv-chip-card/

    Here’s an excellent report that not only covers EMV containing track data in the chip, but provides numbers to reflect fraud in the UK between 2004 and 2007. Google around to find more recent fraud loss numbers. “The UK, where a mix of SDA and DDA cards were issued, provides an early case study of the effect of the stronger payment authentication available on EMV cards. Total fraud losses in 2007 were actually 6 percent higher than in 2004, but the mix of fraud from various sources as well as the distribution of losses in and out of the UK changed substantially over this period.”
    http://www.kansascityfed.org/Publicat/Econrev/PDF/3q08Sullivan.pdf

  8. PCI Guy Says:

    Card authentication data cannot be obtained from an EMV card. Without it, the PAN is essentially useless, and card-present fraud drops to near zero. The only CP fraud that remains is because of continuing support for magnetic swipe data. As soon as everyone moves to chip-and-PIN and mag swipe goes away, card fraud will go away, too.

    This of course refers to card-present transactions, and assumes dynamic authentication is used.

    EMV cards do not increase or decrease the risk on Card-NOT-present transactions, but they can move eCommerce transactions into the “Card Present” category. If a card is not present then how could it provide any security?

    Merchants performing card-not-present transactions understand the risk and make a business decision to accept that risk. They usually perform other types of authentication and/or have recourse to the buyer.

    The Sullivan report confirms all of the above, and also explains the banks’ “revenue concerns” surrounding EMV. See for instance page 51: “bank revenue for payment services could be reduced” and page 55: “As a result, a costly effort is under way to harden the security of payment information…”

    The dollar amount of fraud losses increased 6% but fell sharply as a percentage of dollar volume, because there was a significant increase in the number of transactions. According to the report: “Fraud declined by large margins… The reduction in fraud on lost or stolen cards was significant, proving that UK issuers achieved a major goal of EMV deployment.”

    The Sullivan report (an excellent work!) pretty much confirms exactly what I stated: EMV is more secure and basically solves the problem; EMV is not being introduced into the USA because the banks would make less money, and merchants are bearing the vast majority of fraud loss costs and expenses for card security.

  9. Evan Schuman Says:

    Well, it’s only fair, given that I weighed in and agreed with most of Lucas’s comments (other than his consumer reticence thought), that I should do the same for PCI Guy. In general, I agree with PCI Guy’s points, too, to the extent that EMV is indeed significantly more secure than magstripe. And the business concerns are how you present them. But I have to sharply disagree with half of one of your sentences. You said “EMV is more secure and basically solves the problem.” Agreed that it’s more secure, but I have to draw the line at “solves the problem.” I’ll call your Sullivan report and raise you a Cambridge report. No approach today is perfect, and cyberthieves are well-funded, creative, patient and resourceful.
    If we even briefly think that we’re solving a security problem, we’re in trouble. But like PCI itself, an approach can certainly be VERY far from perfect and still be the best option available. I’d argue that EMV is indeed that very imperfect approach, for now.

  10. PCI Guy Says:

    The hack developed by the Cambridge researchers was limited to static data authentication a.k.a. “offline transactions” whereby the EMV card alone authorizes a transaction without communicating with an issuer/host system. This feature was designed into EMV cards long ago, at a time when network communications were expensive, if even available at all, as a way to permit card usage for low-value transactions such as in vending machines. The EMV core technology of dynamic data authentication using strong public-key encryption remains unbroken. That is not to say it will never be broken, but if/when it is then we will all have a lot more to worry about than secure credit card transactions, because the same core technology is used for just about everything else including SSL data communications and access to government/military systems.

  11. Lucas Zaichkowsky Says:

    To anyone interested in this conversation, I advise you to read the links provided in earlier comments and educate yourself on the issue being discussed. The truth is in the referenced material. Thank you. :)

  12. EMV Australia Says:

    Firstly, PCI Guy, Card companies DO NOT make money on fraud – that is just a stupid thing to say. Card Companies suffer Brand Damage as a result of fraud. Most of the Fraud is charged back to the Issuer and the Issuer is liable. The only time card fraud is charged back to the Merchant is for e-commerce and for Card not present transactions. The Card Brands DO NOT charge Interchange. The Interchange fee is what the Issuers of the cards earn for issuing the cards. Yes it is true that the Interchange fees are set based on Risk, but they flow to the Issuer.

    I think that some general education in Card processing is needed before making comments like these.

    Lucas, I agree that at the moment EMV only protects Card Present transactions – this is what it was designed to do.
    However, it can be utilised to provide Two Factor Authentication – one time password – to secure the Card Not Present space.

    Further, I don’t agree that full encryption of track2 data, whether it is coming from the Chip or magstripe, will eliminate Card Not Present Fraud, as the PAN and EXP date are visible on the card. What would help is for all Issuers to be checking the CVV2 value that is present on the card. CVV2 is not part of Track2, so even if you have this data you will still not be able to perform a fraudulent transaction. Just this initiative would limit fraud to Lost and Stolen cards.

    Also to add my two cents on the Fraud reduction with EMV. When the UK introduced EMV, fraud on Card not present transaction dropped drastically, and shifted to other countries and also shifted to Card Not Present transactions.

    At the end of the day, EMV, at the moment is the best way of securing card present transactions….
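The two comment threads above argue about what actually sits in the chip: Lucas (comment 7) says the chip hands the terminal track-equivalent data including the PAN and expiry date, and EMV Australia (comment 12) points out that CVV2 is not part of Track 2. The following Python is an added illustration of both points and is not code from the original page or from any of the commenters. It builds a constructed EMV READ RECORD response (the PAN 4111 1111 1111 1111 is a standard test number, and the expiry, service code and discretionary data are made up), walks the BER-TLV encoding, and pulls apart tag 57 (Track 2 Equivalent Data). The tag numbers and the Track 2 layout (PAN, 'D' separator, YYMM expiry, 3-digit service code, discretionary data, 'F' padding) are from the EMV Book 3 data dictionary; everything else is an assumption made for the example.

```python
"""Decode Track 2 Equivalent Data (EMV tag 57) from a BER-TLV record.

Added example, not from the page: shows that a chip card's READ RECORD
response carries the PAN and expiry in the clear (tags 5A, 5F24 and 57),
which is what makes stolen chip data usable for card-not-present fraud,
and that no EMV tag carries CVV2 (it is printed on the card only).
"""


def parse_tlv(data: bytes) -> dict:
    """Flatten a BER-TLV byte string into {tag_hex: value_bytes}.

    Constructed tags (bit 6 of the first tag byte set, e.g. 70) are
    recursed into and their children merged into the same dict.
    """
    out = {}
    i = 0
    while i < len(data):
        if data[i] in (0x00, 0xFF):      # inter-TLV padding, skip
            i += 1
            continue
        start = i
        first = data[i]
        i += 1
        if first & 0x1F == 0x1F:         # multi-byte tag (5F24, 9F26, ...)
            while data[i] & 0x80:
                i += 1
            i += 1
        tag = data[start:i].hex().upper()
        length = data[i]
        i += 1
        if length & 0x80:                # long-form length
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        value = data[i:i + length]
        i += length
        if first & 0x20:                 # constructed: descend
            out.update(parse_tlv(value))
        else:
            out[tag] = value
    return out


def decode_track2(value: bytes) -> dict:
    """Split tag 57 into PAN, expiry (YYMM), service code, discretionary data.

    The value is packed as nibbles: PAN, 'D' separator, YYMM, service code,
    discretionary data, then an 'F' nibble if needed to fill the last byte.
    """
    s = value.hex().upper().rstrip("F")
    pan, _, rest = s.partition("D")
    return {
        "pan": pan,
        "expiry_yymm": rest[:4],
        "service_code": rest[4:7],       # leading 2 or 6 = chip-capable card
        "discretionary": rest[7:],       # issuer data; CVV2 is never here
    }


def luhn_ok(pan: str) -> bool:
    """Mod-10 check, the only validation a fraudster needs on a bare PAN."""
    total = 0
    for idx, ch in enumerate(reversed(pan)):
        d = int(ch)
        if idx % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def card_not_present_fields(record: bytes) -> dict:
    """Extract everything a CNP fraudster would want from one chip record."""
    tlv = parse_tlv(record)
    track2 = decode_track2(tlv["57"])
    pan_5a = tlv["5A"].hex().upper().rstrip("F")
    return {
        "pan_tag_5A": pan_5a,
        "expiry_tag_5F24": tlv["5F24"].hex(),   # YYMMDD
        "track2": track2,
        "pan_matches_track2": pan_5a == track2["pan"],
        "luhn_ok": luhn_ok(track2["pan"]),
        "tags_seen": sorted(tlv),              # note: no CVV2 tag exists
    }


# Constructed READ RECORD response (template 70) with test data only:
#   5A   PAN 4111111111111111 (standard test PAN)
#   5F24 expiry 2012-12-31
#   5F34 PAN sequence number 01
#   57   Track 2 Equivalent Data: PAN D 1212 201 000000000 F
SAMPLE_RECORD = bytes.fromhex(
    "7027"
    "5A08" "4111111111111111"
    "5F2403" "121231"
    "5F3401" "01"
    "5711" "4111111111111111D1212201000000000F"
)

if __name__ == "__main__":
    for k, v in card_not_present_fields(SAMPLE_RECORD).items():
        print(f"{k}: {v}")
```

Running it prints the PAN, the expiry from both tag 5F24 and Track 2, and the service code 201 (international, chip-capable), all in the clear; a terminal or POS process that has this buffer has exactly what a magstripe skimmer would give it, minus the CVV2 that was never on the chip.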
