Endpoint
A few smaller banks get it, and have issued EMV cards to their customers who travel abroad. But most bigger banks are still on the sidelines.
We’re still stuck with the mag stripe and all of its attendant problems because the big banks have too great a stake in the current system and too little incentive to move to EMV or something better, says Steve Mott.
Steve Mott is principal of BetterBuyDesign, a Stamford, Conn., consultancy. Reach him at stevemottusa@yahoo.com.
You may have noticed that there has been a resurrection of interest in EMV chip and PIN, or smart card, technology for upgrading the tired, expensive, and fraud-prone U.S. payments system. But it seems to be lost on the big banks, raising interesting questions about how far they are willing to sacrifice security and efficiency in a relentless effort to preserve the status quo.
Indeed, EMV (named for Europay, MasterCard, and Visa, which submitted the initial specification for chip and PIN at the point of sale more than 15 years ago) is stuck in neutral in this country. Meanwhile, the rest of the world has moved its POS systems, under this technology, more or less into the 21st century. That keeps the U.S. banking system mired in last-century payments technology, along with banking backwater countries such as North Korea.
Securing POS transactions with chip-based encryption routines and validating the card to the cardholder by means of PIN entry have had a demonstrable effect on reducing payment fraud in many countries. More important, it has led to a liability shift whereby merchants processing an EMV-enabled card as a mag-stripe option get stuck with the fraud.
Watered Down
Merchants in this country—beset with the lion’s share of the costs of fraud, the massive expenses and fines related to compliance with the Payment Card Industry data-security standard (PCI), and the need to invest in end-to-end encryption and/or tokenization to protect the mag stripe—have finally decided that EMV is their best hope for fiscal sanity in payments. That’s even though they will have to fund up to three-quarters of the estimated $6 billion to $8 billion in conversion costs, far more than the banks or networks will pay.
Some large merchants, including Wal-Mart, Best Buy, and Home Depot, have already terminalized for EMV contact cards. And hundreds of U.S. merchants along the Canadian border are processing EMV transactions for their cross-border customers. Get rid of the mag stripe, they reason, and you get rid of fraud, PCI costs, and—perhaps—artificially high interchange fees!
They were cheered a bit by Visa’s recent announcement that merchants doing more than 75% of their transactions with EMV would no longer have to bear the expense of an annual PCI audit. But then Visa said that benefit won’t apply to the United States, as the “uncertainties” of the banking market related to the Durbin Amendment prevented it from pushing for PCI relief—or even EMV—at this time.
In many of the deployments abroad, EMV is watered down. In some, there is no requirement to generate and use a dynamic data authenticator (such as an encrypted Cardholder Verification Number, or CVN). Also, a number of implementations actually decrypt the payment account credentials from the card, and present them to the terminal just like a mag stripe does! A number make use of the PIN optional. And many of these systems do not interoperate across borders. The networks claim this was what their members wanted, to minimize changes to their systems.
Also, retention of the mag-stripe dual mode on EMV cards, done largely to accommodate the United States, has increased the threat of card-not-present (CNP) fraud, as well as travel-abroad fraud.
For its part, Visa favors dynamic data authentication, but just for its Cardholder Verification Value (CVV); the 16-digit Primary Account Number (PAN) and the expiration date remain in the clear throughout the processing cycle. Visa claims this protects the transaction from being replayed, but tell that to the fraudsters who use PANs and expiration dates without CVNs for online transactions all the time.
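The gap described above, sketched as an added example that is not part of the original column: a toy issuer check in which the card's dynamic value stops a replayed chip transaction, while a request carrying only the static PAN and expiration date is approved unless the issuer demands the dynamic value on every channel. The HMAC construction, the counter, the `Issuer` class and the card data are assumptions made for illustration, not the EMV or Visa algorithm.

```python
import hmac
import hashlib

def dynamic_cvv(key: bytes, pan: str, expiry: str, atc: int) -> str:
    """Simplified stand-in for a card-generated dynamic value (NOT the EMV algorithm)."""
    msg = f"{pan}|{expiry}|{atc}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1000:03d}"

class Issuer:
    """Hypothetical issuer-side authorization check."""
    def __init__(self, key: bytes, require_dynamic_everywhere: bool):
        self.key = key
        self.require_dynamic = require_dynamic_everywhere
        self.last_atc = {}  # PAN -> highest transaction counter accepted so far

    def authorize(self, pan, expiry, atc=None, cvv=None) -> str:
        if atc is None or cvv is None:
            # Request carries only the static fields (PAN + expiration date).
            return "declined: no dynamic value" if self.require_dynamic else "approved"
        if atc <= self.last_atc.get(pan, -1):
            return "declined: replayed counter"
        if not hmac.compare_digest(cvv, dynamic_cvv(self.key, pan, expiry, atc)):
            return "declined: bad dynamic value"
        self.last_atc[pan] = atc
        return "approved"

def demo() -> dict:
    key = b"constructed-demo-key"                # constructed sample key
    pan, expiry = "4000000000000002", "12/30"    # constructed sample card data
    results = {}
    for label, strict in (("static_accepted", False), ("dynamic_required", True)):
        issuer = Issuer(key, strict)
        cvv = dynamic_cvv(key, pan, expiry, 1)
        results[label] = [
            issuer.authorize(pan, expiry, 1, cvv),  # genuine chip transaction
            issuer.authorize(pan, expiry, 1, cvv),  # identical message seen again
            issuer.authorize(pan, expiry),          # PAN and expiry only
        ]
    return results

if __name__ == "__main__":
    for policy, outcomes in demo().items():
        print(policy, outcomes)
```
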
And Visa is no advocate for the PIN part of chip and PIN, as it represents a “static authenticator,” no longer useful for securing transactions in a digital, dynamic environment. Besides complicating use of PIN-based ATMs, the decision to exclude the use of PINs to bind the cardholder to the transaction feeds the growing incidence of so-called friendly fraud.
Worse, Visa says EMV contactless isn’t in its near-term plans for mobile payments, and pledges to try a proprietary course in the marketplace first.
With such dilution of the only global standard we have, meaningful reductions in fraud in the United States do not appear likely. And exoneration from odious PCI costs remains an illusion. So, merchants now wonder, where’s the payoff for their portion of the EMV conversion cost when nothing much really changes for them?
Quietly Oblivious
Fortunately, a few smaller banks are getting it, and have issued EMV cards to their customers who travel abroad. The United Nations Federal Credit Union, for example, issued EMV cards that do both contact and contactless—at very small additional costs. But bigger banks have remained largely on the sidelines.
Two exceptions emerged only last month. Wells Fargo announced it would invite up to 15,000 of its frequent travelers to test EMV cards by the end of the year. A few days later, JPMorgan Chase said it would issue some EMV cards, too—albeit signature-mode only, with no PIN. But these tentative commitments are far from what this country’s embarrassingly backwater payments system needs.
Sadly, everyone else in the payments industry, most of whom know better, remains quietly oblivious to the need and demand for a real, industrial-strength EMV solution. They seem content to preserve a share of the crumbs that fall off the banks’ payments table for as long as they can, perhaps in the increasingly vain hope that the merchants will continue to finance continued unproductive tinkering.