Payments executives seem to find it much easier to say what they don’t want than to agree on solutions that might improve the security of card-not-present transactions, if the opinions exchanged this week at a Federal Reserve Bank of Chicago conference are indicative of general industry thinking.
About 80 payments executives and researchers met to review the status of so-called remote payment fraud at a conference co-sponsored by the Chicago Fed and the Secure Remote Payment Council, a group dedicated to improving transaction security in online and mobile payments. Participants exchanged colorful war stories and many insightful opinions, but attendees hoping for solutions to problems came away disappointed.
Attendees couldn’t agree on who, if anyone, should lead the fight, and whether some technologies should be imposed rather than merely encouraged. Though the topic was remote payments, that didn’t stop the discussion from venturing into card-present fraud in stores and at ATMs.
Without specifically mentioning the names of the general-purpose card networks, especially Visa Inc., the biggest, and MasterCard Inc., the second biggest, more than one speaker implied that they didn’t want any one entity dictating fraud-control policy. Visa in August announced a major initiative to simultaneously spur adoption of mobile payments and EMV chip cards in the U.S. as the successors to the older magnetic-stripe card, and MasterCard reportedly is encouraging ATM owners to add chip-accepting hardware to their machines. EMV cards are considered much less vulnerable at the point of sale to fraud than mag-stripe cards and have greater data storage capacity.
Terry D. Dooley, senior vice president and chief information officer of Iowa-based Shazam, one of the few electronic funds transfer networks still owned by financial institutions, agreed that EMV is coming to the U.S., the last industrialized country where chip cards aren’t already in use or being rolled out. But he criticized the idea of “one or two entities” dictating things. Dooley’s specific issue was preserving PIN-based authentication on chip cards. Visa’s proposed system would rely on so-called “dynamic authentication” using one-time transaction identifiers, and some U.S. banks favor chips coupled with signatures for authentication rather than the chip-and-PIN system common in Europe. Dynamic authentication “is good,” but still can be spoofed, according to Dooley. “You shouldn’t be told how you’re going to implement security,” he said.
Dooley followed a blistering attack on “false gods” of payments delivered by Annmarie D. “Mimi” Hart, chief executive of MagTek Inc., a Seal Beach, Calif.-based vendor of hardware and software systems for bolstering the security of magnetic-stripe card transactions. Her main target was the PCI Security Standards Council, which administers the Payment Card Industry data-security standard, with which card-accepting merchants, processors, and issuers must comply. She claimed the PCI Council is more interested in perpetuating itself than actually eliminating fraud. “After all, no fraud means no PCI,” she said, adding that, “it has and will continue to stifle innovation.”
EMV is another of Hart’s false gods. She said an EMV card costs five to 10 times as much as a mag-stripe card and still transmits data in the clear (unencrypted), meaning that a chip-card-accepting merchant would not be excused from PCI compliance. Mag-stripe cards also are capable of dynamic authentication, according to Hart, who also warned against the industry being forced onto “a centrally dictated path.”
Most other speakers agreed that EMV, despite its faults, eventually would displace mag-stripe, though no one could say when or exactly how. Robert O. Carr, chairman and chief executive of merchant acquirer Heartland Payment Systems Inc., predicted the mag stripe would be around for another 10 or 15 years. “I think the cell phone is going to cause the demise of the mag stripe,” he said. While many observers have noted that mobile devices have their own vulnerabilities when used for payments, Carr said the security issue “is manageable.”
Still, cell phones do present some scary security scenarios when they include near-field communication (NFC) chips that enable payments and other data-driven applications such as loyalty programs and even storage of medical information. Richard Rushing, senior director of information security at Libertyville, Ill.-based cell-phone maker Motorola Mobility Holdings Inc., said passengers lose 70,000 cell phones a year just in Chicago taxicabs. “You can imagine if they were credit cards,” he said.