By Patti Murphy
The Takoma Group
Americans take great pride in being leaders. But there is at least one area in which Americans shouldn't be eager to claim leadership: vulnerability to payment card fraud. So, why is the United States so slow to implement chip and PIN technologies to protect against card fraud? It depends on who's asking and who's answering the question.
Bankers tend to blame merchants, whom they see as unwilling to pony up the cost of terminals that are compliant with Europay/MasterCard/Visa (EMV) - the international standard for chip and PIN technologies. Merchants complain about the dearth of card issuers committed to EMV. "Retailers aren't going to spend money on new equipment unless and until issuers start issuing the cards," said OB Rawls IV, Senior Vice President of Sales at TASQ Technology Inc.
Today only one of an estimated 17,000 card-issuing financial institutions in the United States is issuing EMV-compliant payment cards: the United Nations Federal Credit Union. Merrill Halpern, Card Services Manager at the $3.1 billion credit union, said UNFCU migrated its 90,000 members to chip cards in part because of complaints from individuals whose mag stripe cards were rejected overseas, especially in offline situations such as unattended kiosks and taxis.
The problem is not unique to UNFCU members. Aite Group LLC estimated that in 2008 alone, 9.7 million U.S. cardholders' mag stripe cards were rejected at overseas locations, at an estimated cost to the card industry of $3.9 billion in transactions and $447 million in related revenues.
Mercator Advisory Group calculated it would cost U.S. card issuers between $2.4 billion and $2.8 billion to replace all mag stripe cards in circulation with chip cards (also called smart cards) and that merchants would pay about $10 per terminal for EMV functionality. (Other experts interviewed for this story put the cost per terminal at between $30 and $50.)
Steve Mott, Chief Executive Officer of the consultancy BetterBuyDesign.com, believes banks that aren't planning to roll out chip cards are shortsighted. Recent legislation slashing lucrative revenue streams (debit card interchange and checking account overdraft fees) makes it imperative that banks create new money-making opportunities. "Why not pony up 2 to 3 billion [dollars] now and help bring the U.S. [card payment system] into the 21st century?" he said.
Oliver Manahan, a Vice President at MasterCard Canada Inc., expects the tide to turn toward EMV in the United States this year. "In 2011, I think there will be U.S. financial institutions issuing chip cards, especially to customers who travel to Europe frequently," he said during a presentation at the Northeast Acquirers Association's Winter Seminar in January. "And we believe the first two or three that do will probably see some shift [in accounts] to their portfolios."
George Peabody, Director of Emerging Technologies Advisory Service at Mercator, predicts at least one major U.S. bankcard issuer will begin offering EMV cards as a fee-based service for high-net-worth clients who travel overseas.
Manahan said that in Canada, where better than 90 percent of active MasterCard-branded cards are PayPass enabled, "we were fear motivated" to push chip and PIN. Card fraud was growing, and the evidence from Europe, where chip cards first took off, showed promising results, he said. Today, 50 percent of payment cards in Canada contain EMV-compatible chips, and 60 percent of POS devices are EMV compliant, he added.
PayPass uses near field communication (NFC) to exchange data between the chip and a POS device. PayPass can be issued as a card with an embedded chip or as a key fob for tap-and-go payments. Mott described PayPass and similar products (stickers and smart phones) as "a dummied-down version" of chip and PIN. Yet Mott believes these will help nudge the United States toward EMV, as happened in Canada.
Rawls agrees. "There's a lot of interest, especially within the card associations," he said.
EMV standards for chip cards and POS devices cover applications that require card contact with terminals in addition to contactless applications. The name derives from the original group of founding companies: Europay (since acquired by MasterCard Worldwide), MasterCard and Visa Inc.
Jointly owned by American Express Co., JCB International Credit Card Co., MasterCard and Visa, EMVCo LLC oversees the development and implementation of EMV standards. EMVCo estimates that two-thirds of the world's EMV cards and devices are deployed in Europe.
"EMV technology has the lead position in securing the payments perimeter today," Peabody said. "It's a standard that can be deployed in contact, contactless and mobile form factors." He believes cost constraints and reluctance on the part of the card companies to demand adoption are impeding EMV acceptance in the United States.
Mott suggested the Payment Card Industry (PCI) Data Security Standard (DSS) also plays a part in slowing EMV adoption. "Merchants have spent between $18 billion and $20 billion since 2004 getting into and staying in compliance with PCI," Mott said. And many, understandably, are not eager to invest in yet another method of fraud deterrence.
EMV chip and PIN technology is considered a powerful weapon against credit and debit card fraud, especially fraud due to stolen account numbers and card cloning. In the United Kingdom, the card fraud loss rate dropped 48 percent - from 18 basis points to 12 basis points - after bankers and merchants moved to EMV, according to EMVCo. What's good for the United Kingdom, however, isn't always good for the rest of the world. That's because payment fraud, like terrorism, seeks and attacks the weakest link.
Although Europe boasts the highest penetration of EMV, most payment cards issued there also contain mag stripes with the same information that's encrypted on the chip. So fraudsters are stealing chip cards for the mag stripe information and then cloning credit and debit cards for sale and use in the United States and other countries not yet committed to EMV. The problem has become so serious that the European Payments Council, a governing body that operates under the Single Euro Payments Area (SEPA), has proposed setting a sunset date after which mag stripe cards will no longer be issued by SEPA banks.
"You can't have mag stripe cards coexisting with chip and PIN. You have to get rid of the PIN," Mott said. Card fraud is not the work of petty criminals. The most notable cases in recent years have been the work of organized cyber gangs. And recent Web activity suggests al-Qaida terrorists are joining the fray, according to Mott. "That's the straw that's going to break the camel's back," he said, adding that it will force U.S. banks to embrace chip cards and merchants to spring for EMV-compatible PIN devices.
Industry consultant Paul Martaus believes prodding from state government assistance programs will propel widespread U.S. adoption of EMV. Texas recently disclosed plans to migrate its electronic benefits transfer programs to chip cards. Should other state governments follow, Martaus expects convenience stores and supermarkets will have no choice but to upgrade to EMV-compliant terminals.
Wal-Mart Stores Inc. has already installed EMV-compliant terminals, although it has yet to invest in the necessary operating software, according to several knowledgeable sources. "I'd be willing to bet that if the banks were to start issuing the cards, Wal-Mart would spend whatever it took" to accept EMV chip cards, Martaus said.
Several experts also suggested the Federal Reserve Board could pressure issuers to move to chip cards. The Durbin Amendment to the 2010 Dodd-Frank Wall Street Reform and Consumer Protection Act entrusts broad authority in the Fed to amend Regulation E (which pertains to consumer electronic funds transfer rules) to combat debit card fraud. Last year, the Fed also called together a forum of bankers, merchants and others to examine the future of EMV. However, Martaus cautions that EMV is no magic bullet. "We're talking about 30-year-old technology here," he said. And during a 2010 webinar, Brian Riley, Senior Research Director for Bank Cards at TowerGroup, noted that in "the computer generation," 30 years is "a lifetime, or several lifetimes." Riley also questioned the viability of using chip and PIN for online payment applications, noting that the combination "doesn't work particularly well in the online environment, and the online environment today is the fastest growing channel."
One workaround to EMV's shortcomings is tap-and-go technology, which uses radio frequency identification (RFID) to authenticate transactions through an exchange with a chip embedded in a card or other form factor. In addition to MasterCard's PayPass, numerous iterations of tap-and-go payments exist, such as stickers and smart phones, including options supported by Visa and First Data Corp. Best of all, "there are at least 150,000 retail locations where tap-and-go payments are supported today," Martaus said.
Meanwhile, Apple Inc. reportedly is working to integrate NFC technology with its next generation of iPads and iPhones, which are expected to hit the market later in 2011.
Current iPhones features bar codes, and at least 2 million small merchant establishments can read bar codes, according to Martaus. With both NFC and bar code technologies, iPhones and similar smart phone products can double as electronic wallets. "EMV makes a lot of sense with smart phones," Martaus said.
Although EMV is often discussed in the context of chip cards and PINs, physical PIN entry is not required by EMV technology. That's what makes tap-and-go applications a viable migration path to widespread EMV adoption. But contactless applications may not offer a long-term solution.
The limited power and memory capacity of RFID chips reduce the amount of data that can be stored, and thus the level of security provided, Maria Arminio of Avenue B Consulting Inc. explained in a white paper, Combating Fraud in the Retailer Payment Environment, published in 2010. "Ultimately, the best solutions will use multifactor authentication and dynamic authentication," Arminio wrote.
In addition, Mott said, "Ideally, you're going to want chip and PIN, as well as dynamic authentication and full encryption." Dynamic authentication provides added protection against card skimming and counterfeiting by requiring different credentials for each transaction authorization.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.Prev Next