Will Senate Bill Force The U.S. To Go Chip-And-PIN?

Written by Evan Schuman
June 24th, 2010
With Wal-Mart's recent push for Chip-and-PIN in the U.S., the debate has been what could possibly push the banks into supporting such a costly move. One financial blog is making a compelling argument that the U.S. Senate may be about to jump into the U.S. EMV case.

Todd Ablowitz, president of the Double Diamond Group and one of the more interesting payment experts in the U.S. (for us, "interesting" is someone who thinks a well-balanced presentation is where all audience members are pissed-off equally), has been sitting with lobbyists and studying the Durbin bill, currently scheduled to go before a House-Senate conference committee on Thursday (June 24). His conclusion, with a little bit of mildly tortured logic: The bill will strongly incentivize banks to accelerate their acceptance of Chip-and-PIN in the U.S.

This Story Is Only Available For Premium Subscribers.



4 Comments

  1. Daniel Beaudoin Says:

    Interesting to think that they have had that in France since the '80s and we are, in our advanced country, just really starting to discuss going that way.

  2. Lucas Zaichkowsky Says:

    Daniel, it’s not at all that simple.

    The credit card system in the United States has hundreds to thousands of card issuers spanning banks of all different sizes. It’s been building since the early 70s when present day information systems and the Internet were beyond our imagination. EMV was deployed in these other countries because it made financial sense for them. Their card-present fraud rates were higher than in the US when on magstripe. They have only a handful of card issuing banks, and a smaller and newer electronic payment infrastructure. As a result, the cost to deploy a new technology for card present payments was less than eating the fraud in those countries.

    We are not in a terrible position.

    EMV implementations deployed today would be a poor choice to mimic if we were to undertake a card present infrastructure upgrade. Currently, EMV only provides a high level of confidence that chip transactions are genuine, resulting in lower fraud rates at merchant locations that only accept EMV payments. That’s it. It’s not a magic silver bullet for stopping card data theft and fraud.

    There is still track data in the card that can be stolen if systems are hacked. Even when transactions are done using the chip, track equivalent data is passed around in the clear that can be used to clone magstripe cards for use in merchant locations accepting magstripe payments. Even if the chip uses the newer iCVV value inside the track equivalent data to prevent magstripe card cloning, the card number and expiration date are still exposed in the clear which can be used for card not present (CNP) fraud. There are still many merchants that do not use AVS or CVV2 to prevent CNP fraud, especially with Mail Order/Telephone Order.

    Read this report: http://weis2010.econinfosec.org/papers/panel/weis2010_sullivan.pdf

    In my opinion, what we need is an EMV implementation that is backwards compatible with other existing implementations. But in ours, there should be a next step in security baked into our deployment. Stop transmitting track data, account number, and expiration date in plain text! The terminal should encrypt not only the encrypted PIN data used to authenticate the card and user, but also encrypt any other sensitive data that can be used for fraud. The industry is already moving to “end to end encryption” to do this with our current card present payments method. That buys us time to roll out a hybrid E2E/EMV standard. Maybe it’ll actually be developed by EMVCo and presented as just a new version of EMV.
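The iCVV mechanism mentioned in the comment above, as an added example that is not part of the original comments: an issuer recomputes the card verification value using the service code from the track for magstripe reads but 999 for chip reads, so track-2-equivalent data taken from a chip fails verification when it is presented as a swipe, while the PAN and expiry in that same data remain readable for CNP fraud. The CVV derivation is a constructed HMAC stand-in for the DES-based CVK algorithm, and the key, PAN and expiry are made-up test values.

```python
import hashlib
import hmac

# Constructed stand-in for an issuer's Card Verification Key. Real CVV/iCVV
# values come from a DES-based CVK pair; an HMAC over the same inputs (PAN,
# expiry, service code) keeps this example runnable offline.
CVK = b"constructed-issuer-key-not-a-real-cvk"

def derive_cvv(pan, expiry_yymm, service_code):
    """Three-digit verification value over PAN + expiry + service code."""
    msg = (pan + expiry_yymm + service_code).encode()
    digest = hmac.new(CVK, msg, hashlib.sha256).hexdigest()
    digits = "".join(ch for ch in digest if ch.isdigit())
    return digits[:3]

def build_track2(pan, expiry_yymm, service_code, cvv):
    """Track 2 layout: PAN=YYMM SSS <discretionary data ending in the CVV>."""
    return f"{pan}={expiry_yymm}{service_code}0000{cvv}"

def parse_track2(track2):
    pan, rest = track2.split("=", 1)
    return {"pan": pan, "expiry": rest[:4], "service_code": rest[4:7], "cvv": rest[-3:]}

def issuer_verify(track2, entry_mode):
    """Issuer-side check: a magstripe read is verified with the card's own
    service code, a chip read with 999. That substitution is what makes the
    iCVV in track-2-equivalent data differ from the CVV on the stripe."""
    f = parse_track2(track2)
    sc = "999" if entry_mode == "chip" else f["service_code"]
    expected = derive_cvv(f["pan"], f["expiry"], sc)
    return hmac.compare_digest(expected, f["cvv"])

def cnp_fields(track2):
    """What stays readable in the clear even with iCVV: PAN and expiry."""
    f = parse_track2(track2)
    return f["pan"], f["expiry"]

# Constructed card: a standard test-range PAN, expiry Dec 2012, service code 201.
PAN, EXPIRY, SERVICE = "4111111111111111", "1212", "201"
MAGSTRIPE_TRACK2 = build_track2(PAN, EXPIRY, SERVICE, derive_cvv(PAN, EXPIRY, SERVICE))
CHIP_TRACK2_EQUIV = build_track2(PAN, EXPIRY, SERVICE, derive_cvv(PAN, EXPIRY, "999"))

if __name__ == "__main__":
    print("genuine swipe:", issuer_verify(MAGSTRIPE_TRACK2, "magstripe"))      # True
    print("genuine chip:", issuer_verify(CHIP_TRACK2_EQUIV, "chip"))           # True
    print("chip data swiped:", issuer_verify(CHIP_TRACK2_EQUIV, "magstripe"))  # False
    print("still exposed for CNP:", cnp_fields(CHIP_TRACK2_EQUIV))
```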

  3. Ty Hardison Says:

    It’s been reported that it will cost US merchants $6.75 Billion to upgrade POS to EMV. Why will merchants make this investment to pay higher Interchange?

    Why Visa and MasterCard Should Voluntarily Lower Interchange
    Posted on June 16, 2010 04:44 by Ty Hardison

    Lately I’ve read many articles about Contactless and Near Field Communication (NFC) payments, the prospects for merchant and consumer adoption, bridge technologies and market trials. Contactless payments, which feature speed, convenience, security and more functionality that leverages the mobile network, can outperform legacy mag-stripe payment technology. NFC promises smart phones as payment devices, which in turn promise to change consumer expectations about buying everything from mass transit, fast food and concert tickets, to the retail brands themselves.

    At the same time, U.S. cardholders increasingly find it difficult to use mag-stripe cards outside the U.S. As we discussed here, the U.S. EMV strategy hinges on contactless / NFC adoption. Some believe EMV 2.0 in the U.S. will be contactless and mobile payments and serve as a disruptive technology that will usher in even more payment players from mobile carriers to Apple and Google.

    Yet contactless and NFC payment technologies face the classic “chicken or egg” dilemma. Payments is a platform business and the principle of network effects is required to build a two sided market where both card issuing and merchant acceptance must compel each other forward with the prime objective to encourage use.

    So what will be required to advance contactless payments? Will it take millions of additional contactless cards to be issued (or will it take NFC smart phones to replace cards) or will it take hundreds of thousands of U.S. merchants installing devices to accept contactless payments?

    From most accounts the lack of merchant acceptance of contactless payments is a key barrier blocking NFC contactless payments. Without the widespread installation of readers, contactless is stalled. A Javelin Strategy & Research report estimated the basic cost to deploy EMV POS terminals at $6.75 Billion, not including the cost of implementation. The low percentage of merchants that accept contactless payments (I’ve seen figures from 70,000 to 200,000 U.S. merchant point of sale payment terminals that accept contactless payments) reduces the incentive for banks to issue chip cards, NFC phones, tags, stickers, etc.

    What will it take to get merchants to upgrade, replace or add devices to their existing terminals and POS systems to accept contactless payments? What’s the incentive for merchants to invest in contactless readers? The business case has evolved over the years from faster lines and replacing cash, to enabling no signature required and chargeback liability, to loyalty programs that create a more informed shopping experience. But the real fuel that contactless payments needs is in the form of incentive Interchange rates. Nothing works like financial incentive.

    Another main problem is the lack of consumer awareness, with no aggressive campaign by merchants to steer consumers who have contactless cards to use them. The presence of contactless devices alone will not guarantee usage. Merchant staff must become more adept at facilitating contactless transactions. Merchants must support effective training of employees who can in turn show and tell consumers how pleasant and easy contactless purchases can be. Think about how merchants installed PIN pads and were instrumental in steering consumers to enter their 4 digit secret PIN by asking credit or debit? Why did they do this? There was a financial incentive to do so.

    Contactless payments derailed by government intervention

    The Senate passed S. 3217, the “Restoring American Financial Stability Act” on May 20, 2010. This legislation attempts to overhaul the regulatory structure of America’s financial system through increased regulations and the restructuring of our financial regulators. Then along comes the Durbin Amendment. The Durbin Amendment attempts to impose government regulation of Interchange, setting different pricing for the same service and then trying to legislate out competitive market pressures that would naturally bring these together. Considering the importance of the payment system to our economy, consumers, businesses and banks, I feel any Interchange regulation should warrant a stand alone comprehensive approach and its own legislation (if any), not a last minute political earmark amendment.

    The unintended consequences of Interchange legislation should be a concern for all parties, but particularly for small businesses as I’ve discussed here. As it relates to disrupting contactless payments, the Durbin Amendment provides for the setting of minimum charge amounts and challenges the business case of banks issuing and managing debit card programs.

    A preemptive strike by the card companies could change the debate and advance the next generation payment technology. Instead of solely a defensive strategy against legislation and litigation, Visa and MasterCard should set a voluntary and substantial reduction in Interchange in exchange for contactless payment acceptance.

    This was the strategy in the late 80s when I first entered the payments industry. Back then merchants were using a knuckle buster to manually imprint cards and paying a 4% paper draft rate to carry them into the bank teller. We would reduce a merchant’s rate to 2% by investing in a VeriFone Zon electronic draft-capture (EDC) terminal. Sure, the terminal was faster and more efficient, but that’s not why merchants adopted them; they adopted them for the savings.

    Before government or court ordered Interchange intervention, the card companies would be wise to invest in contactless. Visa and MasterCard could make the case that continuing to use old payment technology (mag-stripe cards) carries more risk; and therefore, justifies higher Interchange. And merchants should realize that mag-stripe payment technology will not serve their best interest in the future and that issuers who rely on Interchange income will play an important role in advancing the next generation of payments in the U.S.

  4. David Marsh Says:

    I agree that Chip & PIN will only address a very specific type of attack. There needs to be more comprehensive security built into the payment systems, starting with encryption as Lucas noted above. However, encryption alone is not enough. Tokenization should also be deployed to minimize the risk of merchant breaches.

    If the Fed is going to choose security measures that will reduce fraud, they should emphasize a layered defensive approach that will mitigate multiple types of attack. The fraud countermeasures can ensure secure transmission into the payment networks occurs and then ensure that no PAN data is returned to the merchants.
