Thinking the unthinkable about EMV in the USA
The main reason for the switch to “chip and PIN” is, as we all know, to protect against fraud.
But it only protects against one kind of card fraud and then it only protects completely if we do not allow magnetic stripes.
“But the switch to EMV doesn’t necessarily protect against credit card numbers being stolen, Forrester says. And tokenization, a process that replaces sensitive cardholder information with a unique series of numbers use to identify customers, hasn’t been widely adopted in the U.S.”
Here, I think, I might differ with Forrester. Yes, it is true that tokenisation has only been adopted for Apple Pay, Android Pay and (presumably) Samsung Pay. But the investments in tokenisation mean that it will spread and, what’s more, I firmly predict that mobile will displace other transactions at point of sale (POS) thus bringing tokenisation to the high street. But their main point holds. The dynamic of the fraud changes around chip and PIN introduction are well-known and the overall shape of the fraud curves will undoubtedly be the same in America since, as far as I know, there are no plans to take stripes off of the cards or to start taking stripe readers out of stores.
“It will reduce “card present” (CP) face-to-face and automatic vending fraud, but it will increase pressure on “card not present” (CNP) fraud.”
[From Search Results CNP EMV]
Our experiences in the UK are that not only does CNP fraud increase as the bad guys chase the easy money but that, in time, the fraudsters become more imaginative about attacking chip and PIN as well, adopting a variety of strategies to obtain PINs.
“As had been hoped, chip & PIN has reduced card fraud at POS. As had been expected, some of this fraud has been displaced into Card-Not-Present (CNP) channels to the extent that CNP now accounts for half of all fraud. Fraud on UK cards overseas has increased because the stripes are counterfeited and the PINs are then used to withdraw cash at foreign (non-chip & PIN) ATMs.”
[From Card fraud in the UK]
I wrote this back in 2007, when it was already clear that EMV was displacing fraud in this way. Then, back in 2013, I couldn’t help but look at the issue again in the context of the drive toward smart phone solutions.
“Should the US use chip and PIN online? A few years ago, I thought this would be a good idea (in fact, I worked on a strategy for a US issuer looking at this around five years ago), but the window has been closing. In fact, as technology has moved on, I’d say it’s clear that this will now never happen. We’re not going to add smart card readers to our laptops or mobile phones and we’re not going to use chip and PIN cards in them to transact online. We going to use the smart phone instead.”
[From Search Results CNP EMV]
Now, of course, we can all see that this is correct. Visa, Mastercard, Amex and Discover have delivered tokenisation into the marketplace and so instead of using EMV online we’re going to be using tokenisation. But there are people out there who are asking whether we really need to use EMV cards at all? As I mentioned above, why not use mobile phones and tokenisation everywhere? Why bother putting in the chip card readers or the contactless readers in store, why not just go in-app for everything and give the customer the same payment experience in store, on line, on the phone and any other channels.
“Speaking the CNP Expo  in Orlando, Lee Jurgens from Ralph Lauren… said that the US should have skipped chip & PIN and gone straight to mobile because it is the more secure payment mechanism. He’s got a point, and there’s no point the industry pretending that he hasn’t.”
Now, I can’t pretend to be unsympathetic to this perspective, having long maintained (based on the results of a number of different risk analysis projects carried out by my colleagues at Consult Hyperion) that mobile will be safer than cards, even after the shift to chip cards. Back in 2009, I said that:
“Incidentally, while mobile is certainly underutilised in the fight against fraud, a situation that is beginning to be addressed, tacking mobile on to the end of “traditional” payments is a stopgap.”
[From Window pain]
In other words, using mobile just for authentication doesn’t deliver all of the benefits, we need to use mobile to replace the card itself. For this reason, I was unsurprised to read Visa Inc’s Vice President of Risk Products, Stephanie Ericksen, recently quoted talking about PIN and saying:
“we don’t see a need for it; [chip and PIN] will have a shorter shelf life. We’re moving to new technologies and innovation.”
I am sure that what she means by “new technologies” is, for the foreseeable future at least, mobile phones, strong authentication and tokenisation. It seems to be that because of the additional fraud prevention and detection possibilities afforded by the mobile phone, this might not just be an alternative to chip and PIN but a replacement for it, delivering better value to all of the stakeholders. And the payment schemes could certainly pass on the fraud and other savings in the form of incentives to merchants. The “card present” / “card not present” world will be replaced by the “cardholder is present” and “cardholder was present” world.
“I expect to see a new V/MA rate tier for use of tokens in mobile. “Cardholder present” that will mean liability shift to bank and a rate reduction of around 10-25bps (in the US).”
So just as the US is finally thinking about starting mass market EMV issuing, after equivocating for so many years, and if EMV really does have a “shorter shelf life”, is it time to start thinking the unthinkable and asking whether they should bother?