Where Are We with Payment Security?

The EMV Standard and Payment Security

In the UK, the migration to EMV technology has reduced fraud in face-to-face transactions since EMV adoption began in 2003.  The EMV standard operates with EMV-compliant cards (which have embedded chips instead of relying on magnetic stripes) and EMV-compliant POS terminals.  The chip requires a PIN entry to complete a secure EMV transaction.  The acronym EMV is derived from the initial letters of Europay, MasterCard, and Visa, all of whom cooperated to create the technology standard.  MasterCard merged with Europay in 2002.  JCB and American Express have since joined the organization as well.

EMV is a textbook example of two-factor authentication: two different factors, the chip card the cardholder has and the PIN the cardholder knows, are required to complete a transaction, and it has been referenced as a key solution for secure, fraud-resistant transactions.  There is a strong push for EMV abroad, and to encourage merchant acceptance, merchants are held responsible for fraud resulting from any non-EMV transactions.  As more countries adopt EMV technology, they are also banning signature transactions.  Australia will ban signatures by 2013.  Canada will not accept magnetic stripe transactions after 2015.  These added security layers will push payment card thieves to focus on easier targets, such as the U.S.  Because EMV is the only method accepted for secure face-to-face transactions abroad, it is also altering how U.S. cardholders conduct (or abandon) transactions in these countries.  This could result in lost revenue for international merchants and will hopefully put pressure on issuers and merchants in the U.S. to adopt EMV.


Ecommerce Data Protection

According to the U.S. Census Bureau, ecommerce sales in 3Q 2009 were estimated at $32 billion, 3.7 percent of total retail sales, an increase of approximately 2.1 percent from 3Q 2008, while total retail sales decreased over the same period.  Visa, MasterCard and JCB already have 3-D Secure protocols in place for online purchases.  Verified by Visa, MasterCard SecureCode and J/Secure (JCB) all require the cardholder to enter a password or unique ID to complete a transaction.  Cardholders must register with the programs for this extra layer of payment security to be applied during a transaction.  Unfortunately, these programs have not been well received or widely implemented, due to the added cost to the merchant and low acceptance among cardholders.  In response, and to support EMV online, MasterCard has developed its Chip Authentication Program (CAP) and Visa has created Dynamic Password Authentication (DPA), its own variant of CAP.  Both generate a one-time code from the EMV chip itself rather than from a static password.  To date, deployment has been minimal.  Last week, ArcotOPT was announced as the first solution using CAP on mobile phones for ecommerce and online banking.  Although the company, Arcot, is based in California, the product was released in Europe, where EMV has a strong presence.  We are not likely to see deployment in the U.S. until EMV takes hold here.

Going Contactless

As contactless card adoption grows (mostly in the small-ticket market: fast food, convenience stores, etc.), so does acceptance of the added payment security these cards already carry.  Contactless cards generate a unique CVV for each transaction.  If thieves were to obtain the payment card data from one transaction, that CVV could not be reused for another transaction.  Additionally, contactless payments do not transmit the cardholder’s name, and some also do not include the account number.  MasterCard recently teamed up with RIM to deploy MasterCard PayPass contactless stickers on BlackBerry phones.  After each PayPass transaction, a confirmation email with the transaction details is sent to the BlackBerry phone.  Verifone has combined its end-to-end encryption solution, VeriShield, with EMV to support contactless payments beginning this spring in the UK and a few other regions.  With end-to-end encryption, no usable cardholder data ever reaches the merchant’s POS device or network, thereby reducing fraud risk.
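To show why a per-transaction CVV defeats reuse of captured data, here is an added example (not code from the original article, and not the real EMV dCVV derivation, which uses card-specific keys and a different construction): a simplified issuer-side check where the code is derived from an issuer key and the card's application transaction counter (ATC), so a code captured from one transaction is declined when presented again. The issuer key, PAN and counter values are constructed.

```python
import hashlib
import hmac

# Constructed values for the example; not real card data or a real issuer key.
ISSUER_KEY = b"constructed-issuer-key-for-illustration-only"
PAN = "4000000000000002"


def dynamic_cvv(pan: str, atc: int, key: bytes = ISSUER_KEY) -> str:
    """Derive a 3-digit code bound to this card and this transaction counter.

    Simplified model: HMAC-SHA256 over PAN||ATC, decimalised to three digits.
    The point is that the code depends on the counter, so it changes every tap.
    """
    msg = f"{pan}:{atc:05d}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1000:03d}"


class Issuer:
    """Authorisation host that tracks the highest ATC seen per card."""

    def __init__(self, key: bytes = ISSUER_KEY) -> None:
        self.key = key
        self.last_atc: dict[str, int] = {}

    def authorize(self, pan: str, atc: int, cvv: str) -> tuple[bool, str]:
        # A counter at or below the last accepted one is a replay or a stale
        # capture, so it is declined before the code is even checked.
        if atc <= self.last_atc.get(pan, -1):
            return False, "declined: transaction counter already used"
        expected = dynamic_cvv(pan, atc, self.key)
        if not hmac.compare_digest(expected, cvv):
            return False, "declined: dynamic CVV does not match counter"
        self.last_atc[pan] = atc
        return True, "approved"


if __name__ == "__main__":
    issuer = Issuer()
    captured = (PAN, 41, dynamic_cvv(PAN, 41))      # what a sniffer would see
    print("genuine tap   :", issuer.authorize(*captured))
    print("replayed tap  :", issuer.authorize(*captured))
    print("next counter  :", issuer.authorize(PAN, 42, captured[2]))
    print("genuine tap 42:", issuer.authorize(PAN, 42, dynamic_cvv(PAN, 42)))
```

The second and third calls are declined: the captured record carries a counter the issuer has already consumed, and the captured code is not valid for any other counter value.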

How About Mobile Shopping?

Smartphone technology, not to mention the iPhone, has significantly increased interest in mobile payments.  Presently, contactless stickers can easily satisfy this demand (as mentioned above with MasterCard and RIM).  Some major card companies have also tested near field communication (NFC) as a contactless payment option.  NFC is a short-range wireless technology that enables the exchange of data between devices held close together.  Payments using NFC also require a PIN to complete the transaction.

It is apparent that various options for added payment security are already available.  The reason these new payment security options are not yet deployed in the U.S. comes down to concern over cost and revenue streams.  Mobile carriers want a piece of the pie when transactions are made using devices over their networks, which slows adoption in carrier channels.  EMV would certainly incur costs for merchants (new POS devices) and card issuers (new cards with chip technology).  Despite these new security protocols, a strong fraud risk still exists with merchants, processors and companies storing sensitive data (in violation of PCI compliance), as well as physical cards being cloned or skimmed.  Costs associated with fraud in the U.S. today are written off as a cost of doing business.  Pending government legislation, card association guidelines and PCI compliance appear to be the only factors pushing for faster adoption of stronger security measures.