
Chip and Signature, a Paradise Lost

By now, most participants in the US payments industry have realized that the days of the magnetic stripe are numbered and that EMV, the secure payment card technology rolled out in Europe nearly a decade ago, is finally about to make its debut in the US. Incredible as it may seem, the financial integrity of the payment card industry still relies on 1970s technology. What I find even more shocking is that, despite all the security breaches, card data thefts and evidence that cybercrime continues to outsmart even the most sophisticated security systems (JP Morgan Chase being the highest-profile casualty), the majority of US credit and charge card issuers have not pushed harder for a complete transition to Chip and PIN across their entire card estates. Instead, major players such as Chase and American Express, among many other key institutions, have opted to issue Chip and Signature cards by the millions.

While any attempt to prevent card fraud with enhanced security should be welcomed, we also need to be mindful of the problems that follow from issuing Chip and Signature cards. One of the most obvious is that in countries that have made Chip and PIN their payment card standard, Chip and Signature cards are close to useless. Forget the premise that a signature must be accepted as an alternative to a PIN; in practice that simply isn't the case, and an unattended terminal has no cashier to take a signature in the first place. It is cold comfort to find oneself stranded when checking into a hotel late at night, buying a travel ticket at an unattended kiosk, or picking up necessities at a late-night convenience store, and the transaction cannot be completed or is rejected. Simply put, for the international traveller Chip and PIN is mandatory, and for good reason.

Chip and Signature is not as secure as Chip and PIN; that is a fact, and consequently we should not expect the reduction in card-present fraud that EMV Chip and PIN delivered elsewhere to be realized in the US, particularly as the majority of cards issued there will be Chip and Signature. Fraudsters will always find the weakest link in the process, and here it is the signature. The chip proves that the card is genuine; it does nothing to prove that the person holding it is the cardholder. A stolen card, or one intercepted in the post before it reaches the genuine customer, can simply be signed in the fraudster's own handwriting, and the chip will authenticate the transaction perfectly well. Chip and PIN has operational burdens of its own (the issuer must assign a PIN before mailing the card, and a PIN reset can require the cardholder to appear in person at a branch), but the sad fact is that the critical security benefit that comes with a PIN is seriously undermined by reliance on an easy-to-fake signature.

As many have written in the past, myself included, EMV is a much-needed security technology that significantly raises the bar for payment card fraud by virtually eliminating the ability to manufacture cloned cards, something that accounts for as much as 45% of all payment card fraud today. While Chip and PIN is part of the solution for the US, it is not without serious issues of its own, including exploitation through so-called "replay attacks", even before one considers the implementation costs and the additional burden on merchants. So while I applaud the US for its effort to adopt a more modern consumer card protection scheme, by taking only a half step into EMV, with clearly weaker signature authentication, the industry is investing hundreds of millions of dollars in an infrastructure that will not produce the security it expects. It will no doubt confuse and anger consumers who expect increased fraud protection and, worse, it may actually exacerbate card fraud through increased physical card theft, putting customers and their money at risk, since the card itself is now the primary, and in practice the only, authentication factor. Clearly, Chip and Signature is not the answer.

Today, almost two out of three Americans have been exposed to, or have become victims of, data theft and card fraud, suffering the stress and aggravation of having their accounts unlawfully accessed and their cards replaced, in some cases multiple times. The card issuers appear to be accepting this as the status quo, so perhaps what is needed is action, like the example set by the White House, which announced that President Obama has signed an executive order mandating the use of Chip and PIN technology for card payments at executive departments and agencies and is formulating new multi-factor authentication guidelines to protect personal data available online. One can only hope that this is the catalyst the US needs to truly move forward and protect its consumers against card-present fraud. Whilst these measures are clearly a step in the right direction, however, there is more that can be done.

So the die is cast, and the US will have Chip and Signature alongside Chip and PIN. There is, however, a way to address the fraud exposure of Chip and Signature. EMV can be combined with zero-friction, real-time authentication technologies such as privacy-sensitive proximity/geo-location correlation, which checks that the genuine customer's trusted device is at the place of the transaction. If further user or transaction verification is required, an automated "conversation" can be conducted with the customer through an app on the mobile phone using voice biometrics, providing the highest level of transaction verification in a very low-friction format (this model could also be applied to card-not-present fraud, but that is a separate discussion). The audit trail such an approach produces provides the greatest assurance in the event that a transaction is repudiated, the bane of the payments industry today for both the consumer and the service provider. This approach recognizes that authentication matters not just at the initiation of a transaction but throughout, persisting to completion via true transaction verification. Underpinning such an implementation is the trusted device, established during a low-friction enrolment/registration process and a strong contributor to the "invisible" security process. This is probably the strongest barrier available today.
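To make the proximity-correlation step concrete, here is an added example of the kind of decision an issuer could make at authorisation time. It is illustration only, not ValidSoft code or anything the article describes in detail: the policy (approve when the enrolled device is at the merchant, step up to a voice check when it is not, decline when device and merchant are provably too far apart to be the same person), the thresholds, the enrolment table and the sample coordinates are all assumptions. It also goes slightly beyond the text by applying a tighter radius to signature-verified transactions than to PIN-verified ones, since the signature adds nothing to cardholder verification.

```python
"""Proximity correlation for a card-present EMV transaction.

Added illustration, not ValidSoft code: the decision policy, thresholds,
device enrolment table and sample coordinates below are all assumptions.
"""
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Optional

EARTH_RADIUS_KM = 6371.0
MAX_FIX_AGE = timedelta(minutes=15)        # older device locations are not trusted
NEAR_KM = {"pin": 1.0, "signature": 0.3}   # tighter radius for the weaker CVM
FAR_KM = 50.0                              # beyond this, check travel plausibility
MAX_SPEED_KMH = 900.0                      # faster than an airliner: impossible travel


@dataclass(frozen=True)
class DeviceFix:
    """Last location reported by the cardholder's enrolled mobile app."""
    device_id: str
    lat: float
    lon: float
    at: datetime


@dataclass(frozen=True)
class Transaction:
    """Card-present authorisation request as seen by the issuer."""
    card_id: str
    cvm: str            # cardholder verification method: "pin" or "signature"
    merchant_lat: float
    merchant_lon: float
    at: datetime


@dataclass(frozen=True)
class Decision:
    action: str         # "approve", "step_up" (voice-biometric call) or "decline"
    reason: str
    distance_km: Optional[float]
    fix_age_s: Optional[float]


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two latitude/longitude points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def correlate(txn: Transaction, fix: Optional[DeviceFix], enrolled: dict) -> Decision:
    """Decide whether the trusted device places the cardholder at the merchant."""
    # Only a device bound to this card during enrolment counts as evidence.
    if fix is None or fix.device_id not in enrolled.get(txn.card_id, set()):
        return Decision("step_up", "no location from an enrolled device", None, None)
    age = txn.at - fix.at
    if age < timedelta(0) or age > MAX_FIX_AGE:
        return Decision("step_up", "device location is stale", None, age.total_seconds())
    dist = haversine_km(fix.lat, fix.lon, txn.merchant_lat, txn.merchant_lon)
    if dist <= NEAR_KM[txn.cvm]:
        return Decision("approve", "enrolled device is at the merchant", dist, age.total_seconds())
    # Device is elsewhere. If nobody could have carried it to the merchant since
    # the fix, card and phone are provably apart: someone else has the card.
    hours = max(age.total_seconds(), 1.0) / 3600.0
    if dist > FAR_KM and dist / hours > MAX_SPEED_KMH:
        return Decision("decline", "impossible travel between device and merchant",
                        dist, age.total_seconds())
    return Decision("step_up", "device not at the merchant", dist, age.total_seconds())


def audit_record(txn: Transaction, fix: Optional[DeviceFix], decision: Decision) -> dict:
    """Evidence retained for a later repudiation dispute."""
    return {"transaction": asdict(txn),
            "device_fix": asdict(fix) if fix else None,
            "decision": asdict(decision)}


# --- constructed sample data (not real cards, devices or merchants) ---------
NOW = datetime(2014, 10, 29, 11, 35, tzinfo=timezone.utc)
ENROLLED = {"card-1234": {"phone-A"}}           # card -> devices bound at enrolment
MERCHANT = (51.5074, -0.1278)                   # central London


def demo() -> dict:
    """Run the policy over a few scenarios; returns scenario -> action."""
    sig = Transaction("card-1234", "signature", *MERCHANT, NOW)
    pin = Transaction("card-1234", "pin", *MERCHANT, NOW)
    nearby = DeviceFix("phone-A", 51.5134, -0.1278, NOW - timedelta(minutes=2))  # ~0.67 km
    cases = {
        "at_merchant": (sig, DeviceFix("phone-A", 51.5080, -0.1290, NOW - timedelta(minutes=2))),
        "nearby_pin": (pin, nearby),
        "nearby_signature": (sig, nearby),
        "stale_fix": (sig, DeviceFix("phone-A", 51.5080, -0.1290, NOW - timedelta(hours=1))),
        "across_town": (sig, DeviceFix("phone-A", 51.5300, -0.0800, NOW - timedelta(minutes=10))),
        "other_continent": (sig, DeviceFix("phone-A", 40.7128, -74.0060, NOW - timedelta(minutes=5))),
        "unknown_device": (sig, DeviceFix("phone-Z", 51.5080, -0.1290, NOW - timedelta(minutes=2))),
    }
    return {name: correlate(t, f, ENROLLED).action for name, (t, f) in cases.items()}


if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name:18s} -> {action}")
```

Two design points are worth noting. Everything that is not a clear match falls to the step-up path rather than to an outright decline, because a missing or stale location is far more often a phone left at home than a fraud; only the case where card and enrolled device cannot physically be together is declined. And the audit record keeps the raw inputs alongside the decision, which is what a dispute handler needs when a cardholder later repudiates the transaction.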

As I have said previously, card fraud and security is a complex global problem without any single solution. It is therefore incumbent upon the industry, a moral responsibility I believe, to leave no stone unturned in protecting our customers from fraud. EMV is one technological piece of the puzzle. Device trust, incorporating proximity correlation, combined with strong user authentication, incorporating multi-factor authentication and voice biometrics, are highly complementary technologies for stopping fraud and for helping to ensure that when identity and payment card data are stolen, the data is rendered worthless to the fraudsters. Without such a holistic approach we present only a mirage, an appearance of protection that will vanish when tested by today's sophisticated cybercrooks.


Comments: (4)

Melvin Haskins - Haston International Limited - 29 October, 2014, 11:35

Pat - an excellent article. One minor correction. In the UK it is not necessary to visit a branch to change the PIN. It can be done at any ATM owned by the issuer.

Pat Carroll - ValidSoft - London, 30 October, 2014, 13:31

Many thanks Melvin. You are correct that this is the process in the UK, unless of course the consumer has forgotten their PIN entirely, which requires a reminder or a new PIN to be sent by post. In the US the process appears to be different, as the banks I spoke to don't allow PIN resets at the ATM, instead relying on a process whereby the customer must appear in person at the bank with their card and ID.

Melvin Haskins - Haston International Limited - 30 October, 2014, 13:44

Pat

I have changed the PIN on my US card by calling an 0800 telephone number and answering a number of automated questions - date of birth; month and year in which the account was opened, as well as providing the card number and the expiry date. However, I do agree that retaining signatures is foolish.

Pat Carroll - ValidSoft - London, 30 October, 2014, 13:50

The process you describe makes total sense Melvin, in particular as Chip and PIN is primarily focused on the international traveler (if I am abroad I can't present myself at my branch). It does also highlight additional potential security vulnerabilities concerning PIN resets and spearphishing.

Pat Carroll, Founder/Executive Chairman, ValidSoft (London). Member since 17 Mar 2011.

This post is from a series of posts in the group: Disruption in Retail Banking