29 June 2017
Chris Brown - Trusek
Innovation in Financial Services

A discussion of trends in innovation management within financial institutions, and the key processes, technology and cultural shifts driving innovation.

Will cards disappear before cash?

16 June 2017

In the early 2000s, when the internet was still young, Visa, MasterCard and the other major payment card schemes had a choice. They could build a system that made using credit and debit cards on the internet safe, or they could rely on the unguessability of the card number. As we all know, they chose the latter.

 

By 2004, with online fraud becoming an issue, the five major card schemes, Visa, MasterCard, American Express, Discover and JCB (Japan Credit Bureau), merged their separate security programmes into the first version of the PCI DSS (Payment Card Industry Data Security Standard), released in December 2004 in an effort to secure card numbers. In 2006 the same five brands formed the Payment Card Industry Security Standards Council (PCI SSC) to own and develop the standard.

 

So was born a multi-billion dollar industry built around protecting the card numbers of the large card schemes: protection paid for by every merchant that accepts card payments, by every processor that supplies the technology and, indirectly, by every cardholder. Merchants and processors must recoup their PCI DSS compliance costs or their businesses would not be viable, so they raise the prices of the goods and services they offer consumers. All of this because the card schemes shied away from implementing effective security from the beginning.

 

The card schemes failed to face up to the major security problems while there was still time to do something about them. The first major card breach, at the processor CardSystems Solutions in 2005, when some 40 million cards were compromised, had already highlighted the inadequacy of trying to protect the card number and keep it secret.

 

It is hard to overstate the size of the effort required to protect the ridiculous secret of the card number. Every call centre must ensure that representatives cannot write down a card number, and the call-recording systems they use must have cut-outs so that the card number and CVV are not captured (the CVV may never be retained after authorisation, and any recording that does hold a card number must itself be protected). The systems and networks on which card-storing, processing and transmitting software runs must be assessed every year; for the largest merchants (PCI DSS Level 1) that means an on-site audit by a Qualified Security Assessor, while smaller merchants complete a self-assessment questionnaire. The cost of becoming and remaining PCI DSS compliant can be very high. Depending on the volume of card transactions a company processes, annual audit and compliance costs can range from $50k to $250k, and becoming compliant in the first place can cost up to $1 million.

 

These costs arise from the inadequacies of the systems provided by the card schemes, and they are paid by everyone who uses those flawed systems.

 

The card schemes bear none of the risk associated with their inefficient systems; the risk of a data breach sits with the merchant. Around 90% of card-data breaches hit small merchants, at an average cost of more than $36k each. For larger companies the cost can be vast. In 2013 Target suffered a breach at its bricks-and-mortar stores in the US: 40 million credit and debit cards were exposed to potential fraud after memory-scraping malware was installed on the POS terminals of almost 1,800 stores, and the total cost to Target has exceeded $300m. Home Depot had a similar breach in 2014, when attackers compromised the self-service checkout terminals across its 1,900-plus stores; 56 million cards were compromised, at a cost to the company of more than $179m to date.

 

Such is the value of the secret.

 

Is this a secret that it is possible to keep? In short, no. The usual 16-digit card number (the PAN) starts with a six-digit Issuer Identification Number (IIN, also called the BIN), which is assigned to the financial institution that issues the card, the Issuer. The Issuer will often use the next two digits to define the card programme (which sets the cardholder's transaction fees and limits). The last digit is a Luhn (mod-10) check digit and is derivable from the first 15. That leaves only seven digits to guess, or 10 million possible numbers per programme.

 

If you have access to a bot-net of 10 million machines, how many guesses does each bot need to make to cover every possible card number within one card programme? One. Ten million candidates, each completed with its derivable check digit, spread across 10 million bots is a single attempt per bot.
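As an added example, not part of the original post, the following Python works the arithmetic above through in code: it derives the Luhn check digit, enumerates every Luhn-valid PAN under a fixed prefix, and computes how many attempts each bot must make to cover the space for a bot-net of a given size. The prefix "40000000" is constructed for illustration and is not a real issuer's range.

```python
"""Luhn check digit, and the size of the PAN guess space behind a fixed prefix.

Added example: the prefix values used here are constructed, not real IINs.
"""
from itertools import product
from math import ceil


def luhn_check_digit(partial: str) -> int:
    """Check digit that makes `partial + digit` pass the Luhn (mod-10) test."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:      # these positions are doubled once the check digit is appended
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def is_luhn_valid(pan: str) -> bool:
    """Standard Luhn test over a complete PAN (check digit included)."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:      # every second digit from the right, excluding the check digit
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def guess_space(prefix: str, pan_length: int = 16) -> int:
    """Number of Luhn-valid PANs sharing `prefix`.

    The check digit is determined by the others, so only
    pan_length - len(prefix) - 1 digits are free.
    """
    free = pan_length - len(prefix) - 1
    if free < 0:
        raise ValueError("prefix longer than PAN")
    return 10 ** free


def guesses_per_bot(prefix: str, bots: int, pan_length: int = 16) -> int:
    """Attempts each bot must make to cover the whole space exactly once."""
    return ceil(guess_space(prefix, pan_length) / bots)


def enumerate_pans(prefix: str, pan_length: int = 16):
    """Yield every Luhn-valid PAN under `prefix` (only sensible for short free spans)."""
    free = pan_length - len(prefix) - 1
    for digits in product("0123456789", repeat=free):
        body = prefix + "".join(digits)
        yield body + str(luhn_check_digit(body))


if __name__ == "__main__":
    # 6-digit IIN + 2-digit programme = 8 fixed digits, 7 free, 1 check digit.
    print(guess_space("40000000"))                  # 10000000
    print(guesses_per_bot("40000000", 10_000_000))  # 1
    print(next(enumerate_pans("40000000")))         # 4000000000000002
```

Note that every number `enumerate_pans` produces already passes the check that a naive front end applies first, so the Luhn digit contributes nothing to unguessability; it only catches typing errors.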

 

So what is the alternative?

 

To create a new payment network that is fit for the modern age and doesn’t involve cards. IMPOSSIBLE! I hear you cry? Not so. There is a way, and it will fix many of the other ills facing the banking industry today while it’s at it.

 


Comments: (15)

Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 16 June, 2017, 19:00

Many have tried to replace card in the last 20 years of Internet commerce. They've failed. Good luck trying to succeed in this mission in the next 20. While on this subject, it doesn't matter that merchants were told to cough up the cost of PCI DSS. If V/MC had done something on their own instead, they still would've passed on the cost to merchants. End of the day, for a payment card, V/MC is the supplier and merchant is the customer and, as they say, a good business makes its customer pay for its last cup of coffee.

Alexander Peschkoff
Alexander Peschkoff - TEDIPAY - London | 17 June, 2017, 15:41

It's not about a card. It's about "push" vs "pull". Card networks are already experimenting with both models to hedge the risk of disruption.

Pull is based on a customer providing all the payment to the merchant. Push is based on a customer instructing the issuer (bank) which merchant to pay.

With push, sensitive data stays with the entity that created that data in the first place; and the risk shifts from passing sensitive data to just customer verification (which is needed with Pull too).

Instant payments in Europe is a good example of Push. As it's a direct a/c-to-a/c transaction, it disintermediates the card networks. That's one of the reasons why Mastercard bought Vocalink (I hope that the Mondex scenario is not repeated again).

Anthony Pickup
Anthony Pickup - MYRECS LTD - Manchester | 21 June, 2017, 10:40

One also needs to look at Cash and Cards as Tokens that change with time as well as push and pull payment model.

The physical form of cash has changed over time and will continue to change.

The Card has also changed in form over the last 50 years in terms of technology.

The card schemes will also continue to evolve as consumers require payments to be both pull and push to manage the different use cases.

I foresee that in many use cases cash may be dematerialised as well as cards in some scenarios. The question is will the payment rails be a managed scheme or a scheme modeled more like a cash model (commodity value model).

One thing we can predict is there will only be change if it reduces payment costs to individuals and organisations or it is regulated now in very large markets.

A Finextra member
A Finextra member | 21 June, 2017, 15:48

Okay let's assume you know a BIN/IIN, know that you need a MOD10/Luhn Check Digit and can safely generate a complete and valid PAN (not very difficult - there are helpful tools on the internet to help generate/guess such things).

Getting a hole in one? A valid PAN, with valid CVV and valid MM YY Expiry Date - probably less than 0.001% chance - and if you are trying to validate combinations with any velocity any Issuer worth its salt should be able to work out someone is attempting to guess Card credentials (consecutive failed attempts).

Why are Cards always seen as the bad guy?  Work with what you have - don't chase Unicorns.

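An added example, not part of the comment above or the original post, showing in Python what the two sides of this exchange look like to an issuer's authorisation monitoring. It runs two detectors over a constructed log of authorisation attempts: the per-card "consecutive failed attempts" rule the comment describes, and a per-BIN decline-rate rule. The log, the PAN strings (synthetic, not Luhn-checked), the merchant and bot source names, and the thresholds are all assumptions made for the illustration.

```python
"""Two issuer-side detectors over constructed authorisation attempts.

Added example.  Constructed data: ordinary traffic plus a distributed
PAN-enumeration burst in which each bot submits exactly one guessed PAN.
PANs are synthetic strings; the detectors key on the 6-digit prefix (BIN) only.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthAttempt:
    ts: int          # seconds into the observation window
    source: str      # submitting merchant / bot endpoint (constructed)
    pan: str         # 16-digit card number (synthetic)
    approved: bool


def build_sample() -> list:
    """Constructed log: two BINs, one of them under distributed enumeration."""
    attempts = []
    # Ordinary traffic on BIN 400000: 20 approvals from a handful of merchants.
    for i in range(20):
        attempts.append(AuthAttempt(i * 3, f"merchant-{i % 5}", f"400000{i:010d}", True))
    # Enumeration burst on BIN 400000: 200 distinct PANs, each tried once from
    # its own source (one bot per guess), all declined.
    for i in range(200):
        attempts.append(AuthAttempt(5 + i % 50, f"bot-{i}",
                                    f"400000{9_000_000_000 + i:010d}", False))
    # Control BIN 411111: 30 approvals and 2 unrelated declines.
    for i in range(32):
        attempts.append(AuthAttempt(i, f"merchant-{i % 4}", f"411111{i:010d}", i < 30))
    return attempts


def consecutive_failures_per_pan(attempts, threshold=3):
    """Per-card rule: flag a PAN after `threshold` consecutive declines.

    Never fires when every guessed PAN is tried exactly once.
    """
    streak = defaultdict(int)
    flagged = set()
    for a in sorted(attempts, key=lambda a: a.ts):
        if a.approved:
            streak[a.pan] = 0
        else:
            streak[a.pan] += 1
            if streak[a.pan] >= threshold:
                flagged.add(a.pan)
    return flagged


def decline_rate_per_bin(attempts, window=60, min_attempts=20, max_rate=0.5):
    """Per-BIN rule: in each `window`-second bucket, flag a BIN whose decline
    rate over at least `min_attempts` attempts exceeds `max_rate`.

    Returns {(bin, bucket): (distinct_pans, declines, total)}.
    """
    buckets = defaultdict(list)
    for a in attempts:
        buckets[(a.pan[:6], a.ts // window)].append(a)
    flagged = {}
    for key, group in buckets.items():
        declines = sum(1 for a in group if not a.approved)
        if len(group) >= min_attempts and declines / len(group) > max_rate:
            flagged[key] = (len({a.pan for a in group}), declines, len(group))
    return flagged


if __name__ == "__main__":
    sample = build_sample()
    print("per-PAN streak rule flagged:", consecutive_failures_per_pan(sample) or "nothing")
    print("per-BIN decline-rate rule flagged:", decline_rate_per_bin(sample))
```

On this sample the per-card streak rule flags nothing, because no PAN is ever retried, while the per-BIN rule flags BIN 400000 (220 distinct PANs, 200 declines in one minute) and leaves the control BIN alone. The point for a practitioner is that velocity has to be measured at the level the attack is distributed over, which for a one-guess-per-bot enumeration is the issuer's BIN or programme rather than the card or the submitting source.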
Chris Brown
Chris Brown - Trusek - Amersham | 21 June, 2017, 16:42

In response to the last comment, if issuers mandated the use of CVV and expiry date and checked the information given, you are right that it would be more difficult to guess card details, but the reality is that they don't and a card number alone is enough. This is, at least in part, due to the PCI DSS mandating that the CVV must not be stored, so websites that store card details must send transactions without the CVV.

As to why Cards are always the bad guy? PCI-DSS and massive fines have been mentioned. Add to that the cost of doing business with the card schemes. Visa currently has a market cap of nearly a quarter of a Trillion dollars. That is a huge investment to get a return on every year.

There has to be a better way. If we always continue to work with what we have there would be no such thing as progress.

A Finextra member
A Finextra member | 21 June, 2017, 16:47

Not quite the accurate picture - in order to perform a subsequent unauthenticated transaction a prior authenticated transaction must have been performed (the first time you registered your card on Amazon - for example). For others (like Apple) they ask you to reconfirm the CVV from time to time. Issuers do not just accept eCommerce transactions without authentication of the most basic kind...
Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 21 June, 2017, 17:19

Progress comes from solving problems, not inventing new things just for the sake of it and without understanding the dynamics of the incumbent situation. In any case, so many companies across so many industries have claimed that card payments are costly but have uniformly failed in their attempts to come up with a cheaper alternative for the mainstream market e.g. Dwolla, Carrier Billing, MCX / CurrentC, SoftCard / ISIS, etc. Given this backdrop, I tend to believe that card-replacement products are more a sign of delusion, not innovation / progress.

Like other companies, Visa is measured on Return on Equity, which is based on equity. At $30.783B, Visa's equity is only 15% of its quarter-trillion market cap. AFAIK, there's no metric called Return on Market Cap against which Visa is expected to deliver returns.

Chris Brown
Chris Brown - Trusek - Amersham | 21 June, 2017, 17:44

In my opinion the reason why all the mobile wallet/payment systems have failed is precisely because they have endeavoured to layer them on top of the existing card schemes' rails rather than creating something that's new, better and more pervasive than that which has gone before.

I would go further and say that all of the current payment systems used by banks today are inefficient, expensive, slow and/or exclusive.

That is very much a blog topic in its own right, however.

Alexander Peschkoff
Alexander Peschkoff - TEDIPAY - London | 21 June, 2017, 17:47

Two words (in Europe): PSD2 PISP.

Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 21 June, 2017, 18:30

Oh, no, not true at all. Dwolla, Carrier Billing and SoftCard all began by setting up independent payment rails separate from ACH / card rails. As I highlighted in https://www.finextra.com/blogs/fullblog.aspx?blogid=7438, carrier billing players began life on MNO rails and levied 30-40% transaction fees on merchants. With that kind of fees compared to 1-3% MDR of card networks, it was not surprising that they failed to gain traction. Only then did they hitch themselves to card rails as a last ditch effort to survive, realizing that they could never match card networks' 1-3% MDR.

Alexander Peschkoff
Alexander Peschkoff - TEDIPAY - London | 21 June, 2017, 21:09

You missed the point. PSD2 is about obligatory opening of the existing rails to third parties. On attractive terms. Europe-wide.

Again - as per the previous discussion - the change won't happen overnight. But it will happen.

After you'd been fishing in a desert with your bare hands, your circumstances change dramatically when you are transported to the abundant seashore with the captain of a fishing boat handing you a fishing rod (and a license to fish).

Alexander Peschkoff
Alexander Peschkoff - TEDIPAY - London | 22 June, 2017, 12:02

Pages 48-49: https://www.slideshare.net/ericschmidt/how-google-works-final-1#50

Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 22 June, 2017, 13:08

@AlexanderPeschkoff: JFYI, my comment about Dwolla et al was in response to @ChrisBrown's comment, not your comment about PSD2. 

Alexander Peschkoff
Alexander Peschkoff - TEDIPAY - London | 22 June, 2017, 13:18

Sorry for the confusion, @Ketharaman. You know that I always like our heated debates :)

Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 22 June, 2017, 13:52

@AlexanderPeschkoff + 1. LOL:)

At the risk of sparking off another heated debate, Finextra reported yesterday that tech specs for PSD2 may get postponed to 2019. When I read that, I wondered how many fintechs would be around till then for PSD2 to really matter much!
