If only we could get our collective heads around the problem of assuring the pedigree of online information -- be it credit card numbers, or simply name and address -- the ROI for chip cards would be plain to see.
Observation: $100B worth of fraud is ID-related.
Premise: To prevent personal data being replayed behind the backs of its owners, those data can be communicated from shopper to merchant in digital certificates issued to shoppers' personal hardware devices, like smartcards, SIMs or smartphones.
Methods: Most browsers and most servers already have the cryptographic APIs and components built in. The acts of requesting a digital certificate from a smartcard, presenting the certificate to a server, and signing transactions with it, can all be driven from the server side, using XML and Java and the like, with no new client software for the shopper.
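As an added illustration of the premise and methods above (this is not code from the original post), the following Go program models the three parties end to end: an Issuer certifies the shopper's public key together with name and street address, the card (standing in for a smartcard, SIM or smartphone) signs a transaction that the merchant server composed, and the merchant verifies the certificate chain and the signature before reading any identity data out of the certificate. The Issuer name, shopper details, merchant IDs, nonces and the transaction encoding are all constructed for the demonstration; a real deployment would drive the card's own signing interface rather than a software key generated in-process.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Transaction is what the merchant asks the card to sign: binding merchant, amount and a fresh nonce defeats replay.
type Transaction struct {
	MerchantID  string
	AmountCents int64
	Nonce       []byte
}

// digest hashes an unambiguous encoding of the transaction (%q quotes/escapes the ID).
func (t Transaction) digest() []byte {
	h := sha256.New()
	fmt.Fprintf(h, "%q %d ", t.MerchantID, t.AmountCents)
	h.Write(t.Nonce)
	return h.Sum(nil)
}

// keyAndCert generates a P-256 key pair and a three-year certificate; self-signed (the Issuer root) when signer is nil.
func keyAndCert(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if signer == nil {
		signer = key
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(3*365*24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// NewIssuer plays the card Issuer: a self-signed CA that certifies shopper keys.
func NewIssuer() (*ecdsa.PrivateKey, *x509.Certificate, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign, Subject: pkix.Name{CommonName: "Example Card Issuer CA"}} // assumed name
	return keyAndCert(tmpl, tmpl, nil)
}

// Card stands in for the shopper's smartcard, SIM or phone: the private key never leaves it.
type Card struct {
	key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// NewCard personalises a card: a fresh key pair, certified by the Issuer with the shopper's name and address.
func NewCard(issuerKey *ecdsa.PrivateKey, issuerCert *x509.Certificate, name, street string) (*Card, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1001), KeyUsage: x509.KeyUsageDigitalSignature,
		Subject: pkix.Name{CommonName: name, StreetAddress: []string{street}}}
	key, cert, err := keyAndCert(tmpl, issuerCert, issuerKey)
	if err != nil {
		return nil, err
	}
	return &Card{key: key, Cert: cert}, nil
}

// Sign is the only operation the card exposes: an ECDSA signature over the transaction digest.
func (c *Card) Sign(t Transaction) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, c.key, t.digest())
}

// VerifyPresentation is the merchant/Acquirer side: identity attributes are returned only if the
// certificate chains to the trusted Issuer and the signature covers exactly this transaction.
func VerifyPresentation(issuer, cert *x509.Certificate, t Transaction, sig []byte) (pkix.Name, error) {
	roots := x509.NewCertPool()
	roots.AddCert(issuer)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return pkix.Name{}, fmt.Errorf("certificate not trusted: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok || !ecdsa.VerifyASN1(pub, t.digest(), sig) {
		return pkix.Name{}, fmt.Errorf("signature does not cover this transaction")
	}
	return cert.Subject, nil
}

func main() {
	issKey, issCert, _ := NewIssuer()
	card, _ := NewCard(issKey, issCert, "Alice Example", "1 Example Street") // constructed shopper
	tx := Transaction{MerchantID: "merchant-42", AmountCents: 1999, Nonce: []byte("nonce-1")}
	sig, _ := card.Sign(tx)
	subj, err := VerifyPresentation(issCert, card.Cert, tx, sig)
	fmt.Println("genuine:", subj.CommonName, subj.StreetAddress, err)
	// The captured certificate and signature re-presented for a different order at another merchant:
	_, err = VerifyPresentation(issCert, card.Cert, Transaction{MerchantID: "merchant-99", AmountCents: 1999, Nonce: []byte("nonce-2")}, sig)
	fmt.Println("replay:", err)
}
```

Only the Go standard library is used. The point the model makes concrete is that the shopper's name and address never travel "naked": they arrive inside an Issuer-signed certificate, and the merchant accepts them only alongside a signature over its own merchant ID, amount and nonce, so a presentation captured from one checkout is rejected at any other, and a certificate minted by anyone other than a trusted Issuer fails chain verification before the attributes are ever read.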
Submitting personal details to merchant sites by smartcard would be an option alongside regular manual entry of 'naked' credit card details. Merchants (or Acquirers) might levy a surcharge of 1% or so on manually entered data, in line with its elevated risk, to nudge shoppers into switching.
(1) For maybe $1B the majority of merchant websites could be upgraded to process ID data via digital certificates (economies of scale would come from Merchant Acquiring banks and payment gateways making the software upgrades in common shopping cart software)
(2) For a very conservative $5B, every one of 50M American online shoppers could be given a smartcard reader, training and support (in an increasing number of cases, consumers will find they have smartcard readers built into their computers, like the Dell E6500 and numerous HPs; the penetration of integrated smartcard readers would jump overnight* if banks supported smartcards for secure transactions over the Internet)
(3) For no more than $1B, Issuers could switch hundreds of millions of magnetic stripe cards to chip (and many are going to do this anyway in response to demands from travellers who have trouble using their regular US-issued cards overseas)
(4) Let's ignore the oft-cited $10-20B "EMV enablement" cost in the US, since that figure is dominated by the cost of switching retail merchants' point-of-sale terminals, whereas what I'm talking about is using chips online for e-commerce, which calls for no new hardware at all on the merchant side.
So for a $7B investment, most of the e-commerce component of the $100B loss could be saved. The same digital certificate methods could be used in any setting where identity data is presented online and there is a risk to the receiver of impersonation; e.g. new account origination (as discussed recently by Robert Siciliano), and all manner of e-health apps.
It's ironic that the business case for EMV cards -- intended originally to address card-present fraud -- might be more attractive if they were initially used in the US for online shopping, not face-to-face. Why not let bricks & mortar Acquirers and retailers follow in their own good time?
*Footnote. Rapid deployment of integrated smartcard readers has happened before. In January 2003, Bill Gates announced that smartcards were Microsoft's preferred means for future authentication; their software from XP onwards already included native smartcard APIs. Within a mere four months of the announcement, Dell released the first notebook PC with a built-in smartcard reader; Acer, Compaq and others followed quickly. Third party smartcards and applications failed to materialise in significant numbers, and through 2004 the computer manufacturers took the readers out of their products, to use the precious space for other features. The lesson is that computer companies are at a tipping point. Now that there are over a billion smartcards on issue, all it would take to see integrated readers become ubiquitous would be for a large institution to release a smartcard-based online payment or ID solution.