Blog article
See all stories »

An article relating to this blog post on Finextra:

Atlanta Fed staffer questions value of PCI guidelines

The US payments industry should reconsider the value of PCI compliance guidance in the light of increasingly sophisticated skimming attacks and instead consider mitigating risk by moving to chip and P...


See article

Taking full advantage of Chip

The Atlanta Federal Reserve's Cindy Merritt -- assistant director of the Retail Payments Risk Forum -- offers a refreshing, plain talking critique of the PCI-DSS regime. She goes to the heart of the matter; the rewards for organised crime are simply so vast that a process and audit based security regime like PCI-DSS doesn't stand a chance. PCI (like policy based security generally) mitigates against accidental loss or amateur attack, but it is nearly useless against concerted sophisticated attacks or inside jobs.

While stakeholder in the US struggle with the business case for EMV, it may help to look a little beyond EMV, because on its own, it still leaves the system open to Card Not Present fraud. The experience worldwide is that organised crime in each market turns to CNP when their skimming methods are throttled by the introduction of chip.

If deployed artfully, chip cards from the EMV system can also thwart CNP attack by introducing strong asymmentric cryptography (digital signing) to Internet transactions.

While the US bricks-and-mortar retail environment faces major switching costs, and they make take years to upgrade their termianl equipment, e-tailers have a wonderful opportunity to foster the use of chip cards to secure payment data in online shopping, for the price of a smartcard reader for each customer.

5307

Comments: (6)

Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 06 June, 2011, 11:06Be the first to give this comment the thumbs up 0 likes

@Stephen W: It's refreshing to read the full picture about EMV, especially the fact that it cannot mitigate CNP fraud, which reportedly constitutes 70% of all card fraud. While a smartcard reader for each customer could provide total protection against fraud, the savings achieved from such a solution needs to be carefully weighed against its additional cost and potential to shrink the target market (e.g. mobile shopping would become impractical; not many people would like to carry a cardreader around). Existing 2FA technologies like VbV/SecureCode could provide a viable alternative. Of course, they also introduce additional friction in the checkout process, thereby threatening loss of revenue from increased shopping cart abandonment. Unfortunately, there seems to be no magic bullet to solve this problem - yet!  

Nick Collin
Nick Collin - Collin Consulting Ltd - London 06 June, 2011, 11:33Be the first to give this comment the thumbs up 0 likes

A very simple EMV solution to CNP fraud is for cardholders to use the EMV cardreader they already use for secure online banking to generate a dynamic SecureCode/VbV for secure e-commerce. More and more banks around the world are already deploying such Remote Chip Authentication - effectively transforming CNP into card present.  Note that the one-time-password can also be used over the phone, and the only thing the cardholder needs to remember is their existing PIN.

Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 06 June, 2011, 12:07Be the first to give this comment the thumbs up 0 likes

@Nick C: I've come across solutions that generate dynamic virtual card numbers that expire after a single e-commerce use e.g., NetSafe from HDFC Bank, India. However, the concept of a dynamic VbV password is interesting and news to me. I've looked all over the Visa / VbV website but could only spot references to static VbV password. Would appreciate public domain references that describe the concept of dynamic VbV passwords as also a list of banks whose Internet Banking cardreaders can be used to generate them.

Nick Collin
Nick Collin - Collin Consulting Ltd - London 06 June, 2011, 14:28Be the first to give this comment the thumbs up 0 likes

Hi Ketharamen - This is quite a new solution and I think MasterCard banks are leading the way, with CAP/SecureCode.  As far as I know, Nordea, and all the Belgian banks (KBC, Dexia, Fortis, ING ...) use this solution, as well as several in Eastern Europe and Turkey.  Technically, it's very straightforward - as an issuer you just treat the OTP as a SecureCode and authenticate in the same way as you would an online banking transaction.  Cardholder education and marketing is more challenging - you have to explain that the cardholder must use their EMV card and cardreader to generate the SecureCode when the SecureCode window pops up.  But I understand it's catching on as a really secure and cost-effective answer to CNP fraud.  If you email me on nick@ncollin.demon.co.uk I'll send you an article I wrote for banking Automation Bulletin on the subject.

Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 06 June, 2011, 15:42Be the first to give this comment the thumbs up 0 likes

@Nick C: Thank you for the clarification that such a solution is led  by MasterCard/SecureCode. I was able to locate its launch press release dated 5 Nov 2008 on the Internet. CAP/SecureCode is surely a highly secure solution. However, going back to my original comment, for an issuer that does not already use cardreader (which is probably 100% of US banks), CAP/SecureCode introduces additional costs. As against this, technologies like (a) VbV/SecureCode with static password, and (b) NetSafe type of dynamic/OTP virtual card numbers, appear to provide adequately secure, yet far more cost-effective, e-commerce alternatives since they don't need cardreaders.

Many US etailers don't seem to have implemented even (a) several years after its launch by Visa/MasterCard, which seems to suggest that the cost and/or friction of deploying (a), (b) - let alone CAP/SecureCode - technologies outweigh CNP fraud losses. Which is anyway the same argument used in the US to keep EMV itself away.

Nick Collin
Nick Collin - Collin Consulting Ltd - London 06 June, 2011, 16:04Be the first to give this comment the thumbs up 0 likes

It's possible to make a very positive business case for CAP/SecureCode, not just in terms of less fraud, but also lower fraud prevention costs, lower password management costs, less call centre enquiries, most use of cost-effective remote channels etc.  The cost of the readers is about £5 or less now, and if you don't like them then we're just begining to see CAP/SecureCode on Display Cards.  As to US banks being any kind of model for the rest of the industry - well just look at the mess they've got themselves into by lagging behind on EMV chip!