Blog article
See all stories ยป

What can kill EMV

For those in a hurry, here is an executive summary: ISO 9798, assisted by the likes of Verayo (as well as femtocells and in-store Wi-Fi).

Anyone remotely familiar with EMV knows that it's a mess. EMV is a global standard that covers inter-operations of "chip" bank cards and compatible devices (POS terminals and ATMs). There are 16 (!) variations of EMV implementation when it comes to card authentication, transaction authorization and cardholder verification. EMV is at v4.5 and runs into over 700 pages. It represents interests of just four companies - I don't count the merchants and the issuers here (a subject for a separate blog post). The main purpose of EMV is to provide secure authentication of transactions.

There is another global standard for secure authentication of remote transactions, used over 10bn times every day. It is concisely spelled out on just seven pages and represents interests of over 800 companies. Like EMV, it relies on the use of "chip" cards. Unlike EMV, it does not require secure/approved/certified equipment - any mobile phone will do. Secure POS card terminal based on this standard costs less than $10. Including NFC.

I am, of course, talking of GSM - more specifically, ISO 9798 (which GSM authentication protocol was derived from).

EMV is "curated" by Visa and MasterCard - the global, universally accepted, payment channels. They are known within the payment industry as the "schemes" and that is where the problem with EMV lies. Well-intended desire to be universally accepted forced Visa and MasterCard to work with merchants even at remote locations where no means of communications were available. For that purpose, offline authentication was included into the EMV protocol specifications.

That was fine twenty years ago, but the world has since moved on. Telecom and the internet have become omnipresent phenomena. There are very few "unconnected" places left out there, with no fixed or mobile telecom facilities. Hence, there are no longer any strong reasons for not using online-only authentication. Allowing offline authentication for the sake of offering EMV acceptance in a few "off the grid" places drags the whole EMV concept down.

When - not "if" - payment transactions move to online-only authentication, the role and importance of EMV (and, potentially, of Visa and MasterCard) could be greatly diminished. I don't want to oversimplify things here, but one of the key functions of the schemes is to act as a "gateway/router" for channeling the transactions between the parties involved (acquirers, issuers, processors). That is something that Cisco has been doing efficiently and successfully, on a much larger scale, for years. Without charging any, let alone percentage-based (!), "interchange fee".

If the "schemes" do not become a "network", somebody else will take that space. There are several players - big and small, both insiders and outsiders - who are eyeing that opportunity. For example, the Mobino's CEO who worked with Tim Berners-Lee on HTTP and HTML is planning to bring the same logic to payments.

I am at the NFC World Congress in Nice next week where I am moderating the "Transport and Ticketing" session as well as taking part in the "World's Smart Cities" panel, representing London - will no doubt get some material for more thought-provoking blog posts.

5062

Comments: (6)

Philip Harrison
Philip Harrison - UK / Europe / Russia - London 16 September, 2012, 12:27Be the first to give this comment the thumbs up 0 likes Great commentary, Alexander. While Visa and MC do offer far more than just network management (eg. regulation, arbitration, global branding etc), the ice on which they are skating in the world of mobile payments is getting thinner.. Philip Harrison
A Finextra member
A Finextra member 16 September, 2012, 12:41Be the first to give this comment the thumbs up 0 likes @Philip - Absolutely: I only touched the "rails" part of the schemes. As for the regulations etc, surely they play an important role there. At the same time, the payments can be viewed as a "two-party" process that involves the issuing bank and the acquiring bank, and those parties can already interact well without any intermediaries.
John Dring
John Dring - Intel Network Services - Swindon 17 September, 2012, 09:06Be the first to give this comment the thumbs up 0 likes

Great blog and insight. But history shows 2 things (that come to mind) - Betamax did not displace VHS, and Mobile Operators and Banks don't sit easily together!

Matt Scott
Matt Scott - RenovITe Technologies Inc - London 17 September, 2012, 11:53Be the first to give this comment the thumbs up 0 likes I think the Offline component was also intended to reduce the strain of OLTP on Acquirer and Issuer Systems as, at the time, this was projected to sky-rocket well beyond the capabilities of the (then) current systems. As it happens most EMV issuers set their initial chip parameters with very low offline floor limits (often zero) as confidence in the technology was particularly low.
Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 19 September, 2012, 12:39Be the first to give this comment the thumbs up 0 likes

I've generally thought of mobile payments to be a solution chasing a problem. By pointing out its "auto authentication" capability, you've highlighted a very different - and valuable - side of mobile payments. Props for doing that!

However, I've a feeling that only the mobile POS use case of mobile payments - a la SQUARE and iZettle - can provide EMV-equivalent authentication. In the mobile wallet use case, 'who you are' (i.e. IMEI #) and 'what you have' (i.e. card details) both reside on a single device (i.e. smartphone). The loss of this device can pose a far bigger security hazard than losing an EMV card where only the cardholder knows the PIN (this assumes that smartphone users generally don't set a lockscreen password). 

Even in the first use case (mobile POS), you've pointed out correctly that EMV only enjoys the support of four companies. But, the problem is, these four companies enjoy the status of judge + jury + executioner when it comes to the card rails. So, as long as mobile POS services use card rails, their providers will forever be at the mercy of these four companies. Haven't we already seen a glimpse of their hegemony when Visa banned iZettle from accepting Visa cards (if I'm not mistaken, for violating EMV device connection rules)?

A Finextra member
A Finextra member 19 September, 2012, 14:48Be the first to give this comment the thumbs up 0 likes I am sure Visa's decision was purely down to EMV rules & regs and nothing ti do with Visa Inc.'s shareholding in Square... Remember that a Wallet app could enforce passcode security and most phones have a remote kill/wipe function which mitigates the risk somewhat. I think the fact that Apple is launching the Passbook app with QR Barcodes is quite telling of their confidence in NFC. Really it should be driven by the major cardschemes (Visa, MasterCard, China UnionPay) to define a Mobile Wallet standard to help boost adoption rates worldwide.

Retired Member

Member since

19 Mar 2009

Location

Blog posts

4,292

Comments

5,034

More from Retired

This post is from a series of posts in the group:

Innovation in Financial Services

A discussion of trends in innovation management within financial institutions, and the key processes, technology and cultural shifts driving innovation.


See all