Should we have chip only payment cards?

Should sensitive cardholder data be held as standard in magnetic stripes on European EMV cards?

The European ATM Security Team (EAST) has conducted a website poll on this topic. On currently available plans, by the end of 2010 all ATMs within Europe are expected to be EMV (Chip and PIN) compliant. The data on the magnetic stripe is no longer required for a transaction at EMV compliant payment terminals and ATMs. Over the past decade the industry has invested a substantial amount into this technology.

The magnetic stripe data, which is vulnerable to being copied or ‘skimmed’, is only required for transactions outside Europe at terminals/ATMs that are not EMV compliant.

EAST is bringing focus onto this issue to encourage industry discussion and debate.

Comments: (19)

A Finextra member 26 November, 2009, 11:39

And how would cardholders who pay for INTERNATIONAL cards be able to use their chip only cards outside of Europe?

Nick Green - ISD Consultants - Northampton 26 November, 2009, 14:53

For the international traveller it has been suggested, in the past, that you have two cards with different numbers - one for the EMV world and one cheap magstripe for the non-EMV world. On a different but practical point even a chip only card would have to have some mag tape on - it's how ATMs detect you have the card in the right orientation. Additionally removing the tape would reduce the life of the magstripe reader (magnetic tape is soft compared to plastic) that would have to remain for non-EMV visitors.

A Finextra member 26 November, 2009, 17:35

Having different cards for European Domestic and International is a good idea - implementing them with different Card and Account properties would limit risk exposure in the event the International Mag Stripe is compromised.

Isn't this where V-Pay was meant to be taking the Market in Europe - to an EMV only Acquiring Zone?  I still believe there are unresolved issues with regards to Card/Cardholder Not Present transactions (Mail Order/Telephone Order & e-Commerce).

A Finextra member 27 November, 2009, 06:47

As ATM skimming gets more and more popular and credit card companies suffer bigger losses, it is pretty obvious that the world is moving towards chip-only cards.

In Europe a chip-only card would already function very well. ATMs are almost fully chip compliant already, and for vendors which have not yet upgraded to EMV terminals it only serves them right to have to manually input the chip-only card's number in their terminal - maybe they'll get tired of it eventually and get the EMV terminal.

When travelling to non-EMV countries, one would carry along a debit card (Visa Electron, Mastercard Maestro) with a magstripe for ATM withdrawals, and the chip-only card for purchases - again entered manually to the sales terminal.

To have to enter the card number manually increases the responsibility of the sales terminal holder, who must check the validity of the card by hand. The CVV number is also stored with the card processor as "input manually". This decreases credit card fraud, because the fraudsters cannot use blank cards or operate anonymously. And this goes for magstripe countries as well.

If  Europe moves to chip-only cards, making fraud very difficult, the fraud schemes will hit other areas of the world twice as bad. This will probably result in American and Asian banks finally considering the EMV as well.

A Finextra member 27 November, 2009, 09:59

"If  Europe moves to chip-only cards, making fraud very difficult, the fraud schemes will hit other areas of the world twice as bad. This will probably result in American and Asian banks finally considering the EMV as well."

But card fraud rate in the U.S. is less than half of the card fraud rate in the UK, for example, because U.S. credit cards are rarely issued with pin-codes. What's the point in skimming a U.S. mag-stripe, signature-based card if there isn't a pin-code that goes along with it? How can you possibly motivate a country to solve your problem when its fraud rate is less than half yours?

Once again, the problem solving is done by everyone without regard for consumers.

Instead of issuing multiple cards, which by the way isn't a novel idea since a French bank mulled this idea over in 2003 but decided against it, why not change the ATMs and stand-alone POS in Europe to have dual card slots, one to process the chip (not require the cardholder to put the entire card in the slot), and the second slot for regular mag-stripe based cards? This way you don't need to issue multiple cards.

"When travelling to non-EMV countries, one would carry along a debit card (Visa Electron, Mastercard Maestro) with a magstripe for ATM withdrawals"

And this will make card accounts safe?

How about carding? I'm sure most people here know that a card number has to conform to a Luhn-digit check and it's common knowledge that fraudsters have lists of BINS and the following range of numbers that represent Platinum, or Gold, accounts. Issuing multiple cards also as acknowledged in one comment, does not solve CNP fraud.

Another solution which a group of European banks admitted is the most efficient method to deflect the increase of cross-border fraud (as well as CNP fraud) is to enable the cardholder to activate or deactivate their card for out-of-country use and CNP use. This way, even if the cards get skimmed, the clone cards are rejected. Even if a carder gets the correct card number with cvv/exp date, the fraudster will not be able to use the card details in a CNP transaction.

Nick Green - ISD Consultants - Northampton 27 November, 2009, 10:55

Marite,

I didn't say the two card idea was novel - yes it's been around for years.

"How can you possibly motivate a country to solve your problem when its fraud rate is less than half yours?"

Shouldn't this be OUR problem because ultimately we all pay for fraud and I would question the statement that the US has less fraud; they tend to measure it in a different way which makes it look less than it is.

EMV isn't just about fraud it also offers control to the issuer to manage cardholders' spend at the point of sale and to develop other products and services. With EMV it is possible for an Issuer to issue cards that may only be used in a restricted type of retail environment (eg T&E) the terminal and card can determine this without reference to the Issuer host - try doing that with a magnetic stripe.

CNP does continue to be an issue - I'm currently working with a company that have a new approach (NDA means I can't say much) but it won't be a rapid adoption as it is reliant on specific environmental changes (sorry it's vague) but when it was demonstrated to a global card scheme it created an OMG moment - and yes it uses EMV.

A Finextra member 27 November, 2009, 12:00

"I would question the statement that the US has less fraud; they tend to measure it in a different way which makes it look less than it is."

Question it all you want. The explanation is simple and logical. No static pin-code (signature-based) = no reason for skimming.

"With EMV it is possible for an Issuer to issue cards that may only be used in a restricted type of retail environment (eg T&E) the terminal and card can determine this without reference to the Issuer host - try doing that with a magnetic stripe."

Wonderful. Perhaps, they'll start issuing Electron EMV cards which will enable cardholders to pay for toll or parking.

"CNP does continue to be an issue - I'm currently working with a company that have a new approach (NDA means I can't say much) but it won't be a rapid adoption as it is reliant on specific environmental changes (sorry it's vague) but when it was demonstrated to a global card scheme it created an OMG moment - and yes it uses EMV."

The implementation of most of these OMG solutions usually resulted into getting into the 'chicken and the egg' conundrum and this is what kills the golden goose.

"Shouldn't this be OUR problem..." 

I noticed you didn't say anything about my comment regarding installing dual slots in ATM machines (some exist already) and stand-alone terminals. 

Most times, solutions to problems are quite simple.

But problems are solved only by those that have the motivation to solve them. And each of us that sell solutions, of course, will push for what will make us money and not necessarily the most efficient solution.

The entire CARD payment industry has gone haywire in any case. Instead of keeping card payments simple and less costly for all market participants, it has evolved into complicated, expensive networks serviced by a few players. I look forward to PSD which opens up the payment industry in Europe. Certainly, competition always leads to more efficient products and services. 

Lachlan Gunn - BenAlpin Ltd - Perth 27 November, 2009, 15:29

Marite

I like the possible solution you mentioned:

"Another solution which a group of European banks admitted is the most efficient method to deflect the increase of cross-border fraud (as well as CNP fraud) is to enable the cardholder to activate or deactivate their card for out-of-country use and CNP use. This way, even if the cards get skimmed, the clone cards are rejected. Even if a carder gets the correct card number with cvv/exp date, the fraudster will not be able to use the card details in a CNP transaction."

Does anyone know if there is a suggested practical or favoured approach to this?  How would the cardholder do this?  By telephone, by SMS, by Internet? Has anything been tested?

 

Cedric Pariente - EFFI Consultants - Paris 28 November, 2009, 10:33

I think there is a key component missing here:

The opinion of the users !

Do you really think people would appreciate being forced to have 2 cards because specialists think it's better for them?

Ask them also what they think of VBV or SecureCode that has been thrown away at their face without notice asking for their birthdate in order to "secure" their online transaction.

Before adopting a solution, the users' opinion should be mandatory.

A poll is necessary, but a real one, independent. Not from "an independent survey company" that is sponsored by banks or payment networks.

A Finextra member 30 November, 2009, 09:45

Lachlan, "Does anyone know if there is a suggested practical or favoured approach to this?  How would the cardholder do this?  By telephone, by SMS, by Internet? Has anything been tested?"

Yes, this is done via IVR/telephone, SMS, Mobile Interface, Web Interface. The proof of concept was delivered in 2003 through a successful pilot with real cardholders with subsidiaries of French metropolitan banks such as SOCREDO Banque, Banque de Tahiti and Banque de Polynesie.

Please check your Finextra inbox. I sent you a private message.

Peter Gullberg - Todos AB - a Gemalto company - GOTHENBURG 30 November, 2009, 15:09

It's a good idea, but I think the correct question should be:

- Should chip based ATM-cards continue to have automatic fallback to magstripe in magstripe only ATM's?

It seems that MasterCard and VISA haven't really adopted the liability shift between Europe and US, where some banks still lose money, even though they have incorporated all the security features that technically would remove this type of fraud.

A Finextra member 30 November, 2009, 15:56

"Should chip based ATM-cards continue to have automatic fallback to magstripe in magstripe only ATM's?"

I don't see how else cardholders would be able to withdraw money other than to allow the processing of mag-stripe/static pin-code with these magstripe only ATMs. It ain't really a fallback in any case. Fallback rule refers to a condition wherein the ATM that can process chip, deems the chip 'unreadable', therefore it falls back to reading the magstripe.

"It seems that MasterCard and VISA haven't really adopted the liability shift between Europe and US, where some banks still lose money, even though they have incorporated all the security features that technically would remove this type of fraud."

There is no liability shift in Canada or the United States. Although we do read about Liability shift in Asia Pacific, I'm not so sure that this is accurate. For example, Singapore does not have even a single ATM machine that processes the chip.

Shift in business rules that are imposed onto the market usually trigger antitrust inquiries and procedures. Recall, the two antitrust cases with the European Commission concerning VISA and Mastercard.

 

 

A Finextra member 01 December, 2009, 11:07

With regards to Fraud Rates - are you talking US Issuer or US Acquirer rates - because I think you will find America is a prime target to take skimmed card data to because of the "less complex" security applied to processing there.  In the instance of at least one European Issuer I am aware of they simply decline or refer any Authorisation Requests from America due to the exponential growth of Skimmed Fraud in that area.

I find it difficult to believe that Cards are issued in America with Signature as the only method of Cardholder Authentication - forging a signature is easy and most cashiers will not notice if you write Donald Duck anyway.

A Finextra member 01 December, 2009, 13:26

"Forging a signature is easy and most cashiers will not notice if you write Donald Duck anyway."

See : https://www.finextra.com/blogs/fullblog.aspx?blogid=3595

If a merchant in the U.S. accepts a card without checking the signature, and if the cardholder disputes the transaction, then the Issuing Bank charges back the amount to the Merchant, and the salesperson or the merchant will then learn not to accept cards without checking the signature.

"With regards to Fraud Rates - are you talking US Issuer or US Acquirer rates - because..."

Issuer related fraud rate, of course and this fraud rate is more important since the Issuer can always charge back a transaction to the Acquirer if the card was not properly accepted. If a clone of a skimmed European card is used in an ATM machine in the U.S, with the correct pin-code, it is the European issuer that refunds the money to the cardholder. If a clone of a skimmed US card is used in an ATM machine in Europe, with the correct pin-code, it is the U.S. card issuer that refunds the money to the cardholder.

"In the instance of at least one European Issuer I am aware of they simply decline or refer any Authorisation Requests from America due to the exponential growth of Skimmed Fraud in that area"

Too bad for this European Bank's stranded cardholders... 

 

"I think you will find America is a prime target to take skimmed card data to because of the "less complex" security applied to processing there." 

The other side of that coin is : "Europe is a prime target to skim the magnetic stripe of cards and record the pin-codes because of the proliferation of stand-alone POS and ATM terminals."

Protecting European cardholders against card skimming does not involve rocket science. It's definitely not for the lack of security solutions that European cards are prime targets of skimmers. 

A Finextra member 01 December, 2009, 21:52

I think you've missed the point of the original statement - which was - if we remove mag stripes from cards will fraud be reduced and the answer to this is yes - undeniably.

Skimmed European EMV Cards will mostly be rejected at EMV-enabled ATM's (mis-configured hosts may still permit the auth as technical fallback).

Skimmed US Cards can be used at any ATM because there is no way to tell a Skimmed Card from a Genuine Card (no Chip).

Eventually Fraud losses will reach a point where the International Cardschemes will take corrective action.

A Finextra member 02 December, 2009, 09:29

Matt : "I think you've missed the point of the original statement - which was - if we remove mag stripes from cards will fraud be reduced and the answer to this is yes - undeniably."

EAST is bringing focus onto this issue to encourage industry discussion and debate. 

And if you read the entire thread of this discussion and debate, you will note that I commented on other solutions such as putting dual slots in ATMS and standalone POS and giving cardholders the ability to TURN ON/TURN OFF their cards for out of country use and CNP use.

And if you read the entire thread of this discussion and debate, you would have noted that the first question I asked is if you remove the magstripes, how would European cardholders be able to use their cards in non-EMV countries (still in Asia/Pacific, Middle East, North America, South America).

In summary, I commented on alternatives which in essence could rewrite the question to "If we offer dual slots in ATM machines and standalone POS, will fraud be reduced and the answer to this is yes - undeniably."

"If we offer cardholders the ability to turn off and turn on their cards for out of country use and CNP use, will fraud be reduced and the answer to this is yes - undeniably."

You also said : "Skimmed European EMV Cards will mostly be rejected at EMV-enabled ATM's (mis-configured hosts may still permit the auth as technical fallback)."

????. Under your scenario, your pure EMV cards cannot be skimmed. So, fallback does not apply.  But they also cannot be used in countries that do not process the chip (Asia/Pacific, Middle East, North America, South America)
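
An added illustration, not part of any comment in this thread and not any bank's or card scheme's actual rules: a sketch of how an issuer host could combine the cardholder-controlled out-of-country and CNP switches with the fallback check discussed above. The `Card` and `AuthRequest` records and the decision strings are hypothetical; the entry-mode values are the commonly used ISO 8583 field 22 codes, and the decision to decline all stripe reads of chip cards at chip-capable terminals is an assumption of this sketch.

```python
from dataclasses import dataclass

# Commonly used ISO 8583 POS entry mode values (first two digits of field 22).
MANUAL, CHIP, FALLBACK, MAGSTRIPE = "01", "05", "80", "90"

@dataclass
class Card:                        # hypothetical issuer-side card record
    home_region: str
    abroad_enabled: bool = False   # cardholder switch: out-of-country use
    cnp_enabled: bool = False      # cardholder switch: card-not-present use

@dataclass
class AuthRequest:                 # hypothetical, simplified authorisation request
    entry_mode: str
    terminal_region: str
    terminal_reads_chip: bool = False
    service_code: str = ""         # from track 2; empty if no stripe was read
    card_present: bool = True

def stripe_says_chip(service_code: str) -> bool:
    """Track-2 service codes starting with 2 or 6 mark a card that carries a chip."""
    return service_code[:1] in ("2", "6")

def decide(card: Card, req: AuthRequest) -> str:
    """Return DECLINE with a reason, or CONTINUE to the issuer's remaining checks."""
    if not req.card_present:
        return "CONTINUE" if card.cnp_enabled else "DECLINE: CNP use switched off"
    if req.terminal_region != card.home_region and not card.abroad_enabled:
        return "DECLINE: out-of-country use switched off"
    stripe_read = req.entry_mode in (MAGSTRIPE, FALLBACK)
    if stripe_read and req.terminal_reads_chip and stripe_says_chip(req.service_code):
        # Chip card read by stripe at a chip-capable terminal: either a cloned
        # stripe or technical fallback. This policy declines both (assumption).
        return "DECLINE: stripe read of chip card at chip-capable terminal"
    return "CONTINUE"

def demo() -> dict:
    """Constructed scenarios for one EU-issued chip card (service code 201)."""
    locked = Card(home_region="EU")
    travelling = Card(home_region="EU", abroad_enabled=True)
    return {
        "chip read at home": decide(locked, AuthRequest(CHIP, "EU", True)),
        "cloned stripe, EU chip ATM": decide(
            locked, AuthRequest(MAGSTRIPE, "EU", True, "201")),
        "cloned stripe, stripe-only ATM abroad": decide(
            locked, AuthRequest(MAGSTRIPE, "US", False, "201")),
        "cardholder abroad after switching on": decide(
            travelling, AuthRequest(MAGSTRIPE, "US", False, "201")),
        "stolen details used online": decide(
            locked, AuthRequest(MANUAL, "US", card_present=False)),
    }

if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {outcome}")
```

While the out-of-country switch is on, a stripe read at a stripe-only ATM abroad passes these checks whether the card is genuine or cloned, which is the residual exposure the thread is arguing about.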

Robert Siciliano - Safr.me - Boston 02 December, 2009, 14:22

Can I buy ATMs in Europe and have the same fun? Is there the same raw data? https://www.finextra.com/blogs/fullblog.aspx?blogid=3551

Stephen Wilson - Lockstep Consulting - Sydney 02 December, 2009, 16:40

So there are two ways to go. We could go forward, and have chip payment cards and terminals rolled out universally, eventually taking out the mag stripe. 

Or we could go backwards.  We could remain so paralysed by customer convenience over security that we keep layering more and more complexity and stop-gap fixes on the good old magnetic stripe card.  Don't worry about all the complexity, so long as we still got the stripe!

Chips are taking over all types of cards; why resist the tidal flow?  It's ironic to me that the US gets a bad rap for its reluctance to go to EMV cards, yet the US market happens to enjoy the best smartcard-enabled laptops (like the Dell e-series, with contact and contactless card readers built-in) thanks to the growth in FIPS 201 PIV cards and a rich array of associated apps.

Lachlan Gunn - BenAlpin Ltd - Perth 11 September, 2010, 17:52

The results of the EAST research poll carried out in January and February 2010 showed that 60% of the respondents were in favour of action being taken to address this risk as follows:

28% indicated that they would be happy to contact their bank to have the stripe on their card activated before travelling outside Europe;
12% indicated that they would be happy to carry a Chip only card, and to apply for a separate stripe card should they need to travel outside Europe;
20% agreed with both approaches.

The remaining 40% didn't agree with either approach.

This followed on from the EAST Poll conducted at the end of 2009 which indicated that 60% of respondents felt that European EMV cards should not hold sensitive cardholder data as standard in a magnetic stripe, although feedback was received highlighting practical issues with removing the stripe.
