A Finextra member 09 March, 2015, 16:13 2 likes

American issuers have been authorising 100% of all US Issued card fraud for years, Billions of dollars funding many other criminal activities.

When I hear someone say that out of the whole EMV  work out that "Its the PIN management system that takes the effort" I dispair......  Before this it was the Cost of the Chip, or the cost of the Merchant hardware upgrade..... whilst Fraud losses continue to rise....   Chip and PIN enables cardholder activated terminals, it is a standard outside the USA  and its based on the old security mantra - "Something you have (the card) and something you know (the PIN)" .....  As Chip and PIN is common internationally is this not just another trip hazard for US consumers to worry about when they travel without a PIN. America -please listen.... CHIP and PIN - you know it makes sense!

Paul Love - Konsentus - Nottingham 09 March, 2015, 17:37 1 like

Will the US become the King Canute of payments?

Surely this game is over, EMV Chip & PIN is the de-facto standard for the rest of the world, and there are plenty of experts available to help out with any implementation issues.

Bill Trueman - Riskskill.com - London 09 March, 2015, 21:41 1 like

Indeed - I agree totally with the previous TWO comments. CHIP and PIN is the de-facto worlds standard for everywhere except the USA - there are no problems with it, it has been implemented for 20+ years and the following has happened:

1. ALL the fraud is now migrated or migrating to the USA. 

2. It is harder for USA citizens to travel cross-boarder (even to Mexico and Canada) - and they are left frustrated in Munich, Paris, London or ..... well wherever!

3. The equipment is the cheapest it has ever been for anyone else.

4. Fraud globally has migrated

5. The cost of card processing remains high in the USA with a requirement for merchants to retain signatures and recover them when needed

The excuses are endless on why this has not happened in the USA. And more and more creative, with less and less substance. This latest one about PIN Management Systems is just plain silly.

The one about no business case is equally laughable - as there has been a business case everywhere else. No-one has actually ever produced one though - because the US industry has no central body to effect such discussions through.

Equally blaming Durbin or other laws is just ignorance.

- AND the worst of all ...... "because the USA has a better telecoms/payments/banking system" is naiive - as each of these is now increasingly behind the ROW. 

YES - it is "GAME OVER" - sorry Visa and Stephanie Eriksen, you will have to find another way around the routing issues and competition in these areas and save the USA issuers and acquirers and Merchants $100millions in the meantime in fraud and processing costs. 

Richard Crookston - R Crookston - Lampeter 10 March, 2015, 10:11 0 likes

It is funny how this now well established technology has been seen as problematic by the payments industry establishment in the USA for so long.  Now the bigger players have seen the light (e.g. MasterCard and Visa) you would have thought there would be a willingness to adopt the technology at all levels. 

The original point of the chip-and-signature option was to enable specific cardholders to use chip technology without the need to remember or key in a PIN where they had a problem.   It was aimed at providing a service to individuals, not as a general cop-out solution for issuers.

But is there no carrot and stick to help its adoption along?  In many places (UK included) the wake up call to the retail community came with differential pricing. 

The carrot was the acquirer and interchanges charging a very high per transaction charge to the retailer for mag stripe, much the same for chip-and-signature (making the issuers ask why bother?) and considerably less for chip and PIN.  So does this not apply in the USA too?  If so, then why would the retailers not then demand chip and PIN from every issuer? 

And where is the use of big stick to push things along? 

Anecdote time.  I recall being told by one senior manager from an American issuer at a technology show, many years ago when the UK was first embarking on EMV implementation, that he did not like chip technology because it was seen as unnecessary and 'foreign'. I wonder if that attitude still exists in some quarters? 

No, probably not...........

Richard Sanders - Hermosa Consulting - Southend on Sea 10 March, 2015, 10:16 0 likes

I can only agree with my esteemed colleagues above. Chip and signature will never be the solution.

Presumably this alos means the US wishes to retain magnetic stripe as a fallback particularly for the the US traveller community so it will be ages before we can finally remove it from cards. Bliss for the fraudster.

A Finextra member 10 March, 2015, 11:28 1 like

Korea is removing the Mag stripe option from ATM's we are told -- before long mag stripe should be removed from ALL cards and finally the skimming nemesis will be behind us.....  I ask you .... who  days uses Magnetic Tape recording these days..... Maybe a few analogue music studios? Reel to Reel tape recorders i think not?    how about cassette tapes?   nope! not many takers there- how about the Credit card Industry where we add a cheap low security back door into  our card security systems...   I posted the first comment above - and great to see the follow up from peers ... If only America would read and digest.... Guys - we need you to help put Mag Stripe fall back in the same place as Smallpox.... Lets wipe it out completely!!! and i mean WIPE!!!

A Finextra member 10 March, 2015, 15:26 0 likes

There's even confusion in the US as to what 'Chip and PIN' means – is it EMV Offline PIN or is it just different to Chip and Signature? Whatever it means, doubters and naysayers, the usual suspects, are trying to drag it down – see my blog post here: https://www.finextra.com/blogs/fullblog.aspx?blogid=10653

A Finextra member 10 March, 2015, 16:57 0 likes

Online PIN - Offline PIN -  I believe they can use either or both.... maybe they think that just because its an offline PIN there is no authorisation?

A Finextra member 10 March, 2015, 17:45 0 likes

It just keeps going on, and on, and on.... Now the compromised USA issued (NON EMV) cards are finding their way into the Apple pay system...   if you Google search 'Apple pay hit by low tech card fraud'   you will see that CNP wrapped in HCE doesnt do the job of eliminating fraud... it just creates a new channel for the fraudsters......   Whats ironic is that Apple stores are being targeted..... I thought that Apples leadership were being smart by staying out of the payments business (other than ITunes store) 

The Upside for Apple is tiny (almost a rounding error relative to their overall numbers) if Apple Pay is moderately successful....   if Applepa Fails  or suffers significant fraud (we will only learn about the Tip of the Iceberg)  then Apple risks a huge loss of face and credibility... And for what....  creating a stop-gap solution that will be overtaken by Chip and PIN and contactless EMV cards that work well in the ROW.   

I think Apple may live to regret their foray into POS payments.  Time will tell, but a Fraudulently acquired MAC PC  is going to need a large number of Healthfood sales at 15bps to make Apple whole again.....

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 11 March, 2015, 14:56 0 likes

I'm neither an expert "available to help out with any implementation issues" nor could I care less which way USA went but, in the interest of restoring some balance: 

1. I see nothing wrong in Stephanie Ericksen's statement, "we can rely on online processing where transactions are transmitted in real-time to the issuer for approval. With that in place, there's no need for the offline authentication that was the genesis of chip-and-PIN."
2. ROW adopted 2FA for for sensitive NetBanking transactions and all online card transactions several years ago. USA still has not. However, I haven’t seen any clear evidence that fraud as a % of transaction value is any higher in USA than ROW.
3. Any discussion of reduced fraud as a result of implementing Chip + PIN has to be viewed against loss of sale - or shift to cash - driven by PIN, both in terms of UX friction and change in POS equipment. Many places where I used to pay by credit card earlier, I'm now forced to pay by cash because of PIN-related problems.
4. And it's not as though there's no card fraud in Chip + PIN regimes in ROW where a bulk of fraud has moved to online / CNP transactions where Chip + PIN doesn't help. 

One size doesn't fit all, especially when we're trying to force fit the ROW style to the country that invented the credit card and is home to the leading credit card networks in the world including Visa. I trust them to know and do what's best for their country, keeping in mind their local consumer behavior and business culture.

Bill Trueman - Riskskill.com - London 11 March, 2015, 16:58 0 likes

Very Interesting KS. I am so glad that you have put another view; and it was importantt that you declared your lack of expertise with this.

- First credit cards were in the USA - but, I woudl add that it was the USA companies who also invented CHIP and PIN / EMV and imposed it upon the ROW

- You have not seen any clear evidence about fraud % being higher in the USA. You need to look harder - it is rather more extreme than you may think. You will not have seen any evidence to the contrary either.

- I suggest that you read all the details above on Stephanie's statement. It may be true in the USA - to a degree!!!! - but the whole world is not on-line.

- A key issue as others have highlighted about is the adoption of a key global strategy to get rid of the magnetic stripes on the cards, which can only be done when all no longer need them. This will remove all sorts of serious problems and costs. And risks, and fraud.

- You really need to look at some figures, losses, migration numbers etc. and see how CHIP/PIN has eradicated many problems.

- All the latest card compromises will also be rendered useless in a CHIP & PIN environment.

From the above, you will gather that there are big issues in every one of your statements above, that most people have already answered or have the data that you clearly do not have - to be able to understand these issues better.

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 12 March, 2015, 08:43 0 likes

@BillT:

1. It’s naïve to claim that somebody imposed something on someone but, playing along for the moment, the imposee must take responsibility for its decisions. For example, RBI, the Indian central bank cum banking regulator has gone on record saying, "security first, convenience next" when it comes to card transactions, so it's no surprise that India is a fertile market for all kinds of security measures including both Chip+PIN and Chip+Signature! From my personal experience in Europe, security overshadows convenience, so, again it's not surprising that it'll be a receptive market for security measures. Whereas, in the USA, convenience reigns over security, so it hasn’t implemented 2FA and other security measures implemented by the ROW several years ago and the sky hasn’t fallen as a result. “Different strokes for different folks” is how I see it. Much as I'd like to think that what's good for India is good for the world or dream that an European strategy is a global strategy, reality dictates otherwise. I’m no global strategist but, from personal experience, the more an ROW strategy is thrust on USA, the more USA will scuttle it.
2. This article, Stephanie Ericksen's statement and my comments - all pertain to USA only. Who's talking about the whole world?
3. The onus is on change advocates advocating a shift to Chip+PIN to produce the numbers, with the two key metrics being (A) Fraud loss as % of Sales (B) Revenue loss due to friction introduced by PIN. From personal experience and anecdotal evidence, PIN hasn’t reduced (A) whereas it has increased (B), so PIN is a bad idea. But I agree I must look at hard data. Since you claim that most people have the data, you should be able to provide it easily. For all the posturing about data, I couldn’t find any of it in this article or in the above comments and, for years, I’ve been soliciting for it right here on Finextra (in my blog posts or comments e.g. here, here) without receiving any concrete response. 

A Finextra member 12 March, 2015, 09:23 0 likes

Magnetic stripe skimming,  and all the fraud that derives from it comprises,  the single biggest factor, driving the single biggest risk to our industry. The big risk is not the loss of cash,  its the loss of consumer confidence in our payments processing infrastructure, in my view.

In its day Mag Stripe & Signature at POS and Mag Stripe & PIN at ATM was the universal standard. These services, with local floor limits to cater for the Online/offline vagaries of differing countries worked. This system Delivered appropriate levels of security at the right locations and the right price.   Everyone understood it, it worked - up to a point.

That was then - this is now.  It would seem to me that we are now ready for a new universal delivery mechanism - Chip and PIN at POS,  Chip and PIN at ATM and NFC for low value, with or without PIN, based on Chip based or Local limits for online/offline use....   

If we dont keep it simple, consumers wont get it, if we dont eradicate mag stripe soon then the fraudsters will simply continue to exploit an anachronisic loophole...and consumer confidence will erode further.    Korea is leading the way against mag stripe. It is Securing its ATM network against skimming fraud by removing Mag stripe options from the ATM Network (And the ability for real Mag stripe only cardholders or  Mag stripe using fraudsters, to access the ATM Network)  presumably the genuine customers will be able to go into branches with their Passports to get cash?  Fraudsters will just go to countries that still allow Mag stripe use at ATM's...    

The Move to Chip and Pin - the removal of the mag stripe - and the eventual adoption of biometric measures seems the way to go.  

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 12 March, 2015, 11:09 0 likes

Biometric has seemed the way to go for over a decade. It almost became a reality in India recently: With the GoI’s Aadhaar biometric National ID program enrolling fingerprints of over 500M Indians, the government / RBI tried to push banks to enable POS and ATMs for biometric authentication. In addition to Chip, PIN and Signature, that is, thereby resonating with my earlier comment about India is a low hanging fruit for all kinds of security technololgies. Banks pushed back, citing the manifold increase in bandwidth and processing power required to handle fingerprints. That’s the last we heard of the plan. Alas, biometric will continue to be the way to go for another decade unless there's some new disruptive technology that solves the technical problems of rolling out biometric authentication at scale for a mission-critical use case.

I don't have any numbers but am willing to bet that a majority of American consumers don't even know what "payments processing infrastructure" entails, let alone lose confidence in it in the event of data breach / fraud. And, why should they bother? In USA, when I spot a fraudulent charge on my credit card statement - and there are apps for that - and report it to my bank, it gets reversed immediately, no questions asked. When I’ve tried doing the same in ROW, it’s a nightmare. That’s why US consumers are not - and don’t need to be - so obsessed about fraud containment as the ones in ROW.

From the merchant pov, fraud is bad but losing revenues when the PIN-introduced friction causes a transaction failure is many times worse.

A Finextra member 12 March, 2015, 16:54 0 likes

The fact that America has had to build Apps to report fraud demonstrates that they must have a significant fraud problem...

Its lucky for american consumers that their President recognises the problem exists.. he will look after their interests by insisting on EMV for government departments. 

Biometrics are proven - Apple pay fingerprints work - problem is the number os users is a very small subset of the cardholder market.

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 13 March, 2015, 12:31 0 likes

Yeah right, @FinextraM. Just like the proliferation of mobile wallets indicates that there's a huge problem with paying by plastic. Right? In any case, the thrust of BillGuard, the app I was referring to, is to highlight fraudulent charges by merchants rather than other consumers, so Chip+PIN won't prevent this type of fraud anyway.

Talking about the government’s span of control in USA, FFIEC mandated 2FA for online and NetBanking transactions in 2005. Ten years later, it still hasn't happened. The CEO of a leading bank said recently that he's unlikely to see Faster Payments in his lifetime. I could go on and on but I hope you get my drift. 

Apple Pay seemed to be the type of disruptive technology required to make biometrics go mainstream - until I read the recent buzz about how it fails to prevent fraud at the provisioning stage. http://blogs.gartner.com/avivah-litan/2015/03/02/applepay-fraud-points-to-looming-problems-with-mobile-payments/