EMV: What Is It Solving, Exactly?
My latest wanderings into the world of payment technologies started when I read that analysts at NCR had found a crucial security hole in chip-enabled cards. In attempting to understand what they’d found, I descended down, down into the rabbit hole of payment technologies.
I’m not going to pretend to understand all the technical details. Frankly, as a CIO, I would hire people to take care of these things for me, as long as they could give me an English description of the risks and benefits of any approach. I have talked to four different people, and I still don’t completely understand what’s going on under the covers, but I’ve learned enough to say that as an industry, we’ve spent a lot of money for somewhat questionable results.
Much to my surprise, implementing EMV is a bit like buying the “builder’s special” version of a house. You get the ability to validate that a card containing a chip is legitimate and not a counterfeit. Then things proceed the same way they always have. Data, including credit card number and expiration date, are sent unencrypted over the network to the card processor, and from there to the appropriate credit card company (like Visa, Mastercard and American Express), and ultimately to the issuing bank.
If you want to scramble the data, you have to go beyond the builder’s special. There’s an extra charge for Peer-to-Peer Encryption (P2PE). According to Tom Litchford, Vice President of Retail Technology for the NRF, 80% of retailers have opted for this expensive add-on. Partner Brian Kilcourse points out that the encryption is not fool-proof either (anything encrypted can be decrypted), but it’s better than sending naked data across the lines. So add more money into the mix.
In fact, Greg Buzek over at IHL Group points out that to date retailers will spend a minimum of $35 billion on EMV to solve an $8.6 billion fraud problem. That’s a -77% ROI, assuming full compliance and no erroneous chargebacks…but the chargebacks seem to be coming anyway. More about that in a minute.
Okay, so with that as backdrop, here’s why NCR’s find is so important (note: I did reach out to both the researchers and Corporate Communications at NCR and have received no response to date). There’s a bit somewhere in the magnetic stripe that “tells” the swipe machine if the card contains a chip or not. This bit is important, since only about 40-60% of extant cards are chip-enabled. If you swipe a card that has a chip, you are told to “dip,” not swipe. If you swipe a card without a chip, you’re good to go. (And that’s assuming that the retailer has been certified to actually use EMV, which is yet another story for yet another day.)
Problem is, if the bad guys flip that bit, they can make counterfeit cards to their hearts’ content and use them successfully. Theoretically, the issuing bank knows which cards have chips as well, so they could decline the transaction, but as a practical matter, this does not happen in real or even near-real time.
The banks can argue the point, but as Mr. Litchford reports from a recent card processor presentation, 60 percent of the credit card numbers available on the “dark web” are chip-enabled, and they command a premium price, precisely because the bit can be flipped and no further changes are expected to the card(s).
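The issuer-side check mentioned above (the bank knows which cards carry chips and could decline) can be sketched as follows. This is an added example, not from the original article: it assumes the indicator is the first digit of the Track 2 service code (ISO/IEC 7813, where 2 or 6 marks a chip card), and the issuance-record layout, decision strings and sample records are hypothetical and constructed.

```python
import re

# Track 2 layout (ISO/IEC 7813): ;PAN=YYMM + 3-digit service code + discretionary data?
TRACK2 = re.compile(r"^;(\d{12,19})=(\d{4})(\d{3})(\d*)\?")
CHIP_FIRST_DIGITS = {"2", "6"}  # first service-code digit meaning "card has a chip"

def parse_track2(raw):
    """Split a raw Track 2 string into the fields the checks below need."""
    m = TRACK2.match(raw)
    if not m:
        raise ValueError("not a Track 2 record")
    pan, expiry, service_code, _discretionary = m.groups()
    return {"pan": pan, "expiry": expiry, "service_code": service_code,
            "stripe_says_chip": service_code[0] in CHIP_FIRST_DIGITS}

def terminal_prompt(track):
    """The swipe machine trusts the stripe: chip indicator set means 'dip'."""
    return "dip" if track["stripe_says_chip"] else "accept_swipe"

def issuer_decision(track, issued_cards):
    """Issuer compares what the stripe claims with its own issuance record."""
    record = issued_cards.get(track["pan"])
    if record is None:
        return "decline:unknown_card"
    if record["has_chip"] and not track["stripe_says_chip"]:
        return "decline:chip_indicator_mismatch"   # the case the article describes
    if record["service_code"] != track["service_code"]:
        return "decline:service_code_mismatch"     # any other stripe alteration
    return "approve"

# Constructed issuance records (hypothetical layout) keyed by test PANs.
ISSUED = {
    "4111111111111111": {"has_chip": True, "service_code": "201"},
    "4000000000000002": {"has_chip": False, "service_code": "101"},
}
# Constructed swipe records as they would reach the issuer.
SWIPE_AS_ISSUED = ";4111111111111111=25122011234567?"      # indicator intact
SWIPE_CLAIMS_NO_CHIP = ";4111111111111111=25121011234567?"  # indicator cleared
SWIPE_STRIPE_ONLY = ";4000000000000002=25121017654321?"     # card issued without chip

if __name__ == "__main__":
    for raw in (SWIPE_AS_ISSUED, SWIPE_CLAIMS_NO_CHIP, SWIPE_STRIPE_ONLY):
        t = parse_track2(raw)
        print(t["service_code"], terminal_prompt(t), issuer_decision(t, ISSUED))
```

The terminal alone cannot tell the second record from a genuine stripe-only card; only the comparison against the issuance record, done at authorization time, separates them.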
Here’s a plain English explanation of the problem: This whole thing is nuts. As partner Brian Kilcourse said last year, “At the very least, the payment networks are more focused on shifting risk than in enabling it.” What good is that?
And that brings me back around to the chargeback issue. Retailers began to notice over the holiday season that the banks were charging them back for all kinds of things, whether related to EMV or not. Most just paid the ticket and moved on, but in a tough retail environment, these same retailers are getting cranky. I’m not going to attribute a nefarious reason behind the excess chargebacks. I’m just going to say that banks haven’t updated their systems to levels where they can distinguish between types of chargebacks, and so they just pull everything they see and charge it to the retailers. I’d rather call them lazy than evil.
Lawsuits have started. Money is still being spent. And data breaches still happen. As Greg Buzek says, “It’s like a y2k problem that never ends.”
Let’s get realistic here. The payment industry and EMV advocates laugh at how old mag stripe technology is. According to Wikipedia, it seems to have been commercially adopted in 1971. Wow, that’s old. But boys and girls, guess how long EMV has been around? Again according to Wikipedia, it was initially written in 1993 and 1994. How would you like a computer that was put together in 1993 and 1994? It might seem slow, unwieldy and out of date. And to bastardize that standard further by saying “We don’t need a PIN, let’s stay with signature” renders it even less interesting.
The question I keep asking myself is this: in an ecosystem where every single party needs each other, why can’t they work together to make things better? This is one time when I have to give some props to Walmart…they basically gave up and tried to disintermediate the credit card processors entirely with MCX. That didn’t work out, because the consumer gets nothing out of it.
Those consumers don’t need more reasons to distrust their banks. And they don’t need more reasons to spend less money. So what the heck? When is everyone going to lay down their axes and work towards developing a scheme that works for everyone?
The tokenization schemes used for Apple Pay and other forms of mobile payments work, and work well. Why aren’t we moving in that direction? Or something? Anything?
I just don’t get it. As I said before, as it sits today, this whole thing is nuts.