Dynamic Data and Fraud PreventionU.S. Move to New Payments Technologies on the Horizon
Also known as chip and PIN, EMV card technology is considered to be superior to the dated magnetic stripe. Over the years, hackers have figured out how to bypass mag-stripe security with skimming devices, which copy card details encoded in magnetic technology.
Randy Vanderhoof, executive director of the Smart Card Alliance, which supports a U.S. move to EMV, says fraud-prevention incentives offered by Durbin have created incentive for card issuers to move beyond the mag-stripe and into the advanced technology realm of EMV.
"By introducing dynamic data into the transaction stream ... it devalues the data that the criminals are going after, and it makes it much more difficult for [them] to create fraudulent copies or skim the data from the U.S. card issuers," Vanderhoof says in an interview with BankInfoSecurity.com's Tracy Kitten [transcript below].
Fraud continues to rise, and when the percentage of fraud against the revenue that card transactions generate dramatically changes, business managers are going to take a harder look at the ways in which they can curb and reduce the losses, Vanderhoof says.
The outcome: Card issuers could move payments toward near-field communications, either on mobile devices or chip cards.
During this interview, Vanderhoof discusses:
- The security of contactless payments and the role mobile could play in payment fraud reduction;
- How global payment card acceptance is putting pressure on the U.S.;
- Examples of contactless success in the transit market card issuers should look to for guidance.
Vanderhoof is the executive director of the Smart Card Alliance, a not-for-profit, multi-industry association of more than180 member firms working to accelerate the widespread acceptance of smart card technology in North America and Latin America. He came to the alliance in January 2002 and became the executive director in August, 2002. During his tenure as the chief executive, he has directed the transformation of the organization from primarily a networking organization into a diverse, education oriented, international, multi-industry organization that gathers industry stakeholders together to help stimulate the rapid adoption of all forms of smart cards for electronic payments and digital security applications. In December 2008, Randy was named by Security Magazine to the list of the Top 25 Most Influential People in the Security Industry.
Before joining the Smart Card Alliance, he was employed with IBM Global Smart Card Solutions; an international product group supporting IBM's smart card services to its global banking, healthcare, and government industry vertical teams. Previously, he served as on the Executive Board for the Alliance as a corporate member from 1998-2001.
U.S. Roadmap to EMVTRACY KITTEN: The last time we spoke we talked about the so called roadmap the US might follow on its path toward EMV. The path we pursue might not look like what has been implemented in Europe, but it could take technology that is similar and would enhance capabilities for global payments, convergence and enhanced security. Could you give us a little background about what that roadmap in the US might look like?
RANDY VANDERHOOF: We're definitely at the end of the road when it comes to the old magnetic stripe card, and now we're looking at a whole new direction in terms of where do we go from here. That roadmap has a lot of different options to it, EMV chip cards, contactless payment and NFC mobile payments. There are many different options for the U.S. payments industry and different technology decisions that need to be made along the way. We're just starting now to look at how the U.S. market differs from Europe, Asia and other places that have implemented EMV. We don't necessarily have to follow exactly the same script that those other countries have. But we can actually use the options that are available to us, based on the current state of the technology and the understanding of how the industry might adopt this technology in the U.S. to really take a fresh look at it. I think a lot of smart people are starting to have those discussions today.
KITTEN: You raise a good point. When we talk about mobile payments, chip cards and NFC, what is the common ground in all three?
VANDERHOOF: All of them introduce something that is severely lacking in the U.S. market, which is dynamic data. I can't emphasize enough that the old magnetic stripe is based on a very vulnerable static data format that the hackers are going after to harvest that information, create clone copies of these cards and to force issuers who might suspect that they've had a data breach to reissue tens of millions of cards a year. By introducing dynamic data into the transaction stream, which is something that mobile card, mobile payments, chip cards and contactless cards bring to the marketplace, it devalues the data that the criminals are going after and it makes it much more difficult for the criminals to create fraudulent copies or skim the data from the U.S. card issuers. That important element alone is going to dramatically reduce the amount of fraud and change the direction of fraud mitigation from simply trying to protect the existing card to actually focusing on where the card is being used and where the criminals that are attempting to use those cards can be further attracted and stopped.
KITTEN: And how does NFC support mobile payments? What does the current contactless infrastructure look like and how would it be compatible for payments technology that's already in place in other parts of the world, such as Europe?
VANDERHOOF: For those people that have been following the industry, they know that we're now seven years into a migration of contactless payment technology led by the brand solutions like MasterCard, Visa's payWave, American Express' ExpressPay and Discover and their products. Hundreds of different financial institutions have issued contactless cards for use and somewhere between 75 million and 85 million cards have been issued now. So as NFC comes along, it's going to be able to leverage the infrastructure that has been established for contactless cards and just offer one additional option for consumers, which is to use their mobile phone as a means for delivering that payment transaction at the point of sale. What NFC brings to the table, besides simply another way to pay, is that the mobile phone is an intelligent computing device that can be connected to the Internet and can be conserved as a device that can receive data as well as transmit data. It's a very powerful tool to be able to not only deliver payments but also to accept coupons, promotions and marking messages from retailers that will actually shape the way consumers shop in stores in the future.
KITTEN: We've talked about contactless payments in the past, and it seems like interest in contactless payments has kind of slacked a bit in the U.S. Do you think that the move to mobile or mobile payments might reignite some of the interest and acceptance of contactless payments?
VANDERHOOF: I do, and part of the evidence for that was how successful contactless payment stickers were and have been since they've come out. Everywhere I go, I see people have heard or have used their contactless payment stickers on their phones at convenience stores, shopping centers, gas stations, all over the place; and they really like the concept of being able to use their mobile phone. We think that NFC is going to further ignite consumer interest in contactless payments because it provides some very interesting ways in which consumers can be urged to use contactless payments through their mobile phones by being able to interact with merchants, receive promotions, coupons and location-based advertising, and other ways that will really help shape the way consumers shop in the future.
Another point that the NFC phone offers that contactless cards never could deliver was that it has that user interface, it has a display and it has a keyboard in the mobile phone so it actually provides a lot more interactive capabilities than a standard contactless card would offer.
Durbin Amendment, Interchange & EMVKITTEN: Now from a more timely perspective, I would like to ask a quick question about interchange and the impact that some of the things we're seeing right now with the Durbin Amendment could have on contactless payments, EMV and mobile. When we think about the Fed Reserve's decision on interchange, how do we think that could impact or motivate merchants and financial institutions to make a move to EMV, or some type of NFC payment platform?
VANDERHOOF: Well all eyes are on the Federal Reserve and what decision they are going to come out with today, and I think a lot of people are starting to look at what might be the possible outcomes of a decision to dramatically reduce interchange. From my perspective, I think the cost of fraud is going to become extremely difficult to be absorbed if the revenue that financial institutions would count on from their interchange channel gets dramatically reduced. For years we've heard the banks promote the fact that interchange rate is low and that there's really not a business case to invest in EMV technology. But when the percentage of fraud against the revenue that those card transactions generate dramatically changes, then my suspicion is that the business managers are going to take a harder look at fraud and look for ways in which they can actually significantly change the curve on that and reduce it in the future. That's going to be a one-time investment in chip technology or NFC contactless that will then provide them with a whole other level of fraud reduction that they can achieve down the road.
KITTEN: I want to go back to talk about security and contactless specifically. There have been concerns in the past about contactless technology, radio frequency identification, which is better known as simply RFID, and security concerns surrounding that. It has been suggested though that the reality is contactless payments are more secure than mag-stripe payments.
VANDERHOOF: There has been a lot of media coverage about these alleged breaches of data from contactless cards, and we fought hard to try to set the record straight by providing expertise on the layers of security that go into the payment system, that go beyond just the simple ability to read the account data from the contactless payment device. We think we've put that discussion to bed. There have been no reported breaches of people's credit card data as a result of the skimming of contactless cards. We know that there are layers of security that go into the system to prevent that kind of vulnerability and we don't think it's an issue.
The mobile devices have many additional opportunities for securing that data because the mobile phones themselves have PIN protection. The payment applications that are going to reside in those mobile phones will also likely have PIN security. Considering where we're coming from in terms of the old magnetic stripe card, which was basically vulnerable to any type of attack, contactless payment cards offered a significant additional layer of security and now NFC phones are going to add more security on top of that. It's all part of a process of closing down some of the old ways in which data can be stolen from the payments industry to create fraudulent cards and transactions, and really opening up new opportunities for how people can make payments.
Security with Mobile and Contactless PaymentsKITTEN: Could you tell us what some of those different security models are for mobile and contactless payments?
VANDERHOOF: The mobile devices that are going to support payments are built around something called the secure element, which will reside in the mobile handset and be a secure container for the card transaction data. When that transaction is made, when someone uses their phone at a point of sale, the communications between the phone handset and point-of-sale device will implement the same dynamic data string that contactless cards generate today. And if and when the U.S. market starts to process payments using EMV, the additional security capabilities of EMV will also be a part of that mobile payment transaction. Now we're seeing how the level of security with new technology is going to dramatically increase as we move off of this old roadmap of magnetic stripe and into the technology of the future.
KITTEN: As you've pointed out earlier, we actually have some examples to look to in the industry to support the fact that these types of transactions can be more secure. Could you give us a little background on what is going on with transit, or open payments?
VANDERHOOF: Transit is a very interesting market to follow because the transit industry represents a very attractive set of consumers for people who are involved in advancing contactless and mobile payments. For those people who use transit in major cities around the country, they usually go to a kiosk machine and put their cash or their credit/debit card into a machine and transfer that into fair payment media and put money on a card or paper ticket to be used to access the trains, buses and subways. What the transit industry is looking to do is migrate their acceptance systems to not only accept the fair media that they have traditionally offered, but also to accept contactless cards and mobile phones that are issued through the open banking system.
What is attractive about the transit industry for banks is that it's a group of consumers that use their payment device multiple times a day. Therefore its people who once they've used it a few times, it will become a part of their daily activity. It will also increase use because people who avoid riding on buses, trains and subways often do so because they don't want the hassle of having to go and purchase tickets and put money onto a card that they might never fully use; or they're unsure about the safety, the payments that are accepted in those system or maybe simply don't have the cash that they would need to normally get in and operate on those riders. But being able to pull out your payment card and tap it on an acceptance device in any city in the country provides a level of comfort with people that will help mass transit ridership increase. It's really good for the banks, it's good for the transit operators and it's good for consumers.
EMV InitiativesKITTEN: What about some of the initiatives that are taking place in the industry? Wells Fargo and Chase for instance have been issuing cards to some of their card holders who travel overseas, and they're issuing separate EMV cards for them. Can you tell us how those programs have been launched and what the thinking behind them was?
VANDERHOOF: Certainly. The end of the road for mag-stripe is being played out not only in the US but outside the U.S. as well. As more countries become committed to chip technology and the use of smart cards for payment, there's less acceptance for the old magnetic stripe cards. What people from the U.S. were finding as they were traveling to cities in Europe, Asia and elsewhere was that they would have their U.S.-issued magnetic stripe cards not being accepted in all places. This has created a significant burden on U.S. customers. So what the leading banks have started to recognize is rather than lose those transactions by people moving away from their cards and going back to cash, they could capitalize on those international travel customers by offering them a payment card that will work in the U.S. as a traditional magnetic stripe card but also contain an EMV chip in the card that they could then use when they are traveling outside of the U.S. in those accepted locations that only accept chip, or that favor chip over magnetic stripe. It's a way to serve their customer base without having to make a significant change in their entire cardholder infrastructure. And they begin with issuing EMV to their international travelers.
KITTEN: Before we close, what final thoughts would you like to leave our audience with? Do you expect the U.S. to make a move to EMV sometime soon?
VANDERHOOF: The U.S. market has started to seriously look at EMV and all of its forms, and start to plot a new roadmap for payments in the U.S. market. There is a lot of attention being placed on Canada, which as you may know has almost fully implemented EMV. And because of the close ties between the regions there's a lot of information and experience that can be passed back and forth both from the financial institution side and processing side, as well as from the merchant side. There are some great lessons learned there. There are also some lessons where they don't want to repeat, and this is what's positioning the U.S. market to actually have a very efficient approach to EMV because they can take what has happened in countries that have not done well and address the changes that will work best for the U.S. market. Also, piggy back on the new technology innovations that are happening with mobile phones and come up with a real strategy for the market as it exists, not only today but five years from now when the full implementation of EMV is likely to take place.