The path for the USA to EMV

http://www.finextra.com/community/fullblog.aspx?blogid=5875

EMV: Let the planning begin

 

There’s no way around it – EMV transition planning will be complicated. However, while EMV is a complex specification, the good news is that it can grow over time. Thus the key is to implement an infrastructure that lets you start with a simple, single portfolio that can expand and mature with you. Looking forward, the goal is to do it once, do it properly and avoid the pain of re-doing it when it’s time to move into mobile payments

I agree totally with this sentiment. Mobile is here. EMV addresses the requirement to include Dynamic data in a payment transaction to address questions of identity and irritability.

Update 02/22/2012

Having had a chance to sit inside EMVCo working group meeting and being fully aware of those words read every time that reminded us of our confidentiality and sharing of patent and secrets that might jeopardize the future of EMV.

What I saw was the successful release of the EMV contactless specifications and type approval processes capable of testing tap if one remembers the distance has to be 2 cm instead of 10.  Otherwise the protocol and security will last us until 2025.  Plans where underway as I left that where focusing on expanding the standardization of mobile and the development of a next generation or EMV 2.0.  They are talking about 2015 and 2017 for probably dates that these new specifications and processes would be in place to allow widespread adoption so that circa 2030.  If hey are right we have a new and transparent solution that opens and never hinders access to whatever we have the right to access.  what about the next 17 years,

Well, EMV works.  It already includes mobile and contactless.

Visa and MasterCard have said yes.  Amex is OK, discover has had lots of ads for payment people with EMV knowledge and such titles.

The Federal Reserve seems to be on-board and Global Platform, NFC and Mobey forum seem to be OK.

Looks like a plan to me.

Payment – Mobile Payments – Connectless payments and an opening to further discussion

Each day I receive a variety of articles on the subject of mobile payments and find countless opinions about the evolution, risks and capabilities of mobile payments.

As is always good form a definition is in order.  I could begin by suggesting a mobile payment is any time that while moving about I can purchase something from someone using some recognised means of payment or currency.  So at the most basic level of understanding carrying cash in our pockets was and still remains a form of mobile payments.  Yet this is not what we mean when we discuss mobile payments.  What we have done is combined two words from two worlds into a new thought.  Mobile emerging from the arena of telephony and the use of the concept of a phone that does not need to be connected with a piece of wire.  Wireless, cellular and mobile all are terms that we associate with the use of radio waves to connect a telephone to a network allowing us to make phone calls from someplace that is in proximity to a receiver or cell tower or satellite.  Now I’m sure all of my readers know these things and are wondering what is the point.

The point is that we also talk about contact-less payments that concept of waving a card in front of an antenna, thus  allowing the card to receive power through induction and then communicate with the device controlling the antenna.  Some people call it that “Tap and Go” feeling others refer to it a PayPass, Visa Wave, Express Pay card and if we travel the world we will find an assortment of other brand names such as Dexit.  In many cities transit agents discovered that by employing contact-less cards interfacing with – terminals they could create efficiencies, improve information about ridership and maybe even reduce fraud.

So now we have to discuss the application of the technology.  This brings us to the idea of closed loop and open loop systems.  Neither are new thoughts, charge cards issued by department stores are closed loop they only work at that companies stores.  Open loop refers to systems that are widely accepted because someone has gone out and branded a concept, convinced merchants it is convenient and then offered a “Card” to you and I so that we can be identified and employ this “Means of Payment”.  Classic brands that we think of as Open Loop systems include money, MasterCard, Visa, Interac, PIN, eurocheque and an assortment of national brands.

Yet all of these systems have inherent inefficiencies.  Inefficiencies that some see as benefits and others see as highway robbery.  Then there is that class of people who enjoy getting something for “nothing” they like the idea of counterfeiting money, replicating credit and debit cards, capturing our PIN and ultimately stealing our identity and more importantly our hard earned money.  I could also mention merchant discounts, late fees, interest charges, interchange but those are all for another day.

The operators of these systems understand or learn about these various methods of “Stealing” identity and money and have built systems to mitigate the risk, eliminate no minimize yes.  In Europe and throughout the world (except the USA) the members of MasterCard, Visa and the various domestic systems are working to reduce these threats by introducing Smart Cards or Chip Cards all cards employing the EMV specification that have a computer embedded within.  The benefit is that PIN can easily be introduced on credit cards, the cost of telecommunications can be reduced by allowing the computer in the card to make intelligent decisions when ever that card is used to effect a payment.

This movement to secure payment cards with the technology and specifications defined within the EMV specifications began first in France where they went out on their own developed their own specifications and proved to the world that smart cards or chip cards can and will reduce the level of card present fraud and can if employed properly also reduce the cost of telecommunications.  their success can easily be  seen in this chart that tracked their progress and success.

French Banks demonstrate the Smart Cards workFrench Success Story

Remarkable success, yet they were now faced with an issue.  First the criminals understood if they disabled the chip (computer) the merchant could still swipe the card and read the magnetic stripe.  This one easily could be solved by eventually not allowing cards that should have a chip to be swiped through the magnetic stripe reader.  But what about when these cards were used in Holland, England or anywhere that had not, and at the time no one had, adopted the same means of defense.  The net result fraud migrated from being a domestic issue to the cards being used in neighboring countries.  Obviously the French became proponents of a global migration to smart cards and convinced Visa, MasterCard and Europay to develop the EMV specifications, recognising that they would have to eventually convert.

I could continue to digress from my main theme and talk about how each country went through its decision making process.  I could then go on and talk about how far along they are in their implementations. Suffice it to say some are finished, others are diligently working towards completion and others are moving at a pace that does not cause undue expense and allowing natural replacement cycles to drive the timescale for implementation.

Here in the country where I live they also have a Chip Migration strategy.  Canada is inpilot or a trial depending on how the lawyers interpret the efforts of banks potentially colluding together.  By the summer cardholders in the Kitchener Waterloo area will be using these chip cards and the media, banks, merchants, processors and associations will be monitoring and learning how the Canadian’s feel about and their willingness to embrace the change.

The following chart outlines Interac’s schedule for deployment.  MasterCard is playing along without committing.  Whereas Visa has stated that they will push the liability for fraudulent transaction not protected by EMV to the Acquirer if their merchants are not compliant by October of 2010.Canadian Chip Migraation Interac's EMV Timeline

So how does all of this affect the introduction of Mobile Payments or Contact-less Cards.  A mobile payment is simply, today, a contact-less payment performed using a mobile phone with the contact-less interface inside as apposed to to using the card as the form factor..  Well some will say not at all, the drivers are different the business case is not the same.  Yet the core technology is a computer in the card.  So why worry, eventually all of this could come together.  Or will the USA decide to take another path all together.

So to end this particular blog I ask a simple question, based on the premise that the mobile and contact-less payments that we see emerging are all about speeding up low value <$25 dollar transactions. What happens when I want to use my contact-less mobile phone for a payment for say a $1,500 hotel bill.  Will I tap my contact-less device “mobile phone”.  Have to find a place to put it while I either enter my PIN or sign the receipt.  Today the clerk typically holds the card for me while I sign the receipt tomorrow what.  Or will they decide to merge contactless and EMV creating a more interesting problem.  I’ll need to keep that phone near the antenna while my PIN is verified and the transaction is authorized.

Or should we go on and talk about the security concerns that everyone has described in countless articles and numerous logs.  The idea that the criminal will walk down the street reading the content of your purse or wallet with their hidden antenna.

Or should we talk about who is going to pay the price of adding the contact-less antenna to the merchants point of sale equipment.

Let me hold those for another day and another flow of thought.

Interac's EMV timeline

NSTIC and EMV should merge

October 03, 2011

Cyberspace trust: Proving you’re not a dog

A very real discomfort underlies the classic joke: “On the Internet, nobody knows you’re a dog.” How can you prove your own identity and confirm the identity of others during virtual interactions? Every time you reach out to a friend on Gchat, post on a classmate’s Facebook wall, or send money to a colleague via PayPal, you are relying on a key assumption: that the person you’re reaching out to behind that Gmail address, Facebook profile, or PayPal screen name is who they say they are. Without this baseline confidence, online interactions and commerce would be paralyzed.

http://portalsandrails.frbatlanta.org/2011/10/cyberspace-trust-proving-youre-not-dog.html

Philip thinks:

  • The next step is to merge the identity sought by everyone and easily relegated to the Banks to manage.  Facebook and GMail offer an option if their KYC can be improved.  With face to face meeting it is possible to truly prove identity, requiring a branch network.
  • Transaction processing is legacy in the developed world while the emerging economies offer an opportunity to build new.  Existing standards and processes need to be respected as they transform to absorb the new information attachments and Internet offers we now need to cope with.
  • The Wallet forms the basic unit to create a trusted network employing smart cards, trusted computing, persistent computing and inteligence to enable the consumer experience.
  • Privacy and integrity of that trust is essential to the system
  • The individual is key
  • Respect rights and obligations

 

 

 

 

Are the Pundits over thinking the ISIS proposition

Mobile payments is being discussed in the context of “creating” a new “means of payment” or in other words a new “Payment Brand”.  I would suggest  the expense and time it takes to create a new “Payment Brand” is significant not to ignore expensive. 

Just look at PayPal.  How long, on the backs of eBay, did it take to reach the point where they are ready to  enter into a venture with Verifone to become a “means of payment” their buyers can use at the real world stores of their sellers.

Two models for payments exist in the market today and frankly these two models have not changed, since the beginning of any form of commerce. 

The three party model and the four party model. 

Classically banks regulated and trusted to hold our moneys in accounts are fundamental to the act of payment.  They have always been key to developing and operating the payment systems. 

Unless of course we use cash. 

In both models two parties always exist – the Buyer and the Seller, the Payer and the Payee or the consumer/cardholder and the merchant.

In the four party model we add two Banks who support one of these two parties.  There is the bank with the relationship with the consumer/buyer/payer/cardholder, often called the Issuing Bank.  On the other side of the payment there is the bank with the relationship with the merchant/seller/payee, often called the Acquiring Bank.

The three party model, simply means that the Bank of the payer and the Bank of payee are the same.  The movements of funds flows from the buyers account to the sellers, as ledger entries, within a single institution.

American Express and PayPal are perfect examples of non-Banks who operate three party payment systems. 

The central bank is another example of a three party system.  All the banks within a country are clients of the central bank and have accounts at the central bank.

Clearly the three party model is the most efficient.  But, it requires that there is a monopolist who processes payments for all buyers and sellers in order for the system to truly work.  Reality dictates that a monopoly or agreement by all parties to use a single entity for their banking and payment services must exist for such a system to dominate the market.  

Therefore, the payment systems have evolved cooperatively; based on acceptance by the consumer and merchant of a recognized means of payment.  The banks work together to establish a set of rules and procedures they employ to transact payments.  Various four party models i.e. MasterCard and Visa along with checks, electronic fund transfers, dominate the payments landscape. 

Inherent to these models is  a Brand (acceptance mark), a set of rules and a clearing mechanism.  Everything works because there are agreed rules and procedures that govern how the two banks execute payments.  To complete the cycle these two banks ultimatelyexchange real money, typically through a settlement bank or the central bank representing the total value of the payments processed.

To add complexity to the landscape, the Issuer and Acquirer often contract with processors to do the work.  These to entities are identified in the graphic as the Issuing Processor and the Acquiring Processor.

Behind the term mobile payments, some think there is a more efficient method of affecting payments.  They believe inserting a new player into the game will make the whole system more efficient and therefore cheaper.  Or more appropriately they think that their new approach will allow them to earn a portion of the Merchant Discount (fee paid by the Merchant to the Acquirer) or the Interchange (fee paid by the Acquirer to the Issuer). 

The more I think, read and discuss, the more convinced I become that creating a new payment Brand is an expensive exercise and frankly believing we can create something new and more efficient than the existing four party models is irrational. 

So what does the Mobile Phone bring to the payment landscape? 

Clearly ISIS understands.  Mr Abbott states “We plan to create a mobile wallet that ultimately eliminates the need for consumers to carry cash, credit and debit cards, reward cards, coupons, tickets and transit passes.”  Key word “WALLET” by definition “A wallet  is a small, flat case used to carry personal items such as cash, credit cards and identification documents, such as a driver’s license. “  Interesting, a mobile phone is a small, flat object that can carry a digital facsimile of cash, cards, identifications documents … . 

Next we think about NFC “Near Field Communications”, a method of transferring data between the content of the Wallet to the merchant’s Point Of Sale device “POS”.   Tap instead of swipe.  NFC replaces the  read of the magnetic stripe with the transfer of the data from the Mobile Wallet to the merchant’s POS.  To achieve this goal PayPass and the otehr contactless payment cards simply stores what is on the magnetic stripe and passes it via NFC to the POS.  Given that a mobile phone is a computer we can introduce digital certificates and do it much more securely. 

This is exactly what  EMV Europay, MasterCard and Visa defined and employ.  Debit and credit card issuer throughout the world are now employing the  trusted characteristics of a chip card to secure their credit and debit card payments using digital certificates. 

With a Mobile Wallet (remember the SIM is a chip card) a trusted component is available, inside the consumer’s wallet, capable of supporting EMV and assuring the authenticity of the content (Card) of the wallet and the identity of the owner of the wallet.

Bob Egan in a recent Forbes article The ISIS Mobile Wallet: Are Visa, MasterCard and PayPal Under Siege? writes “To me it’s quite clear the ISIS is taking matters into its own hands. I predict we will see ISIS become the issuer behind new carrier partner plastic credit/debit and prepaid cards in addition to mobile wallet capabilities for those cards become resident as applications on mobile phones.” This suggests that Isis is going to compete with Barclaycard.  If this is the case then what does the following statement in the Isis release mean “Barclaycard US, part of Barclays PLC, is expected to be the first issuer on the network, offering multiple mobile payment products to meet the needs of every customer. “ 

So what is Isis planning?  Clearly Pundits are not sure.

EMV is truly becoming the base for secure Card Authentication and Cardholder Verification

INCREASING EMV CARD AND TERMINAL DEPLOYMENTS CONFIRM EMV AS GLOBAL PAYMENT STANDARD
06 October 2010: As of 1 September 2010, over one billion EMV®* cards and 15.4 million EMV terminals were active globally. These are the latest EMV deployment figures reported by EMVCo, the EMV standards body collectively owned by American Express, JCB, MasterCard and Visa.

http://www.emvco.com/download_agreement.aspx?id=561

The Future of Money

I took offence when I looked at the picture included in the article published on Wired.

http://www.wired.com/magazine/2010/02/ff_futureofmoney_move/

The arduous path that he has carved out for a card transaction assumes a lot of unnecessary intermediaries that have included themselves within the picture.

For me the story can be simplified.

Credit card processing involved a minimum of five parties.  The Issuing bank and its technology arm, the acquirer and its network and the scheme (Visa, MasterCard … ).  Everyone else is about the realities of the ISO marketplace and the proliferation of parties offering added value services along the transaction path.

 

 

Remember a credit card transaction is simply

 

Swipe/Tap/Dip/PIN.

Add transaction amount, time, merchant etc.

Ask Acquirer for approval.

Acquirer passed to scheme

Scheme routes to Issuer

Issuer approves and sends back the authorization.

then if necessary sign receipt

That night batches of requests for payment are sent from the acquirer to the Issuer with the Scheme, reconciled and settled.

 

Then there is ACH.  Yes the technology needs a modernization the functionality must be stream lined and ubiquity must be embedded in the pricing model.

Electronic checks that are facsimiles of hand written checks cleared through the Check 21 system should not be eliminated, they are efficient and provide a great personal audit trail.  handling the paper should be pushed as close to the original transaction as possible so that personal accountability is induced.  The person I handed the check to has the check.  So if there is a problem I have to deal with him.

Otherwise all the necessary transactions are possible and with the move to STP “straight through processing” the ability to assure availability of funds can be assured.

What are most of the other schemes.  First like American Express they are three party solutions with a man in the middle holding funds on account in a pre-paid scenario or capable of submitting as your proxy transactions into the ACH and card systems.

Yes the three party system is the most efficient.  Unfortunately it has one problem, it is not open.

Visa and MasterCard, although viewed as restrictive, are open systems.  They accept; any properly sanctioned bank as a member willing to abide by the rules and maintain sufficient reserved.  For a new system to acquire this status either means they become a bank and meet those incremental regulations or they focus on building critical mass as American Express has proven can be done.

So as this next article concludes, what is can improve and probably is better than something new.

http://www.wired.com/magazine/2010/02/ff_futureofmoney/all/1

The Future of Money: It’s Flexible, Frictionless and (Almost) Free

This is what I have done as the following snapshot indicates:

www.andreae.com/presentations

Critical mass versus ubiquity the future of payments

In a paper recently published by the Federal Reserve they begin to consider what actions the FRB should take to drive the further adoption of P2P electronic payments and the reduction in paper checks.

http://www.bos.frb.org/economic/ppdp/2010/ppdp1001.pdf

Their introduction speaks to the differences in adoption of electronic payments in the USA and Europe.  Intriguingly they include privacy concerns as a key issue.  This being said, having lived in Europe for 15 years, I am not sure the desire for privacy is greater in America.  What can be said is that the moment when the underlining infrastructure was developed defines the ideas and feature sets.  Newer systems learned grew as other economies embraced and proved the viability of innovative ideas.

They go on to discuss the fate of eCash (Mondex, VisaCash) and the need to create ubiquity in order to assure success.    Clearly, as they outline, the major adoption issue in the field of payments is achieving a density of merchants willing to accept a particular means of payment  and simultaneously demonstrating a significant number of consumers willing to employ said means of payment.

Unfortunately for the inventors of neat solutions the reality is that without figuring out how to assure ubiquity the new idea they will not be a success.  If we look at contactless, MasterCard clearly recognised this reality and funded the initial investment in equipment.  Without this investment one wonders if PayPass would have reached the low levels it has.

The interesting thought that emerges from this paper is that the wide spread deployment of mobile phones means that an infrastructure that both merchants and consumers have is in place and if one can find an intuitive means of exploiting this installed base, part of the deployment problem is mitigated.

In my heart, I believe mobile will allow the establishment of new ways of paying,  The next question can today’s infrastructure support P2P payment instructions and will the issuers and acquirers figure out how to make money without cannibalizing existing revenue streams.

What next for Smart Card and Mobile Phone

“Chip and PIN”, EMV … ISO 7614

The New York Times, in the previous post, looks at the issue from the obvious perspective.  The result is as one would expect.  Remember when France first introduced smart cards 1984or mandated then back in 1992 and the acceptance nightmare.

In the past I have written on the idea –

Push PCI/EMV into one coherent electronic and secure smart card reader and PIN Pad.

Mandate all new 1 July 2010; with the understanding that the reality –  every piece of equipment will be replaced in a reasonable period, say 7 to 10 years.

VARs should easily be able to do that.

The incremental ($8/device) on the device side goes down over time, as equipment becomes more affordable.

On the system side, most international providers have a solid EMV implementation they can port over to the US platform over that same 7 year time frame.

At the Network switches, gateways and IPSPs; data formats should be changed sooner, say three years from day one.

Issuers can then decide, when to embrace one  global two factor authentication solution; using contact and contact-less EMV  cards to support card authentication [Factor 1] and card holder verification processes (eg. Chip and PIN) [Factor 2] .

Biometrics were understood when EMV was created.  The mechanisms are in place to introduce an agreed, more secure, biometric verification process [Factor 3].

The NYTimes understands what EMV is

So why not go ahead, do contact ISO7614 and contactless cards ISO14442 for 1.75 a piece.  then merge 15+ cards to a few. Save 11*$.025 = 2.75 per person. or 1.100 Billion less cards as pollutants

Could U.S. consumers spur adoption of EMV in U.S.?

Tracy Kitten

• 01 Oct 2009

As the rest of the world wraps its migration to EMV/chip-and-PIN technology, Americans traveling overseas are running into mag-stripe disadvantages.

This week, travel reporter Michelle Higgins of The New York Times writes that U.S. cardholders traveling abroad are getting turned away by some merchants, since mag-stripe readers are quickly becoming things of the past in every corner of the globe except the United States.

Though EMVCo., which oversees and spearheaded the EMV shift, has said from the beginning that all chip cards and readers would continue to also read mag-stripes, many merchants are reluctant to accept mag-stripes, since they can be held liable if card information is skimmed or compromised. And because magnetic stripes are relatively easy to copy compared with chip-and-PIN technology, accepting mag-stripe transactions potentially opens the door for fraud.

The problem is that most U.S. consumers have not been informed by their financial institutions about potential transaction problems when traveling overseas. Most, in fact, have no idea what EMV or chip-and-PIN technology is.

Twenty-two countries, including most of Europe, Mexico, Brazil and Japan, have adopted EMV technology, according to the Smart Card Alliance. About 50 other countries, including China, India and most of Latin America, are in various stages of migrating over the next two years.

Last year Canada began rolling out chip-and-PIN cards and plans to stop accepting mag-stripe cards at ATMs after 2012 and at POS terminals after 2015.

American Banker Reports

Europe to Eye Mag-Stripe Ban

Cardline Global  |  Friday, June 26, 2009

European banks may consider banning the use of magnetic stripe credit and debit cards, according to Gerard Hartsink, the chairman of the European Payments Council.

Hartsink, who is also a senior executive vice president at ABN Amro in Holland, said that European financial companies will have largely completed the transition to the EMV Integrated Circuit Card Specification by 2011, and the council, which is driving the transition to the Single Euro Payments Area, could then advise its members to stop accepting magnetic stripe cards, which are considered less secure than those that use EMV.

“My feeling is, although it has not yet been decided, the [council] will take a decision in 2011, maybe 2010, to only use chip cards,” he said in comments during a presentation this week at the Contactless Cards and Payments conference in London.

The council has no enforcement power, but if banks in Europe went along with such a decision, it could leave U.S. cardholders in the lurch when they traveled to Europe and tried to use cards for purchases or ATM withdrawals.

“If [Americans] visit Europe, it’s not such a problem; their institution could issue an EMV card,” Hartsink said.

Payments council members will probably debate the issue in 2010 or 2011, he said.

Hartsink is not the only person suggesting a ban on magnetic stripe cards, according to Dave Birch, a director at the U.K. research company Consult Hyperion. In a recent blog post, he cited comments from a financial regulator in Singapore pressing for a “concerted, global effort to phase out magnetic stripe technology entirely.”

The time grows near for the merging of leather and electronics

Recently I came across an article that spoke to an idea that i had back in 1996 when I envisioned a personal device that allowed the consumer to merge their leather wallet, Filofax, mobile phone, walkman and PDA into a single light weight device.

https://www.andreae.com/presentation/Wallet_Pockets/my_dream_Start.htm

The author of this article talks to the need to create a secure mechanism to authenticate, identify and as appropriate verify that it is I.  When we looked to smart cards that was what we where looking to do and the SIM that is inserted into a GSM capable mobile phone is able to offer the security that Kurt Marko seeks.

Has the time come to move forward with my dream?

 

That was part of the dream that drove the creation of  EMV. 

Personal Portable Security Devices

 
Are Pocket-Sized, All-In-One Security Devices Ready For Prime Time?

Key Points

• Personal portable security devices integrate cryptographically strong user authentication, such as OTPs (one-time passwords) and public key certificates with ample hardware-encrypted flash storage, all housed in a compact USB device.

• The functional integration enables new usage models for secure mobile computing, such as standalone portable applications, browsers, or complete desktop environments.

• PPSDs are a relatively new and evolving technology that suffers from hardware costs substantially higher than those of point products, such as encrypted storage or OTP tokens, complex deployment processes, and necessary additional management software.

 

USB thumb drives have become the sneakernet’s backbone, the result of plummeting prices and burgeoning capacities for flash memory. These tiny wonders are spacious enough to store an OS installation with room to spare for user data; however, they are also inherently insecure. Although vendors have addressed this shortcoming with drives incorporating hardware encryption chips, these haven’t yet achieved mass acceptance. Small USB devices have also become a common vehicle for delivering secure, two-factor user authentication.

Wouldn’t it be nice if secure storage and authentication features were combined into a compact Swiss Army knife of security? A relatively new class of products, PPSDs (personal portable security devices) “combine the flash storage of universal serial bus thumb drives with the access control and secure storage capabilities of the smart card,” says Burton Group Senior Analyst Mark Diodati. “PPSDs leverage the USB form factor, use hardware cryptographic processing to provide smart card and one-time password device services, have secure storage capabilities, and reside in a tamper-resistant container.”

The real security magic comes from the synergistic integration of the two sets of capabilities; for example, users cannot access the flash memory without first providing strong authentication. Diodati adds, “The PPSD overcomes two issue— the limited storage capability of smart cards and the relative insecurity of USB flash drives. Larry Hamid, CTO of MXI Security, says the combination allows “a device that serves multiple security functions.”

PPSD Features

Furthering the theme of convergence, PPSDs also incorporate several strong authentication technologies. Like traditional USB tokens, PPSDs embed a certificate-based smart card in hardware; however, they add a software-based OTP (one-time password) generator. Unlike SecurID tokens, most PPSDs don’t sport a display; thus, to generate and view the password, users must plug into a PC’s USB port and run an embedded application. This makes PPSDs problematic for use on public kiosk PCs where the ports are usually disabled. Like USB security tokens or smart cards, PPSDs can hold any number of certificate-based credentials for Windows login or PKI (public key infrastructure).

PPSDs pair their strong authentication features with gigabytes of flash storage. Hardware-based encryption is accomplished via a symmetric algorithm such as AES, and, while standard USB flash drives can be encrypted with software, they are arguably less secure. In addition, PPSDs are tamper-resistant because they use their internal smart card to store encryption keys and an embedded chip to execute the encryption. Some PPSDs also support biometric authentication via an integrated fingerprint reader for added security.

Advantages & Usage Scenarios

Like plain-vanilla flash drives, PPSDs have benefitted from dramatic increases in flash memory density and are available in capacities from 1 to 16GB. Such abundant storage enables some intriguing applications, according to Diodati. He sees PPSDs as an ideal way to protect mobile professionals via solutions such as hosting a complete virtual desktop OS, “hardened” business applications, Web browsers, or SSO (single sign-on) systems.

For example, using software, users can carry a fully customized Windows Desktop environment on a USB stick. Similarly, some let users install and run individual applications directly from a USB drive while leaving no traces behind on the host PC. PPSDs enhance these portable application environments by running them within a much more secure framework.

PPSDs look like the perfect security multitool, so what’s not to like? Unfortunately, according to Diodati, “the functionality of the PPSD comes with a price.” He explains that extensive processes are required to initialize devices for a particular organization, customize and personalize them for users, and bind their security credentials to internal directories. Although vendors provide administrative tools to automate these tasks, Diodati notes these often aren’t the end of the story. “Additionally, a smart card management system is required for most deployments, adding to the cost of the PPSD deployment.”

Cost vs. Alternatives

Aside from the administrative overhead and costs of ancillary software such as a CMS and OTP system, PPSDs themselves aren’t cheap. For instance, 2GB devices run around $150 with 4GB devices pushing $200. Compare that to a 4GB flash drive bundled with software encryption for less than $30, and it’s tough to justify the PPSD’s six-to-one price disadvantage if all one needs is secure storage.

The mobility of today’s workforce opens enterprises up to more security risks, according to Hamid. “You either have to compromise security [or] compromise functionality.” He sees PPSDs as a technology that can make security simpler, more portable, and less burdensome. Hamid believes carrying applications or entire desktop environments on a secure PPSD could emerge as an important new security model for mobile users.

Diodati is equally enthusiastic about the market potential of PPSDs but believes they need further development. “While the PPSD has the opportunity to be a stronger authentication market disruptor, the price must come down.” He’s also concerned about the complexity of PPSD deployment. “The orchestration of smart card management systems, key management/recovery, Active Directory, and PKI will remain a daunting task for most enterprises in the foreseeable future.” Hamid agrees that costs are a problem but promises new product lines “with drastically reduced pricing.”

Although the integration of strong authentication credentials and copious encrypted storage in a key fob-sized device promises to enhance and simplify mobile security while giving new meaning to the notion of a “mobile desktop,” the nascent state of PPSD technology means that it’s more appropriate for evaluation and prototyping than large-scale deployment. As hardware costs continue to plummet and management software matures, PPSDs could revolutionize the mobile security landscape.

by Kurt Marko

Key Features Of PPSDs

• Strong authentication via public key certificates or one-time passwords

• Native, hardware-based file encryption

• Portable single sign-on via the ability to carry both a user’s SSO credentials and an on-demand enterprise SSO system

• Ability to securely host a complete portable desktop environment

• Ability to securely carry portable applications, particularly a hardened browser with a restricted operating environment and secure configuration

Source: “Postcards from the Enterprise: The Authentication Experience”; Mark Diodati; Burton Group

America needs to embrace the Future

Back in 1993 I had the opportunity to help in forming the working group who developed and ultimately published the EMV Smart Card Specifications for Credit and Debit Cards.  Since then, as a member of the Europay and Visa Canada executive teams I promoted the virtues of smart cards and the business case for EMV. 

As a consultant, one of the focuses of my practice is EMV.  In both Europe and Canada I counseled executives on the what, how, when, business value and future opportunities of EMV, smartcards. mobile payments and internet payments

One question has always been asked of this American – “when will the USA migrate”.  Up until recently I was stuck, giving bland answers.  I suggested that we would have to wait until after fraud migrated to the USA,  away from EMV protected countries.  I tried to explain to people, committing comparable sums of money, that  the size of the investment required of US Issuers, Acquirers and Merchants is enormous and frankly cannot be justified. 

Why they ask,  simple economics I answered.  I explained that when one looks at the  quality of the fraud management systems in place, the level of on-line authorization and the losses incurred; it simply does not make sense.

Debit is the real reason to Migrate to EMV

In 2007 I was working with “The Exchange”, a Canadian network that supports sharing of ATM services such as deposit, bill pay and account to account transfers.  The focus of my work was to help them to understand the implications of EMV and to work with them to develop their go forward strategy. 

Part of the research led me to talk with the Fiserv, the Brand owner and their strategic partner.  While discussing what the Canadian entity needed to do with the America responsible for the USA Exchange and Accel network; the conversation drifted to when will the USA move to EMV.

What sat front and center inour discussion is the American banks that issue PIN Based Debit Cards have a much stronger rational to migrate to EMV than the credit card and signature based Debit issuers.  In the PIN Based Debit arena the “reputational risk” has and will continue to be the real justificationfor the migrate from magnetic stripe to Chip and PIN.

Why you may ask.  My answer is simple.  The cost to a criminal to install a fascia and PIN hole camera on an ATM, capture the magnetic stripe and PIN; offers these international criminals a very rewarding business case.  They are also funding aggressive operations that embed people into factories that produce magnetic stripe and PIN Pads with the imbedded capability of capturing and transmitting the magnetic stripe and associated PIN to the Mafia

Reputational Risk is the catalyst

 

So how does this affect “Reputational Risk”? 

1.       When the criminal perpetrates debit card fraud, they focus the attack at ATMs the cardholder would probably visit.  The Issuers’ fraud management systems are finding it hard to differentiate between a valid transaction and a fraudulent transaction, so out pops the cash, 100% fungible no need to fence the goods and cheaper and more profitable than robbing the bank

2.       Weeks later the cardholder notices that there is not as much money in their checking account as they expect and they call the Bank’s call center.  The argument follows – But only people who know your PIN can withdraw funds from your account, who did you tell your PIN to, your ex, your children …

3.       Eventually after a lot of time explaining, crying, shouting and generally getting on each other’s nerves; the Bank’s customer service agent will final accept that the cardholder did everything to protect the PIN and card; so the bank will reluctantly restore the funds to the cardholders account.

4.       Bottom line the cardholder feels that the bank does not care; their systems are not safe and the cardholder is now afraid to use their debit card.  The Bank and its ATM network are now at “Risk”.

No one should be surprised at this form of attack.  I knew and teh media presented the realtities of such attacks back in 1994.  As the size cost of the equipment shrinks and the capabilities of technology expands the incidence simply increase and proportional to the rewards.

To put a point on my analysis; when most countries decide to migrate to EMV it is not the Credit side of the cardholder relationship that seals the deal for the CEO and senior executives.  It is the Debit side that pushes the bankers to say yes we must migrate to EMV.  MasterCard and Visa,  who participant in both credit and debit, want the publicity.  Whereas the debit networks would prefer to not talk about the problem.   End result we are left thinking credit cards drive the migration to EMV.  Compounded by the reality that for credit cards in the USA, there is simply not a business case.

For the US banks to come together to decide that EMV is the right thing to do; there must be a place where the Issuers and Acquirers can come to terms with the cost and agree on an equitable way to fund the investment required.  For the debit card side of the Banks there is not an obvious place to have this discussion.  Most PIN Debit networks are either regional or owned by publicly traded organizations.  There does not appear to be a common forum capable of bringing the executives together to agree and commit.

Migration to EMV is expensive – YET really it is not

 

Everyone talks about how expensive it would be for America to migrate to EMV. 

Yes if we are to approach the migration with the Big Bang theory it will be ridiculously expensive.  Instead what the powers that be should agree is that all cards and terminals will be EMV by say 2019, ten years.

Let’s acknowledge that most of the major acquirers and processors have already implemented EMV on their international platforms; so the implications are understood and if they where intelligent when upgrading for Canada, England, Europe, Latin America, Middle East and Asia, they should have considerted how to cost effective assure the inclusion of EMV on their American platforms, someday. 

So now they simply have to add it to the list of requirements that will be included in one of the yearly upgrades, or, as part of their technology replacement plans.  Remember we are saying EMV in 10 years. 

Ten years is a long time when we think about technology.  Therefore they have no justification to argue it is punitive to force them to implement EMV.

On the terminal side we must remember that for the merchant there are only intangible benefits to implementing EMV.  Yes, like MasterCard Visa etc, EMV can be positioned as the cost of doing business and included in one of the compliance upgrades. 

Or, if we are intelligent, we say to the ATM operators, merchants, ISOs and acquirers, the next time you upgrade your point of sale system – buy an EMV compliant PIN pad and include EMV as one of the requirement for the systems that drives the device and transmits the approval requests and clearing records to the acquirer. 

Any ATM/POS supplier who sells outside the USA has EMV devices in their catalogue.  All the Value Added Resellers who sell international have support for EMV within their software.  NCR, Wincor-Nixdorf, IBM, EFunds, ACI, S1 … all support EMV.

With this plan in place, over time EMV will progressively be enabled at the point of sale. with minimal cost impact.   Yes the vendors will have to be told to play nice and not exploit the opportunity.  Yes for merchants that attact significant International clientele they should migrate sooner.  Yes, locations that are known to be high risk merchants they should be made to implement EMV sooner. 

This leaves the Issuer with an easy question to answer, when do I add an EMV chip to my card.  Well the answer is easy and it is complex.  On the simple side, when they think there are enough terminals to achieve the fraud saving then do it.  Or, we can add the contactless and mobile payment dimension and start talking about Combi cards, embedding EMV into the handset, considering Multi-application opportunities.  I’ll talk about that another day.

Agree to move and give people enough time so that there is no pain

 

Bottom line my message to the US market is the question is no longer about who will pay it is simply about how much time should we allow everyone, so that the incremental cost is irrelevant.

 This Blog was driven by reading a recent review from CTST

U.S. getting squeezed by EMV  Wednesday, May 6, 2009 in News

http://www.contactlessnews.com/2009/05/06/u-s-getting-squeezed-my-emv

With Canada and Mexico both going to EMV and most of the rest of the world doing the same it may be a matter of time before U.S. card issuers are forced to go to chip and PIN. EMV in the U.S. was the topic of a panel at the CTST Conference in New Orleans.

Mobile Payments and Banking – Consumer reaction is negative

UK consumers reject mobile payments

Security is a major hindrance, says study Written by Angelica Mari, 23 May 2008

I must admit I am confused about the potential for the Mobile Phone becoming a mechanisms we employ when making payments.  If I was simply to take the reaction in an article recently published on VNUNET.com, I would worry.  Yet in other articles and industry analyst speculate that by 2012 we will evolve to employing the mobile phone as our i means of payment.  As I suggested in a previous posting there is still a lot of work to do in developing the business case. 

Yes Vivotech reports phenomenal numbers of devices installed and Inside Contactless talks about the significant numbers of contactless cards deployed.  Standards are emerging and I am sure that EMVCO will develop the necessary security to protect Mobile Payments (assuming you don’t lose your phone).  Then there is the interesting reality that there are more mobile phone users than there are people with Bank accounts.  Micro-finance and developing worlds are embracing work like what Vodaphone is doing to drive payments in the P2P space to the mobile device. Yet when will all of these experiments and trials prove that the key issues of security and stakeholder profit are there?

Interchange is under threat

Judiciary Committee Antitrust Task Force
Hearing on H.R. 5546, the “Credit Card Fair Fee Act of 2008”

Today I sat down and read through all of the testimony and must admit, understanding the concepts of interchange, I am troubled by the testimony provided by both Visa and MasterCard.  Neither provided sound arguments to justify interchange.  Whereas those opposed, clearly demonstrated that Interchange benefited the large issuing banks at the expense of the merchant and consumer.  The only testimony that offered any sound support for interchange was that offered by John Blum.  Yet his arguments simply argued that without a fixed interchange structure smaller players would not be able to play, which does suggest the interchange mechanism, as a competitive process, is flawed.

Regulation is not the answer.  Yet, something must be done to assure that there are sufficient free market forces surrounding the calculation of the default Interchange rates.  

 Chairman’s Opening Statement

Witness list and links to their statements

Thomas L. Robinson
Vice President of Reglations
National Association of Convenience Stores
Joshua R. Floum
General Counsel and Corporate Sec.
Visa Inc.
Steve Cannon
Chairman
Constantine Cannon, LLP
Joshua Peirez
Chief Payment System Integrity Officer
MasterCard Worldwide
John Blum
Vice President of Operations
Chartway FCU
Edward Mierzwinski
Consumer Program Director U.S. PIRG

Interchange under judicial and legislative review

Today on Payments News – from Glenbrook Partners” they posted an article referencing the hearing taking place

Thursday 05/15/2008 – 11:00 AM
2141 Rayburn House Office Building
Judiciary Committee Antitrust Task Force
Hearing on H.R. 5546, the “Credit Card Fair Fee Act of 2008”

House Judiciary Committee Holds Hearing on US Interchange Fees

As we mentioned here on Payments News on Monday, the House Judiciary Committee is holding a hearing on Thursday, May 15th beginning at 11 AM Eastern time on H.R. 5546, the “Credit Card Fair Fee Act of 2008”. As of tonight, the committee’s website doesn’t list the witnesses who will be testifying – but it promises that a live webcast of the hearing will be available.

As an editorial comment, many of us in the payments industry find the “solution” proposed in this legislation to be overly complex. Read the actual text of the draft legislation – and you may reach the same conclusion! We wonder whether the merchant community in fact would be well served by the remedies proposed. A very basic question comes to mind: “Is this the best you can do?”

The legislation that is under review can be found at http://judiciary.house.gov/hearings.aspx?ID=204

My sense is that like Australia, Europe and other countries the USA Congress is ready to challenge the nature of how interchange is calculated and define methods of assuring merchants much reduced rates.  How the financial lobby will engage and how the associations will defend there position, should make for an interesting debate.

European ATM Skimming Fraud Jumps 43%

Reported by Epaynews.com

May 08 2008 : In 2007, ATM fraud losses rose by 43 percent in Europe to €439.01 million (US$683.7 million) from €306.48 million in 2006, reports EAST (the European ATM Security Team). Most of the losses in 2006 and 2007 were due to card-skimming at ATMs, the non-profit organization says.The year-on-year increase in fraud losses was mainly due to a €173.6 million increase in cross-border losses in 2007.
“These (cross-border) losses are occurring globally in countries where all or part of the ATMs deployed are not yet EMV-compliant,” EAST says. “Domestic European fraud losses have fallen year on year, an indication that the roll out of EMV-compliant ATMs is driving down fraud.”
 According to EAST, 78 percent of European ATMs are now EMV-compliant.
Card fraudsters are being forced to seek out non-EMV compliant ATMs to obtain cash, EAST says. “Incidents continue to be reported where data skimmed from EMV cards in European countries where ATMs are EMV-compliant, has been sent by criminals to European countries where ATMs are not fully EMV-compliant,” it says.
The skimmed data is used to make counterfeit cards that enable fraudsters to illegally withdraw cash from ATMs.

According to EAST, skimmed data is also increasingly being sent to countries in and outside Europe where EMV cards can be used as magnetic-stripe cards in ATMs. This takes advantage of a process known as “mag-stripe fallback”, which is designed to ensure that a card can be used even if its EMV chip is damaged or faulty.

Crooks Have Your Card and You Don’t Even Know It

How Thieves Copy Credit and Debit Cards and Drain Accounts

By ELISABETH LEAMY – ABC News

May 2, 2008—

 While your ATM card is tucked in your wallet, thieves half a world away could be cloning it and using it. The crime is called “white card fraud,” and ABC News investigated just how easy it is for thieves to make a copy of your card and use it to drain your account.

It’s difficult to get an exact figure, but it’s estimated that identity thieves net an estimated $345 million this way every year. Gary Burkey of Wilmington, Del., discovered somebody was withdrawing money from his account at ATM machines in a part of Pennsylvania he had never even visited.

Criminals get people’s numbers in a variety of ways. One way they capture card numbers is by installing skimmer devices over the slot where you insert your card when you use an ATM.

They also use hidden cameras to record your PIN. Miami Beach police have actual footage from a crook’s camera in Florida that shows a victim inputting his PIN. Clear as day: 1-4-2-6.

Click here for tips to protect you from today’s modern identity thieves.

“What makes this really sneaky, really devious, is once the criminals get the account information, they wait on it for a little while, said Cpl. Jeff Whitmarsh of the Delaware State Police. They replicate the cards and when the consumer least expects, that’s when they go in and hit the account.”

ABC News found the machines used to copy cards for sale right on the Internet, even though there are very few legitimate uses for them. We had our choice of 30 machines and bought one for about $500. We were even able to request priority shipping and received the package the next day.

ABC took the device to Chris O’Ferrell, an ethical hacker for a computer company called Command Information, which helps the federal government secure its systems.

We handed over an ABC News credit card and O’Ferrell swiped it so the machine could capture the information on the magnetic strip. Right away, the data popped up on the computer screen: name and account information.

With another swipe, O’Ferrell transferred it to a blank white card that came with our kit. Any card with a magnetic strip can be made into a clone — gift cards, hotel key cards, etc.

In less than five seconds, we had a duplicate credit card.

“That’s it. That’s all there is to it,.” O’Ferrell said.

We cloned an ATM card too. At one point we even accidentally deleted the data on one of our source cards, but since we had a clone, we were able to put the data back on.

Once we had clones of our cards, the question was, would they work? We tried the Visa card out at a gas pump. Without actually making a purchase (we didn’t want to violate any laws) we inserted the card to see if it would get authorized.

When the “lift the handle and begin fueling” message came up, we knew our clone was working. We tested the cloned ATM card by checking our balance at an ATM machine. When the screen read “Hello Elisabeth Leamy,” that was our first clue that that one was working.

It’s a bonanza for crooks. They used to have to risk going into stores to buy pricey merchandise, which they then sold for cash. Now they can just drain ATMs. Authorities say specialized crews do nothing but hit ATMs, cashing out on behalf of other identity thieves and taking a commission. One Bulgarian gang pulled $200,000 out of a single cash machine in Florida.

More than 65 other countries in Europe, Asia and South America now use smart chip technology that makes card cloning almost impossible. But the United States has stayed with magnetic strips to avoid the cost of converting ATMs. By one estimate, we have 400,000 cash machines in this country.

“It’s totally unacceptable,” O’Ferrell said. “It makes it extremely easy for the criminals to clone our cards and steal our identities.” Experts say since U.S. credit and debit cards are so much easier to tap, U.S. cardholders have become targets.

Copyright © 2008 ABC News Internet Ventures