EMV and Mobile Payments: Questions abound, answers divide

Steve Mott, Principal—BetterBuyDesign
Payments Summit Workshop, 2/4/2013



Major Issues/Questions Abound

• Background/History reveal erratic path to payments
• Choices are narrow, and lack of consensus
• Implementation complexities abound
• Implementation issues are very thorny
• CVM preferences reveal business agendas
• Transaction security is questioned; PCI exoneration not achieved
• Proprietary claims persist
• Implementation costs/responsibilities strain business case
• Fight for control of EMV spec is underway


Background

• EMV originally designed to make offline payments more secure by verifying user to the authorized card account; can do online as well—but not over the Internet
  – Relied heavily on PIN validation
• Supported multiple payment options (credit, debit, purse) and loyalty applications—but under one brand’s Application IDentifier (AID)
• Generally produces liability shift (to Issuers) for chip-authenticated transactions (while sticking slow deployers with fraud)


A Brief, Informal History of EMV/NFC Payments

Date: EMV/NFC Payment Market Development

2000 The card brands led the effort to instill the ISO 14443 standard for chip-based (EMV), single-path, card emulation mode

~2000 About that same time, Visa/MC announced that by 2005, all of their cards in the U.S. would require a chip; shortly after, this requirement was rescinded

2004 In 2004, the card brands pushed through ISO 18092, which enabled a two-way path for supporting marketing applications

2004 Shortly after, a major effort to promote acceptance and adoption of ‘tap-and-go’ contactless ensued—focused significantly on the U.S.

2008 By 2008, the legacy payments industry decided that near-field communications (NFC) would be the preferred embodiment for mobile handsets, which would operate in the card emulation mode, using a secure element

2009 BestBuy shut down its tap-and-go program because Visa’s PayWave would not support PIN-debit option; only stores with aggressive local issuers noticed

2010 Tap-and-go contactless support began to dry up due to low adoption and volumes; NFC, slow to appear on handsets and in business models, faced growing challenges

2011 EMV contactless specs arrived in 2011 geared to common interfaces to NFC terminals; Visa announced its EMV program in August, including a liability shift by 2015

2012 EMV, designed to be synonymous with NFC, received support from other brands, but—like NFC—hit a wall with merchant adoption

2012 EMV, designed to be single-branded, doesn’t comply with the Durbin mandate for merchant choice of two, non-affiliated debit networks; EFT networks are upset

2013 Efforts to reconcile implementation issues with EMV are being addressed by the EMV Migration Forum; meanwhile NFC continues to struggle (though Isis and others are still trying to push it)


Choices, but no Consensus

• Brands’ answer: Card Emulation mode
• CNP becomes an albatross to innovation
• Alternatives arise and receive support


Card Emulation Mode: The Theory

•  Assumption: Payments would remain in the same domain as they moved from mag-stripe to chip

•  Challenge: Visa/MC members didn’t want to make investments in changes until there was a strong ROI

•  Solution: DECRYPT card credentials (PAN, Expiry date) while adding a bit of dynamic data authentication (CVV + transaction identifying data remain encrypted)

•  Benefit: Eliminates man-in-the-middle/replay fraud while minimizing participant costs in the early going


Card Emulation Mode: The Problem

•  Assumption: Merchants hate the status quo and want to see a paradigm shift that reduces control by brands

•  Challenge: Merchants have to foot 75% of estimated $8 billion investment

•  Solution: Payment account credentials in-the-clear can be hacked and used for online fraud (30% of U.S. websites don’t take CVVs) and PCI exposure/costs perpetuate

•  Benefit: Man-in-the-middle accounts for less than 5% of fraud; all other sources of fraud remained unaddressed (unless PIN verification is imposed, which the brands are trying to avoid)
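An added illustration, not part of the original slides, of the argument made on the two Card Emulation Mode slides: a dynamic per-transaction code stops a replayed message, yet the PAN and expiry that travel in the clear are still accepted wherever only static values are checked. The HMAC-based code, the key, the field names and the card values are assumptions constructed for this model; this is not the EMV cryptogram algorithm.

```python
import hashlib
import hmac

# Constructed demo values: not real card data, not real EMV key material.
PAN, EXPIRY, CVV2 = "4000000000000002", "1512", "737"
CARD_KEY = b"demo-key-shared-by-card-and-issuer"

def dynamic_code(key, pan, atc, nonce):
    """Toy dynamic authentication code: MAC over counter and terminal nonce."""
    msg = f"{pan}|{atc}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:8]

class Card:
    def __init__(self):
        self.atc = 0  # transaction counter, incremented on every tap

    def tap(self, nonce):
        self.atc += 1
        # PAN and expiry leave the card in the clear; only the code is dynamic.
        return {"pan": PAN, "expiry": EXPIRY, "atc": self.atc, "nonce": nonce,
                "code": dynamic_code(CARD_KEY, PAN, self.atc, nonce)}

class Issuer:
    def __init__(self):
        self.last_atc = 0  # highest counter value already authorized

    def card_present(self, m):
        expected = dynamic_code(CARD_KEY, m["pan"], m["atc"], m["nonce"])
        if not hmac.compare_digest(expected, m["code"]):
            return "decline: bad dynamic code"
        if m["atc"] <= self.last_atc:
            return "decline: replayed counter"
        self.last_atc = m["atc"]
        return "approve"

    def card_not_present(self, pan, expiry, cvv2=None, require_cvv2=True):
        # Online path: no chip, so only static values can be checked.
        if (pan, expiry) != (PAN, EXPIRY):
            return "decline: unknown account"
        if require_cvv2 and cvv2 != CVV2:
            return "decline: CVV2 missing or wrong"
        return "approve"

def demo():
    card, issuer = Card(), Issuer()
    msg = card.tap("a1b2c3d4")
    first = issuer.card_present(msg)
    replay = issuer.card_present(msg)  # identical message presented twice
    # The static fields from the same message, at two online merchants.
    lax = issuer.card_not_present(msg["pan"], msg["expiry"], require_cvv2=False)
    strict = issuer.card_not_present(msg["pan"], msg["expiry"])
    return first, replay, lax, strict

if __name__ == "__main__":
    print(demo())
```

The replay is declined while the merchant that skips the CVV2 check approves on static data alone, which is why the slide ties the residual exposure to sites that do not take CVVs.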


CNP Debate

• CNP a vestige of 2000, when the payments industry lived in fear of the Internet
  – 20-30 bps premium over card-present rates
  – Merchants absorb virtually all liabilities
• Visa/MC decree only card-emulation mode warrants lower card-present interchange
  – Ostensibly an incentive to adopt NFC/EMV, but a disincentive to accept competing
  – Transaction risk much higher
  – Doubts persist about intrinsic NFC risk (Apple)
• Google, others pay premium, absorb liability
• Visa and MC allude to studies to give partial and perhaps full parity with card-present to qualifying (secure) alternatives


Alternatives to NFC

• Tokenized payments
• Using NFC, via ISO 18092 protocol
• QR codes (especially with one-time-use pseudo-numbers or passwords)
• Full end-to-end encryption
• Potential for PCI exoneration
• Variations on virtual Secure Element
  • in the cloud
  • in the handset
• Bill to carrier


Payment Complexities Confound


Implementation Complexities: What Went Wrong With NFC

• Wallets: geared to digitize leather wallets/pocketbooks
• NFC: leverages contactless and status quo
• New interface (ISO 18092) set up two-way offers to drive usage and adoption
• Offers will drive usage and adoption
• Payments stay the way they are; existing players flourish
• No compelling case for just doing payments tap-and-go
• Offers minimal security and relief from PCI; failed model
• Can be used for tokenized payments/access to cloud
• Better offers require sku data; data not protected
• NFC costs more than plastic; card costs get worse


The Original Business Case for 2-way NFC: Mobile Marketing Opportunities

• Relevant coupons: 1-to-1 targeting, real-time, refreshing, etc. can reduce billions of waste from $400 billion annual spend on paper and broadcast media (where only 8% of consumers collect and just 1% redeem)
• Location-based services (e.g., queries on nearest brand store or restaurant, where promotional offers can be returned with info)
• Customer recognition (supplying data and receiving offers and updating rewards programs) upon entering stores; data can be harvested for banking products and joint bank/merchant promotions
• Products can be pitched inside the store, while shopping—including competitive offers
• Shopping items can be automatically scanned/read while shopping, facilitating self-checkout (where payment options can be pitched)
• Loyalty programs can be integrated and instantly updated for real-time redemptions
• All this data can be used (with sufficient consumer opt-in) to better address offers, promotions, financial services needed, targeting of ads, etc.


But Business Model Isn’t There Yet

• ISO 14443 payment mode requires a secure element; but
  – Secure elements are controlled by carriers
  – Carriers are charging $5-7 per year per loaded account—regardless of whether used (versus $1/per account/year for offloading an online banking account)
  – Carrier charges through Isis will compound fees
• Secure elements require application wrappers that can be compromised and produce MORE expensive transactions than cards
• Deployment of NFC (and EMV) by Visa/MC to-date leaves important account credentials in-the-clear (TBD)—perpetuating PCI exposure and encouraging online fraud
• Radio signaling may not prove safe or efficient for POS over time


Starbucks/Target/Others (Barcodes); Apple (?)

Sources: VentureBeat.com; American Banker


Cloud-based Services

• What’s right with them:
  – Flexible
  – Avoid POS constraints
  – Driven by merchandising proposition
  – Designed for buyer convenience
  – Lend easily to specific merchant preferences
  – Can evade bank and network fees
  – Leverage mobile tech
• What’s a concern:
  – Need critical mass scale to operate
  – Need bank/merchant support for security and privacy
  – Cloud security is yet unproved
  – Operational viability is in question (without some wholesale system integrators)…Amazon


The Cloud: Ready for Prime-time?


By Greg Bensinger, All Things Digital December 25, 2012 Netflix Inc. said Tuesday it restored streaming video services a day after an outage triggered by technical problems at Web service provider Amazon.com Inc. stretched across the Americas. The service was running for all customers by Tuesday morning, Netflix said, after its and Amazon's engineers worked through the night to repair it.

Netflix, of Los Gatos, Calif., said the outage started about 3:30 p.m. Eastern Time on Monday. It prevented video streaming on a number of devices, such as Roku Inc. players. "We are investigating the cause and will do what we can to prevent reoccurrence," a Netflix spokesman said.

Other websites, such as software company Heroku Inc. and social media app Scope, also reported via Twitter service problems of their own that were traced to Amazon operations. Scope Chief Executive Amit Kumar said his engineers devised a way to bypass AWS and restore service. Heroku couldn't immediately be reached for comment.

Netflix Hit by Outage, Blames Amazon


First-Generation Mobile Wallets—Divergent Paths/Road to Nowhere?

| Wallet Provider | Target Channel | Deployment Strategy | POS Orientation |
|---|---|---|---|
| [logo not recovered] | Began focused on POS, now back to online; more than two dozen national merchants testing | Hedging bets on SE/NFC; OTP online (liabilities?); cards and phones for POS leveraging TXVia acquisition; data = big prize | Was seeding market with NFC terminals; 2.0 virtual MC prepaid option will use existing rails with CNP rate |
| [logo not recovered] | Extending to POS; online going very well; nearly two dozen national merchants | Cards and phones for POS, with two-way offers coming; acceptance via Discover | Cards and numbers now, 18092 soon in handset, other modes coming |
| [logo not recovered] | Focused on POS, considering online; nearing a dozen national merchants | NFC 14443 for POS; 18092 on the way | Straight NFC for terminals, with offer push |
| [logo not recovered] | Focus was on digital/online, but now pushing POS; a dozen online merchants and handful of POS merchants testing | OTP online, NFC 14443 for POS, but considering 2D barcode, others | Using EMV to lead market to proprietary PayWave? Offering full encryption if Issuers, Merchant want it |
| [logo not recovered] | Leveraged contactless lead at POS, now moving online; several key merchants | OTP online (maybe liabilities?); NFC at POS for now but exploring options with white-label wallet | PayPass is global standard, pitching open platform that can work anywhere |
| [logo not recovered] | Current focus on POS with more than two dozen merchant owners | Believed to be offering a combined credit/debit facility on private rails | QR codes with OTP resolve in cloud; big emphasis on data/privacy protection |


Cardholder Verification Method

| Network | Preferred Embodiment | Rationale | Counter-Argument/Extenuating Circumstances |
|---|---|---|---|
| Visa | Chip+Signature or Chip+Nothing (for transactions <$25) | PIN is a static identifier; PIN acceptance at POS limited | PIN is a great risk management and efficient transaction mode; signature can be worse than nothing (e.g., international cards) |
| MC | Chip+Signature or Chip+Nothing; more neutral on Chip+PIN | PIN is static identifier; Maestro as a ‘consolidator’ | 2/3 of Issuer signups to-date are Chip+PIN, especially needed to support travelers in offline venues |
| Amex | Chip+Signature or Chip+Nothing | Doesn’t have PIN-debit yet | Serve/Bluebird can slice-and-dice authentication protocols |
| Discover | Chip+Signature, Chip+Nothing, Chip+PIN | Owns Pulse PIN-debit network | Offering use of Zip, and private label credit/debit rails (e.g., PayPal) |
| EFTs | Chip+PIN | PIN-debit networks, but with signature options | Viable EMV play is essential to survival but in jeopardy; Durbin not a panacea so far |


EMV Implementation Costs

• Tower Group (2001): $12 billion
  – 75% paid by Merchants
  – 13% paid by Issuers
  – 12% paid by Networks
• Javelin Strategy Research (2010): $8.6 billion
  – Merchants pay 2/3; POS drags feet (especially small merchants)
• Others (2011): $5-6 billion (relative to Canada)
• Is NFC a separate implementation?
• Proprietary aspects emerging? (European Payments Council)
• Is EMV mandate a side-door way to get NFC into POS?
• What are the incremental costs? (big issue is merchant changeover costs at POS)


EMV Implementation Issues

• Visa/MC orientation against Chip+PIN
  – There’s more competition for Visa/MC in PIN-debit than sig-debit
  – Issuers appear to prefer PIN-debit almost as much as merchants do
  – $75 signature/PIN requirement makes most of this moot
• Incompatibility of EMV with Durbin mandate (merchants can choose from a minimum of two unaffiliated debit networks)
  – MC offers its AID for use by other networks
  – Visa appears to want Issuers to decide
  – Where is the consumer’s choice manifested?
  – Survival of PIN-debit and EFTs at stake
• Push for both modes (contact and contactless) sounds forward-thinking, but is EMV contactless a real standard (or a way to get NFC in the side-door?)
• ANSI X.9 considering take-over/upgrade of EMV spec
• Involvement of Fed
• Challenges to objectivity of EMVCo from Issuers overseas


EMVCo: About to Lose Control?

Concerns About Need for Open Chip Card Standard Prompted Letter, X9 Says

Jan. 22, 2013

An effort by a U.S. standards body to gauge interest in a meeting to discuss an open-standard alternative to EMV for chip cards stems primarily from the organization’s concern that EMV’s specifications are not commonly owned by the payments industry, the body’s top executive says. “EMV is a proprietary standard, that’s part of the issue,” Cindy Fuller, executive director of Accredited Standards Committee X9 Inc., tells Digital Transactions News. Governments around the world, she says, “are looking for open, non-proprietary standards.”

The Annapolis, Md.-based X9 Committee last week started circulating a letter to its membership asking for expressions of interest in holding a meeting to determine whether the industry should develop an open alternative to EMV, which is owned by Visa Inc. and MasterCard Inc. (EMV stands for Europay, MasterCard, Visa, but Europay was absorbed by MasterCard in 2002). The letter doesn’t specify any places or dates for the meeting but asks for responses by Feb. 11. It also says the Federal Reserve would host the two-day meeting.


Smart Card Alliance
191 Clarksville Rd. · Princeton Junction, NJ 08550 · (800) 556-6828
www.smartcardalliance.org

Speaker Contact Information [email protected] 203.536.0588