On the cards
New Business Opportunities with Chip and PINHow to create added value based on EMV technology
19.07.10 BY Nick Collin
The EPC's SEPA Cards Framework (SCF) recognises the EMV standard, i.e. implementation of chip and PIN, for SEPA-wide acceptance of card payments at very high levels of security. The latest findings of the EPC demonstrate that as of end first quarter 2010, EMV compliance is 71 per cent for cards, 82 per cent for POS and 95 per cent for ATMs. There are outstanding opportunities for banks to leverage this new chip and PIN infrastructure with added value applications, according to a report by Nick Collin: "EMV Chip Applications: Catching the Next Wave" published by Retail Banking Research (RBR). In western European countries where there is a critical mass infrastructure of EMV chip cards and terminals, banks are already beginning to develop new markets and card acceptance outlets with innovative chip-based applications. Banks in regions which are still in the process of migrating from old magnetic stripe technology to chip and PIN, or have not yet started, have opportunities to learn from the experience of the pioneers and build added value features into their emerging EMV infrastructures from the outset.***
Scroll to the end of the page and post a comment. Go to comments.
Success in reducing card fraud
The main objective of chip and PIN migration is reduced card fraud, and this has been successfully achieved in countries such as the UK and France where levels of domestic, face-to-face fraud have indeed dropped dramatically. Levels of "fraud abroad" involving non-chipped cards or terminals are still high, but this will improve as more and more countries migrate. The report predicts that even the USA, hitherto resistant to EMV technology, will eventually be unable to resist the momentum of global migration.
EMV technology has not yet been widely applied to card-not-present (CNP) transactions via the internet and telephone, and as a result, levels of CNP fraud are increasing fast - now accounting for over 50% of card fraud in the UK, for example. This is about to change. An EMV application which is increasingly well established in Europe for secure online banking is remote chip authentication (RCA), in which a cardholder enters the PIN into a simple card reader to generate a one-time-password (OTP) which is then used to authenticate the transaction. More than 30 million RCA readers have been deployed across Europe by major banks. The natural next step is to combine RCA with an authentication framework such as the 3D Secure protocol, increasingly familiar to online shoppers in the form of MasterCard SecureCode and Verified by Visa. By treating the OTP as a 3D Secure password, this enables strong, two-factor authentication of CNP payments, and is expected to be a critical factor as the card payments industry struggles to maintain dominance in the burgeoning e-commerce payments market against non-card alternatives such as PayPal.
Gaining traction for new applications
The manner and timing in which infrastructure-based applications develop is complex and difficult to predict, typically following a pattern of first industry hype then disillusionment before real progress is established. The RBR report explores a number of models to help banks understand likely developments and plan ahead with more confidence.
Contactless payment is an interesting case in point. The same chip which supports EMV payments also supports contactless "Tap & Go" operation using either a plastic card or an NFC-enabled mobile phone. This development has been enthusiastically embraced by the card payments industry as a key initiative to induce a shift from cash payments to electronic payments. Contactless smartcards are indeed well established in niche markets, including mass transit systems such as London's Oyster Card, and there are excellent opportunities for banks to deploy branded contactless EMV payment cards in these environments. But although the current industry hype is that such deployment will spread rapidly to a much more general class of low value, high volume outlets, displacing cash, this may be constrained by "chicken and egg" issues. No matter how many contactless cards are issued, until there is a critical mass infrastructure of contactless readers in place, the volume of new contactless payment transactions will remain tiny.
Conversely, embedded within the contactless payment proposition is another EMV application known as pre-authorised payment - effectively a new form of e-purse - which may in time come to be seen as an example of premature industry disillusionment. The chip-based e-purse concept has been around for a long time in some markets, but success has been elusive. Although several schemes have gained some traction in their local markets, volumes have remained disappointingly low, and cross-border deployment has been minimal. The reason is that they are based on proprietary e-purse solutions and require special terminals, so there is lack of interoperability between schemes, and a patchy acceptance infrastructure.
The EMV pre-authorised payment solution, in contrast, can be used at any EMV terminal, anywhere in the world. Moreover, since it uses the superior risk management capabilities of the EMV chip to control spending and reloading of pre-paid funds, it is a very safe payment product which can be issued to anyone and be used securely in predominantly offline acceptance environments such as contactless payments. Despite a few pilot deployments, pre-authorised payment has not yet been a success in its stand-alone, contact form. However, this may be because the regions where it has most potential - the huge unbanked or underbanked markets in the developing world - are precisely those regions where EMV migration has yet to gain momentum. This may be one to watch in the longer term.
Another EMV application with great potential is the multi-payment card. Such cards are loaded with more than one standard payment application - typically debit and credit - and the terminal prompts the user to choose which method of payment to use. This is a very simple, but potentially very powerful example of how banks can leverage EMV chips to improve customer recruitment and retention, card activation and usage. Surprisingly, banks have only recently started issuing multi-payment cards, but the results have been impressive, in countries ranging from Finland to France This may be because it was not widely understood that acceptance of multi-payment cards is a standard feature of all EMV EFTPOS terminals. The manner in which different terminals prompt choice of payment method is still somewhat variable, and this may be a challenge in terms of cardholder and merchant education. Nevertheless, as more experience is gained, the prediction is that this application will enjoy rapid and widespread deployment in the near term.
High potential for use with other technologies
The EMV chip story is further complicated by the development, in parallel, of other technologies. In the early days of chip development, it was expected that the data storage capacity of chip cards would be widely exploited for offline applications. Such applications have indeed been developed; mass transit ticketing and payment applications must almost always be offline, and offline chip-based loyalty applications have enjoyed considerable success, in Greece for example. But in recent years there has been a revolution in telecommunications technology with the result that online processing is now almost as fast, reliable and cost-effective as offline processing. In the future we are likely to see increasing deployment of hybrid EMV solutions, with most processing and data storage occurring on remote servers in near-real-time, and the chip card acting mainly as a secure token for accessing the online applications.
This model underpins an exciting new breed of "entitlement applications". Many types of payment are associated with some form of cardholder entitlement, such as social benefits and discounts, age-related concessions (or prohibitions), health treatment, government services, membership, or physical access. By securely loading a branded EMV chip card with appropriate entitlement indicators, the cardholder can be identified, entitlements authenticated, and the associated payment recalculated and processed in one single, streamlined transaction. This type of application requires not just special programming of terminals, but also partnerships between the institutions from different sectors, and for this reason will take time to become widespread, but the potential is huge.
Entitlement schemes exist all over the world. Smartcard solutions are indeed quite widely deployed and known variously as "community", "city", or "campus" cards, but these tend to be local, proprietary solutions and suffer from the usual problems of lack of interoperability and the need for specialised terminals. There is a big opportunity for innovative banks to add value in these situations by leveraging their EMV infrastructures. An excellent example of how this can work is provided by one major European bank, which has issued an astonishing 3.7 million campus cards to 185 universities in 11 countries. Today, these cards are multi-application EMV cards supporting a wide range of student ID and other entitlement applications, but also, crucially, standard branded debit card payments.
A key message of the RBR report is that banks wishing to catch the next wave of EMV applications need to treat chip as a strategic, whole-bank issue, understood by senior management and deployed with vision and commitment across all divisions and functions.
This article is reprinted from Banking Automation Bulletin
Nick Collin is an independent management consultant and director of Collin Consulting Ltd. He has many years experience of developing and deploying added value EMV chip applications for banks and payment schemes.
To find out more on the RBR study "EMV Chip Applications: Catching the Next Wave" please visit: www.rbrlondon.com/emvchip
Related articles in this issue:
Related article in previous issue:
Other articles in this issue
19.07.10 Update EPC Plenary Meetings - Main decisions taken in June 2010 By Gerard Hartsink 19.07.10 SEPA Scheme Rulebooks: next Release - Public consultation ends in August 2010 By Javier Santamaría 19.07.10 EPC Card Fraud Prevention Forum - Agreement on new measures to fight card fraud By Cédric Sarazin 19.07.10 Standardisation is Key - Focus on security requirements and a European certification framework By Claude Brun 19.07.10 New and Improved - EPC publishes updated guidelines on the use of audit trails in security systems By Björn Flismark 19.07.10 PSD: taking Action - Commission determined to ensure transposition and PSD Expert Group offers further guidance By Ruth Wandhöfer 19.07.10 SEPA in the Context of the Financial Crisis - Retail payments business proves to be resilient By Wiebe Ruttenberg and Monika Hempel 19.07.10 Gaining Momentum - A progress report on e-Invoicing By Charles Bryant 19.07.10 Facing the Facts in July 2010 - The EPC Newsletter tracks the progress of SEPA implementation By Herman Segers 19.07.10 Missed Opportunity - European Commission recommendation on scope and effects of euro cash as legal tender By Leonor Machado 19.07.10 Continued Commitment to high Quality - EU Regulation on authentication of euro coins and handling of euro coins unfit for circulation By Leonor Machado 19.07.10 Why change? Why me? Why now? - The political mismanagement of the SEPA process reinforces resistance to change By Javier Santamaría 19.07.10 On Payments and Light Bulbs - Commission ready to write off SEPA via EU legislation? By Gerard Hartsink 19.07.10 Promoting the SEPA Vision - European Commission and ECB establish the SEPA Council By Gerard Hartsink
If you would like to comment on this article, please identify yourself with your first and last name. Please note that your name will appear next to your comment. Email addresses will not be published. Please note that by accessing or contributing to the discussion you agree to abide by the EPC Newsletter Terms and Conditions, so please read them carefully before doing so.