Success in reducing card fraud
The main objective of chip and PIN migration is reduced card fraud, and this has been successfully achieved in countries such as the UK and France where levels of domestic, face-to-face fraud have indeed dropped dramatically. Levels of "fraud abroad" involving non-chipped cards or terminals are still high, but this will improve as more and more countries migrate. The report predicts that even the USA, hitherto resistant to EMV technology, will eventually be unable to resist the momentum of global migration.
EMV technology has not yet been widely applied to card-not-present (CNP) transactions via the internet and telephone, and as a result, levels of CNP fraud are increasing fast - now accounting for over 50% of card fraud in the UK, for example. This is about to change. An EMV application which is increasingly well established in Europe for secure online banking is remote chip authentication (RCA), in which a cardholder enters the PIN into a simple card reader to generate a one-time password (OTP) which is then used to authenticate the transaction. More than 30 million RCA readers have been deployed across Europe by major banks. The natural next step is to combine RCA with an authentication framework such as the 3D Secure protocol, increasingly familiar to online shoppers in the form of MasterCard SecureCode and Verified by Visa. Treating the OTP as a 3D Secure password enables strong, two-factor authentication of CNP payments, and this is expected to be a critical factor as the card payments industry struggles to maintain dominance in the burgeoning e-commerce payments market against non-card alternatives such as PayPal.
Gaining traction for new applications
The manner and timing in which infrastructure-based applications develop is complex and difficult to predict, typically following a pattern of first industry hype then disillusionment before real progress is established. The RBR report explores a number of models to help banks understand likely developments and plan ahead with more confidence.
Contactless payment is an interesting case in point. The same chip which supports EMV payments also supports contactless "Tap & Go" operation using either a plastic card or an NFC-enabled mobile phone. This development has been enthusiastically embraced by the card payments industry as a key initiative to induce a shift from cash payments to electronic payments. Contactless smartcards are indeed well established in niche markets, including mass transit systems such as London's Oyster Card, and there are excellent opportunities for banks to deploy branded contactless EMV payment cards in these environments. But although the current industry hype is that such deployment will spread rapidly to a much more general class of low value, high volume outlets, displacing cash, this may be constrained by "chicken and egg" issues. No matter how many contactless cards are issued, until there is a critical mass infrastructure of contactless readers in place, the volume of new contactless payment transactions will remain tiny.
Conversely, embedded within the contactless payment proposition is another EMV application known as pre-authorised payment - effectively a new form of e-purse - which may in time come to be seen as an example of premature industry disillusionment. The chip-based e-purse concept has been around for a long time in some markets, but success has been elusive. Although several schemes have gained some traction in their local markets, volumes have remained disappointingly low, and cross-border deployment has been minimal. The reason is that they are based on proprietary e-purse solutions and require special terminals, so there is a lack of interoperability between schemes, and a patchy acceptance infrastructure.
The EMV pre-authorised payment solution, in contrast, can be used at any EMV terminal, anywhere in the world. Moreover, since it uses the superior risk management capabilities of the EMV chip to control spending and reloading of pre-paid funds, it is a very safe payment product which can be issued to anyone and be used securely in predominantly offline acceptance environments such as contactless payments. Despite a few pilot deployments, pre-authorised payment has not yet been a success in its stand-alone, contact form. However, this may be because the regions where it has most potential - the huge unbanked or underbanked markets in the developing world - are precisely those regions where EMV migration has yet to gain momentum. This may be one to watch in the longer term.
Another EMV application with great potential is the multi-payment card. Such cards are loaded with more than one standard payment application - typically debit and credit - and the terminal prompts the user to choose which method of payment to use. This is a very simple, but potentially very powerful example of how banks can leverage EMV chips to improve customer recruitment and retention, card activation and usage. Surprisingly, banks have only recently started issuing multi-payment cards, but the results have been impressive, in countries ranging from Finland to France. This may be because it was not widely understood that acceptance of multi-payment cards is a standard feature of all EMV EFTPOS terminals. The manner in which different terminals prompt choice of payment method is still somewhat variable, and this may be a challenge in terms of cardholder and merchant education. Nevertheless, as more experience is gained, the prediction is that this application will enjoy rapid and widespread deployment in the near term.
High potential for use with other technologies
The EMV chip story is further complicated by the development, in parallel, of other technologies. In the early days of chip development, it was expected that the data storage capacity of chip cards would be widely exploited for offline applications. Such applications have indeed been developed; mass transit ticketing and payment applications must almost always be offline, and offline chip-based loyalty applications have enjoyed considerable success, in Greece for example. But in recent years there has been a revolution in telecommunications technology with the result that online processing is now almost as fast, reliable and cost-effective as offline processing. In the future we are likely to see increasing deployment of hybrid EMV solutions, with most processing and data storage occurring on remote servers in near-real-time, and the chip card acting mainly as a secure token for accessing the online applications.
This model underpins an exciting new breed of "entitlement applications". Many types of payment are associated with some form of cardholder entitlement, such as social benefits and discounts, age-related concessions (or prohibitions), health treatment, government services, membership, or physical access. By securely loading a branded EMV chip card with appropriate entitlement indicators, the cardholder can be identified, entitlements authenticated, and the associated payment recalculated and processed in one single, streamlined transaction. This type of application requires not just special programming of terminals, but also partnerships between institutions from different sectors, and for this reason will take time to become widespread, but the potential is huge.
Entitlement schemes exist all over the world. Smartcard solutions are indeed quite widely deployed and known variously as "community", "city", or "campus" cards, but these tend to be local, proprietary solutions and suffer from the usual problems of lack of interoperability and the need for specialised terminals. There is a big opportunity for innovative banks to add value in these situations by leveraging their EMV infrastructures. An excellent example of how this can work is provided by one major European bank, which has issued an astonishing 3.7 million campus cards to 185 universities in 11 countries. Today, these cards are multi-application EMV cards supporting a wide range of student ID and other entitlement applications, but also, crucially, standard branded debit card payments.
A key message of the RBR report is that banks wishing to catch the next wave of EMV applications need to treat chip as a strategic, whole-bank issue, understood by senior management and deployed with vision and commitment across all divisions and functions.
This article is reprinted from Banking Automation Bulletin
Nick Collin is an independent management consultant and director of Collin Consulting Ltd. He has many years' experience of developing and deploying added-value EMV chip applications for banks and payment schemes.
To find out more on the RBR study "EMV Chip Applications: Catching the Next Wave" please visit: www.rbrlondon.com/emvchip