2014, on balance, was a very good year for progress in securing electronic retail payment transactions. Most importantly, many of the key payments stakeholders seemed to coalesce around the general understanding that three basic tools (EMV chip cards, payment tokenization, and end-to-end encryption) were all essential to make real progress toward next-generation payments security. In October, bank customers with the iPhone 6 and 6 Plus were introduced to Apple Pay, a first-of-its-kind application that combined secure element, phone-based biometric customer payment authorization with payment tokens, keeping traditional 16-digit payment account numbers away from prying eyes. Also in October, President Obama announced that all federal government procurement and DirectExpress benefit cards ((Direct Express cards are used to distribute social security, SSI, veteran’s, and other benefits. Three banks will participate in the government’s “Smart Pay” program: Citibank, J P Morgan Chase and Co., and U.S. Bank)) would be migrating to full chip and PIN functionality, a process that will begin this month. And, importantly, some of the largest issuers announced their intention to issue (and some did issue) chip and PIN capable cards to their retail customers in the United States, hinting that another milestone might be passed.
Although it’s only January, we’ve already been reminded that progress toward optimizing the security of our payments environment is not always linear. Earlier in the month, J P Morgan Chase and Co confirmed that, despite a CEO-level announcement to the contrary in February 2014, it has elected not to issue chip and PIN credit cards to its retail customers, instead opting to continue the pure chip and signature approach the bank has followed for several years. That decision moves the bank away from a place where it could influence the direction of other issuers toward an outcome that would better protect payment security for cardholders. Virtually all of the large issuers in the United States have backed the chip and signature approach to cardholder verification.
Not all chip and signature cards are created equal, however, and it’s important to note that not every U.S. bank-issued chip and signature credit card is completely devoid of PIN authentication capability at the point of sale. Most Wells Fargo EMV-equipped credit cards, for example, have online PIN POS capability, where the PIN is returned to the issuer for verification in real time. With online PIN, bank customers in certain circumstances will be able to complete a transaction using a PIN when a terminal asks for it. As Wells Fargo says:
“For most transactions you’ll finish with a signature, just like you do today, but you may sometimes need your PIN, especially outside the US” ((See Wells web site, https://www.wellsfargo.com/credit-cards/features/chip-card/chip-cards-demo))
Online PIN functionality will help with some, but not all, transactions in Europe and elsewhere where unattended terminals and poorly informed check-out clerks effectively demand chip and PIN capability. That’s because in many parts of the world POS terminals do not communicate with issuer hosts in real time. Instead, offline POS terminals store transactions for a designated period of time and then, in batch mode, forward them for processing. In parts of the world where land line telephone access was historically expensive, online POS terminals were the exception, not the rule. To enable cardholder
U.S. issuers can enable online chip and PIN capability with far less effort than what would be required for offline PIN (they do so for debit cards today), and online PIN is logistically easier and less expensive to maintain over time. The United States has an overwhelmingly online POS environment. And many large merchants are forcefully on record as favoring a chip and PIN EMV implementation. Those merchants recognize that PIN-based chip transactions significantly reduce both lost and stolen and Never Received Issue (NRI) related fraud losses.
For more than 35 years, Santa Fe Group Senior Advisor, Gary Roboff, contributed his outstanding talents to the financial services industry, and in particular to financial services payments systems. Gary has focused on such issues as privacy and information utilization, business frameworks, changes in the payments and settlement systems, and standards for emerging e-commerce applications. He has chaired the Electronic Funds Transfer Association (EFTA) Board of Directors and was a founder of the International Security Trust and Privacy Alliance (ISTPA), serving as Vice Chair of its Board.