2/14/2014
09:06 AM
Lorna Garey

Why Alternate Payment Schemes Get No Love

Vendors promoting EMV, OTP, NFC, and other alphabetic credit card replacements completely miss the point.

Dear vendors working on ways to replace swipe-and-sign credit cards:

Consumers will never adopt a payment scheme en masse if it's less convenient than the current method. Why should they? Currently, retailers and card issuers assume the liability. I'm not on the hook for fraudulent charges. See a suspicious item that got past the card provider's fraud detection? Call the handy 800 number and have it removed. Worst-case scenario: I get issued a new card and have to invest 30 minutes to change standing accounts.

Look, it's not me. It's you. Retailers lose consumer data all the time, because PCI is still a joke, and card issuers continue to argue with retailers over who will pay for more secure point-of-sale systems. They're balking at reissuing cards with embedded chips in the US.

Why should I inconvenience myself to save their butts? Even if EMV-capable POS systems were widely installed by 2015 and issuers invested in changing over to chipped cards -- not at all a certainty -- that would do nothing for purchases where the physical card isn't present.

Not that we don't appreciate what you're trying to do. I recently saw a local TV news segment about the Boston startup Abine and its masked credit cards. For $5 a month, the company will issue me an electronic account that lets me generate one-time-use virtual cards every time I make a transaction online. Do you know how much I shop online? The company is also piloting physical OTP cards, like those from MtGox and others, that bear only a superficial resemblance to a standard credit card.

So let me get this straight: I can pay for the privilege of enduring glares as I hold up the line at the grocery store trying to explain the OTP concept to a bored 17-year-old clerk?

It's a nice thought. It really is. And a subset of privacy-aware consumers will adopt technologies like one-time-use or masked cards. They're the same people who use Bitcoins. Good luck going mainstream.

A more promising avenue is paying with your phone using an NFC wallet. Financial data, including credit and debit card numbers or prepaid balances, are stored on your SIM card or in the cloud. You just touch the phone on an NFC-enabled POS terminal and enter a passcode. This approach has potential, but there's no interoperability standard. Square competes with Google Wallet, which competes with Apple Passport. MasterCard competes with Visa, except where it doesn't. Individual retail chains such as Starbucks have their own iterations.

Oh, and most NFC systems reuse current retailer networks and POS equipment. Explain again how that's any more secure than a credit card, given the sad state of the regs that are supposed to protect us now?

PCI turned 10 this year. Verizon's 2014 PCI Compliance Report says use is up. Unfortunately, so is the cost of card fraud -- the Nilson Report says businesses lost $11.27 billion from it in 2012, or 14.6% more than the year before. But before you break out the tiny violins, only the largest merchants undergo formal PCI audits. Most businesses conduct self-assessments. In 2013, Verizon reports, only 11.1% of organizations were fully compliant with the PCI standard at the time of their annual baseline assessments, up from 7.5% in 2012. Only about 64% met even the most basic requirement: a firewall to protect cardholder data. A firewall. Think about that.

No wonder startups see opportunity. But beyond the I-have-an-opinion-on-Bitcoin demographic, this particular risk/reward ratio just isn't going to overcome the power of inertia.

"Even those who have been hit with hard-core identity theft won't buy in," Michael A. Davis, CTO of the endpoint security firm CounterTack, told us. "People are desensitized to fraud and ID theft. It's just part of life, especially when financial services companies absorb all the impact of the theft."

Of course, those costs eventually get passed along to consumers, but that passalong is opaque. Until there's a payment method that's as easy to use as today's swipe-and-sign cards and is as universally accepted, both online and in stores, most consumers will sit tight. Don't take it personally.

Lorna Garey is content director of InformationWeek digital media.

Comments
dandrick601,
User Rank: Strategist
2/20/2014 | 2:02:09 PM
Remember the customer
Great comments all on the pros/cons. I had this exact conversation with a large bank IT exec last week. And being a former bank fraud manager I know that you can't eliminate fraud, only minimize it. EMV is a start, but we both agreed that tokenization schemes that work for POS and card-not-present will be required. The question is will they be "easy" AND "cost effective"?

The reason I liked the original article is because of the "spot on" view that customer mass adoption will require something easy.  That's why it hasn't changed yet - easy hasn't trumped the cost.  Ultimately, consumers pay the price for fraud - banks and merchants pass that "cost" along as part of doing business.  Customers don't really see that cost though.

 
WKash,
User Rank: Author
2/18/2014 | 12:25:51 PM
Re: Chip and PIN will win
Lorna, you're probably right about AMEX, VISA, Mastercard and other card providers. Pay Pal is probably looking pretty attractive right now to the electronic wallet crowd. One question though is whether they would guarantee to cover (absorb) fraudulent purchases, the way the credit card companies now do (and promote).

 
hhendrickson274,
User Rank: Apprentice
2/17/2014 | 5:08:18 PM
Re: Chip and PIN will win
Chip and PIN has been proved to not be as secure as many believe it to be.  The current specification allows for modes of operation that allow the easy use of skimmer devices inserted into the IC card slot that are nearly impossible to detect unless you take the device apart.

http://krebsonsecurity.com/2012/09/researchers-chip-and-pin-enables-chip-and-skim/
Lorna Garey,
User Rank: Author
2/14/2014 | 6:10:03 PM
Re: Chip and PIN will win
Wyatt, AmEx, MasterCard and Visa have to be living in fear that EBay/Paypal, Google and Apple will decide to stop infighting and band together to come up with a simple, secure and widely accepted standard way to implement a mobile wallet. All that's keeping the status quo is fragmentation.

Kurt Marko pointed me to news that Icahn is pushing EBay to spin Paypal out. Interesting times.
Lorna Garey,
User Rank: Author
2/14/2014 | 6:06:23 PM
Re: Chip and PIN will win
I didn't say (or mean to imply) that EMV cards are less convenient. I have one, and it's no different from using any card. The cards I am discussing are these:

http://www.coindesk.com/bitcoin-exchange-mt-gox-adds-extra-security-one-time-password-card/

Not sure where you shop, but I promise you, an OTP card is jamming up the line at my local market.
WKash,
User Rank: Author
2/14/2014 | 6:03:49 PM
Re: Chip and PIN will win
I have to agree. What the Target breach taught us is that the vulnerabilities are in the architecture that carries the data, not the cards or EMVs.   

That said, cards that require PINs would have saved American Express $1800 last week, after someone made off with my AMEX card and went on a retail buying spree, merrily swiping my card at a dozen stores. If I hadn't alerted AMEX the card was missing, he/she might have rung up another $1800 or more in charges. A PIN would have prevented that. But I'm a happy AMEX customer. They wiped the charges off my account and sent me a new card.

One suspects it's cheaper for them to write off the losses than to get behind a national campaign for smarter card systems that retailers, already unhappy with the percentage card issuers collect, are unlikely to pay.

 
bwalker970,
User Rank: Strategist
2/14/2014 | 5:55:41 PM
Re: Chip and PIN will win
Two fallacies of your argument are that convenience always trumps security and chip and PIN only offers "incremental" improvements over magnetic strips. The latter assumption is disproven by the relative black market values of PCI-based and EMV-based credit cards on the black market. A simple credit card with just a magnetic strip is nothing more than a series of numbers. Capture the numbers and you have everything you need to clone the card and make transactions against the account. The chip on an EMV card generates a unique token for each transaction which prevents replay of the transaction for other purchases. That makes EMV cards much harder to clone.

Your other assumption is that EMV cards are less convenient. A transaction with an EMV card is different but it is no less convenient than signing a receipt but certainly less convenient than making a small purchase at a retailer that does not actually care if you are authorized to make a purchase with the card. If you are concerned about making purchases with a debit card, have you considered the risks of withdrawing cash from an ATM machine? Chip and PIN also makes ATM machines resistant to card skimming without any additional inconvenience for users.

A system is only as strong as its weakest link. Fixing the lack of security on the front end does not preclude fixing the infrastructure problems on the back-end. There are lots of excuses but few actual doubts about the need to replace the antiquated card payment system in the U.S. The money will be spent. The only real questions are who will pay for it and when.
Lorna Garey,
User Rank: Author
2/14/2014 | 2:17:28 PM
Re: Chip and PIN will win
bwalker, I was talking about new electronic cards like the one I saw on the news segment. There's no way in a zillion years I would use a debit card linked to my bank account.

Absolutely we all pay for fraud - but at some point, does it make sense to spend a lot as an ecosystem on chip and pin POS systems when they supply only incrementally more security than what is in place now?
bwalker970,
User Rank: Strategist
2/14/2014 | 2:07:43 PM
Re: Chip and PIN will win
What glares in the grocery line? Many people pay for groceries with a debit card which, surprise, requires a PIN. So the complexity of a chip and PIN transaction is no more involved or inconvenient than a transaction involving the debit card purchase. It's actually more convenient than writing some semblance of your signature on a digital touch screen. Now there's security for you. Not only does the POS device capture all of the data necessary to clone your credit card, it also captures a copy of your signature and possibly the pen motions that you use to write that signature. In the end, the credit card issuers are not on the hook for any fraudulent activity because they simply pass on all of the expenses to consumers. So, all of us pay for the fraud because the credit card issuers and retailers are too lazy to replace an ancient and decrepit payment system that is in desperate need of replacement.

The argument for convenience is just a diversion.  The real argument is who is going to pay for the transition that everyone knows needs to occur.
jagibbons,
User Rank: Ninja
2/14/2014 | 12:46:15 PM
Re: cash is king
As Chris states, as long as the risk lies with the retailer or the bank, there's little incentive to use cash. If your wallet with a credit card in it is stolen, you're inconvenienced while you call to cancel the card and wait for a replacement. If your wallet full of cash is stolen, you're flat out of luck.