Smart Card Talk : April 2009 : Executive Director’s Letter

Executive Director’s Letter

Dear members and friends of the Alliance,

On several occasions in past newsletters, I have raised the issue about the need and timing for the U.S. payments industry to move to chip and PIN technology. I’ve discussed my feelings on the subject from the perspective of rising fraud rates in the U.S. and the costs of such a move to industry stakeholders. I have even made the point that perhaps there is another way to improve payment security without adopting full EMV contact chip technology, which requires end-to-end reworking of the bank cards, the merchant acceptance terminals, and the back-end processing systems. Today, I have nothing fundamentally different to propose, except to raise the basic question of timing for this eventual shift from today’s legacy magnetic stripe infrastructure to the next great thing, whatever it is. If not now – then when?

I had the great fortune to attend a banking security conference recently where I heard almost unanimous agreement that the security model for payments in the U.S. is broken. Some suggest that that it will take external forces other than market economics to fix the problem. I heard from federal law enforcement who said they were virtually helpless to investigate and prosecute offshore criminal gangs who traffic in stolen bank card data. I heard from bank privacy and security officers who complained that even when they caught criminals in the act of payment fraud, they were helpless to put them out of business. Banks have found that fraudsters have perfected their social engineering skills and use of personal private information to circumvent helpdesk safeguards and get accounts changed and cards reissued fraudulently. These repeated attacks may necessitate voice recognition software as the only defense. I also heard about some scary tactics from banking regulators who can investigate gaps in security protocols and compliance regulations – even by third party contractors and software providers – and slap devastating fines and penalties on organizations to try to make examples of them and “encourage” other private sector organizations to self-comply with ever changing and conflicting security regulations. All of this is throwing more technology and more costs at the problem and masks the fundamental weakness of the industry: we have no way to prove identity and no way to safeguard how that identity is associated with the individual’s privileges, like getting credit from a bank to buy merchandise in retail stores or over the Internet.

So I say, pick a date. It really doesn’t matter if it is 2015, 2020, or later. Make a decision that there is an endpoint to shoot for, and work out a plan than spreads the pain across everyone, including the cardholders who want to have their cake (their freedom to buy anywhere, anytime) and eat it too (not to be responsible for the fraud it allows). There is a natural lifecycle for every part of the payments infrastructure – the cards that expire every 3-5 years, the software that drives POS systems in retail stores, the POS terminals that accept payment at check out, and the networks that process and store the data. By setting a sunset date on all of these technologies and systems, the industry can synchronize the development cycles so that all of the parts come together at the same time. If any parts don’t meet a new standard, be that a chip and PIN standard, contactless EMV, or something yet to be defined, then there is a penalty, either fines or exclusion from the market. This approach would stop the needless investment in interim technologies or dead-end solutions that won’t integrate into the global payments infrastructure. Ultimately we would have one, uniform global payments system that would drive fraud from the most vulnerable in the system, the individual cardholders and small retailers, to the larger retailers, ATM networks, and financial institutions who are the best equipped to handle the fraud and stamp it out.

Next week (May 4–7), the Americas smart card industry will gather at CTST 2009 – Smart Card Alliance Annual Conference in New Orleans. Our speakers are preparing their talks, our exhibitors are preparing their demos, and the industry leaders registered to attend are stocking up on their business cards, hoping to network together to learn about and discuss the dynamic changes happening in the payments, healthcare, government identity, security, mobile, and emerging smart card technology markets. If you haven’t registered yet, there is still time. Click on the link above and check out the 4 days of workshops, industry track sessions, keynotes, networking receptions, exhibit hall sessions, and birds-of-a-feather discussion groups. This is the only event that brings everyone and everything involving smart cards and digital transactions together in one event – you must be there!