Sunday, March 22, 2015

EMV in the United States: The Story So Far

A friend of my parents with his own business was asking them about chip cards and contactless. Since I've babbled on about it with them before (mostly as a result of my following the very long, ongoing US EMV Card thread on FlyerTalk), they ask if I could explain the difference. I realized I was writing quite a lot and figured I might as well post it on my blog.

The magnetic stripe credit cards we use today aren't very secure. The magnetic stripe doesn't change, so what criminals do is is get a device that copies the information off the magnetic stripe, and then writes that information onto another card. This process is called cloning. The name printed on the cloned card likely matches the criminal's ID (which is itself likely a fake ID), so that if a merchant asks for ID, the name printed on the card will match the name printed on the ID, and the photo on the ID will be a photo of the criminal himself, so everything will look good to the cashier (assuming they don't look too closely at the cardholder name printed on the receipt, which would come from the magnetic stripe data copied from the original card).

For one example of a credit card cloning setup, see these pictures of a fake New York City taxi, and note in the last one two credit card swipe machines, one real one to process the fare, and another one to read the magnetic stripe data off the card and store it to clone later.

Another easy way would be to target a waiter in a restaurant, since they often take credit cards away from the customer's table and swipe them somewhere out of customers' view, which would make it easy for them to swipe it through a second reader to clone the data. I'll come back to this later and show how Chip and PIN can lead to a solution to this problem.

The problem with the magnetic stripe is that it never changes. Every time you swipe the card, the same information gets transmitted to the card issuing bank. And they don't even have to get the physical card. In several of the credit card breaches in the past few years including Target and Home Depot, card information was stolen right out of the merchant's point of sale computer systems.

So, the fix is to come up with a way to have some of the information on the credit card change each time you use it. Fortunately, there is, and it's called a smart card. All a smart card is is a plastic, credit card sized card with a small embedded computer, and an exposed metal pad that allows the card to make contact with a reader of some sort. Some people have smart cards issued by their employer that they used to log into their computers (including the US Government's CAC and PIV cards). I've also seen laundry machines that used smart cards instead of taking coins. A special credit card machine was used to load money onto the card from a credit or debit card. And now credit cards that are actually smart cards exist.

Actually, they're nothing new. The first smart card payment card was a Carte Blanche card deployed in France in 1986. In the 1990s, Europay, MasterCard, and Visa collaborated to develop a standard, first released in 1995, called EMV (which stands for Europay, MasterCard, Visa). Today, EMV is the standard for payment cards worldwide, and in addition to MasterCard (which absorbed Europay) and Visa, the organization that oversees the standard now includes American Express, Discover, Japan's JCB, and China UnionPay.

What an EMV credit card does, in addition to storing the card number and other information we're used to, is generate a unique code per transaction called a cryptogram. The cryptogram is what's called a digital signature that verifies the transaction details. Change any of the details about the transaction, and the cryptogram won't match. Since the private key used to generate the cryptogram can't be removed from the card, this proves that the correct original card was used. It also means that if account information is taken from a merchant's computers, it's not useful since they can't change any of the transaction details without invalidating the cryptogram.

But, there's a catch. EMV cards still have magnetic stripes, because not every merchant has EMV-capable credit card terminals. And right now, what is the one huge market, with a high rate of credit card use, that doesn't have EMV?

The United States of America.

EMV is standard across Europe. Across Asia. Across Latin America. Canada has it. Mexico has it. But the United States is behind. Why?

For one thing, ever since we moved from imprinting the embossed numbers on carbon paper to the magnetic stripe in the first place, transactions are authorized in real time. Over time, banks have implemented more complex fraud detection algorithms, so they have other ways of detecting suspected fraud. In other countries, the cost of having a payment terminal make a telephone call to the bank every time a card was swiped was prohibitive, so other ways of attempting to see if the transaction was legitimate or not were needed. Thus, the use of a PIN, a number the cardholder could enter into a payment terminal, and could be authenticated by the card itself, rather than the bank. Then, at the end of the business day (or whatever time was convenient), only one phone call was needed to transmit all of the day's credit card transactions to the bank.

Combine that with just how big and profitable, the US credit card industry is. We have so many people running so many credit and debit card transactions every day, that even with the fairly small cut that the credit card issuers and payment networks (Visa, MasterCard, etc) take, the amount of money they lost due to fraudulent transactions was actually rather small. In 2010, losses due to credit card fraud were reported as 4.46 cents for every $100 in credit and debit card transactions worldwide. So it wasn't worth the effort and expense to migrate the US to EMV, even as fraud in the US increased as it decreased elsewhere. Thieves abroad were able to steal and sell credit card details that, while they couldn't be used in their home country, could be used in the US.

There also wasn't a big consumer demand for more secure credit cards. Federal law limits cardholder liability for fraudulent transactions to $50, and competitive pressures resulted in virtually all issuers now offering $0 cardholder liability on their cards.

So what happened?

Target got hacked. It wasn't the first credit card data breach that happened, but it got a lot of publicity because so many people were affected. And after that, the breaches just kept on coming. Albertson's. Staples. PF Chang's. Kmart. Jimmy John's. Neiman Marcus. Michael's. The UPS Store. Diary Queen. Goodwill. JP Morgan Chase. And let's not forget Home Depot, the biggest of them all with 56 million credit and debit cards compromised, compared to 40 million at Target. But starting with the Target breach and coming yet again every time another breach was reported, people started asking if there was something better that could be done. Could we make our credit cards more secure?

The answer was staring us in the face. From across the Atlantic, the Pacific, and across our northern and southern borders. Every American who had to stand in line to buy a train ticket in Paris because the kiosk wouldn't accept their credit card, who had to pay cash for a train ticket in The Netherlands because they only take Chip and PIN credit cards, who had to make sure they got gas for their rental car at an attended gas stations in Europe because the pay at the pump machines only took chip cards, who had to wait for a European cashier to find a pen so they could sign the receipt, who had to argue with a merchant that barely spoke English that Visa required them to accept their chipless credit card knew the answer.

EMV.

EMV wasn't completely unheard of in the United States. The United Nations Federal Credit Union (whom, as you might suspect from the name, has a fair number of members who travel overseas) was the first US financial institution to issue an EMV credit card, in 2010. The four big payment networks (Visa, MasterCard, American Express, and Discover), had set a date of October 2015 for a liability shift (I'll get to that in a bit). Some people probably thought the date would be pushed back. But after the Target breach and the "can we make this more secure?" questions seriously started to be asked, that date started looking a lot more firm.

So what is this liability shift? It has to do with who is liable for fraudulent credit card transactions. Normally, the issuer of the credit card holds that liability. The liability shift incentivizes a migration to EMV by shifting liability to the weakest link in the chain. Really, only one thing changes, but it's the key: If an EMV card is used in a magnetic stripe terminal, the merchant assumes liability for any fraudulent transactions. Thus, the card issuer is incentivized to replace their magnetic stripe only cards with EMV cards, in order to avail themselves of the opportunity to shift some liability away from themselves. Meanwhile, the merchant is incentivized to replace their magnetic stripe only credit card terminals with ones that can use EMV, so that they can shift that liability away from themselves and right back to the issuing bank. And since fraud goes down since there's one less way to do it, the bank still wins because they lose less to credit card fraud.

So in 2014, EMV migration started seriously happening in the US. The major card issuers, and some of the smaller ones, started migrating their credit card products to EMV. Issuers with a presence in other countries (like American Express, Capital One, and Citibank) had been issuing EMV cards in those countries for years, but by 2014 started offering EMV in the US as well. At one extreme, American Express now claims that all of its card products are now offered with EMV, including cards that they no longer take new applications for, like Zync. At the other extreme are banks like Capital One, which was late to start and currently offer it only on the Venture and VentureOne cards (but have been offering EMV cards in Canada for years). But its happening, with more and more cards being converted. One of the most recent is Chase's United MileagePlus Club and Explorer cards, which have only started being offered so recently that they don't show up with chips on Chase's web site yet (but I've seen pictures of actual cards, so I know they exist) and not all phone reps will know about it if people call to ask to get a chipped version.

But issuing EMV cards isn't enough. Merchants have to take them, and not continue to rely on the magnetic stripe. The magnetic stripe on an EMV card still has unchanging data and still can be cloned. And if a merchant is processing transactions with magnetic stripes, the situation hasn't improved. The banks will have spent a bunch of money to send out new cards (which are themselves more expensive; it should seem obvious that a piece of plastic with a tiny computer embedded in it would cost more than one without) but fraud won't go down. Thus, the liability shift to get merchants to upgrade terminals on their end, and to do it now rather than waiting for their current terminals to wear out and be replaced in a few years.

But what prevents an EMV card (whether authentic or one whose magnetic stripe has been cloned) from being used with a magnetic stripe terminal anyway, since nearly all EMV-capable terminals (basically, anything that's not an unattended kiosk in a country that made the migration to EMV years ago) have magnetic stripe readers too? The EMV specification accounts for that. Included on the magnetic stripe is something called the Service Code, and included in that is an indicator that the card has an EMV chip. A non-EMV terminal wouldn't recognize that and just ignore it and process the transaction normally, but an EMV-capable terminal would see the Service Code indication that it's an EMV card, stop the transaction, and prompt the user to insert the card into the chip reader. If the customer is presenting a card that doesn't have a chip, but the terminal is prompting them to insert the card into the chip reader, the merchant can be pretty confident that their customer is a criminal attempting to use a cloned credit card.

So in order for everyone to see the benefits of reducing credit card fraud, we need to see lots of merchants upgrade their terminals. When the majority of merchants have EMV terminals, and the majority of cards are EMV, criminals will have a hard time using cloned credit cards since not many places will accept them, and swiping in general will become the exception rather than the norm.

Where else have we seen this type of scenario? Vaccine herd immunity.

So, that's great. Fraud will go down, credit cards will be easier to use overseas again, everyone will be happy. End of story, right?

Nope.

There's a couple problems. The first I think will resolve itself soon enough. Lots of stores, especially big chain stores, have EMV capable terminals. But they haven't turned them on yet and still force you to swipe. The one big exception is Walmart (including Sam's Club), which has enabled EMV. I think the problem is that the big chain stores have complex custom point of sale systems that need to be modified to support EMV, compared to smaller merchants whose credit card terminals aren't connected to anything but a phone line or an Internet connection. So for them, migration is just getting a new terminal and asking their acquirer to enable EMV on their account. The larger merchants will get there, and many of them have said they're working on it. I think a problem is some peculiarities introduced by US debit cards to allow the transaction to route over either the credit or debit networks, but I have no reason to believe that won't get sorted out soon.

The second problem is more complicated.

The media is lying to you.

You've probably seen or heard stories about how US banks are now issuing "Chip and PIN" cards, and how you use the card will soon change. But like so many things, the devil is in the details, and the mainstream media gets it wrong.

EMV defines at least two ways for a credit card holder to prove who they are, signature or a PIN (and there are a few variations on how the PIN is handled, but that's more detail than I need to get into here). These are called Cardholder Verification Methods, or CVMs. And you've likely used both of these methods with non-EMV cards. If you've ever used your debit (as opposed to credit) card at a store, you were probably asked "credit or debit?" The labels are badly chosen, and either way the money comes right out of your bank account, but the difference is that if you choose "credit", your transaction is processed over Visa or MasterCard's credit card network and processed like a credit card, where you sign a receipt for the purchase. Or you can choose "debit", where the transaction is processed over an interbank network like STAR, Pulse, Cirrus, or NYCE, you enter the PIN number you'd use to withdraw cash from an ATM with the same card, and you don't have to sign. Oh and as an interesting side note, prior to migrating to EMV, Australian banks issued swipe and PIN credit cards.

So the EMV standard supports both. The banks that issue EMV credit cards decide which CVMs they want to support, and program that information into the chip. Credit card terminal manufacturers do as well. Typically, a manned terminal will support both, since it has a number pad (needed to allow the cashier to enter the payment amount) and thus can accomodate PIN entry, as well as a printer to print the receipt, which allows the merchant to print a second copy of the receipt and collect a signature. A convenient setup is to have an external PIN pad placed on the customer side of the counter, to allow them to enter their PIN without the merchant having to hand over the full payment terminal. These PIN pads can have built in card readers as well, allowing the customer to insert or swipe their own card rather than having to hand it to the cashier. They might also have the necessary hardware to support contactless payments (I'll get to those eventually) too. Make them a little fancier and you have the terminals you've been using for years at big chain stores where you sign or enter the PIN on a digital pad using an electronic pen. Look carefully at the bottom, and you might see a card slot, but unless you're at Walmart or Sam's Club, it probably won't work. At some places, like Target, it might even be covered up.

But, we have a problem. Not all terminals support both. In particular, those pesky European train ticket kiosks and pay at the pump gas stations. Since those countries tend to be primarily Chip and PIN, they assume that the cards will support PIN as well.

And this is where the big lie comes in.

You probably aren't getting a Chip and PIN card. You're probably getting a Chip and Signature card.

So what's the difference?

Remember how I said the issuer decides what CVMs they support, and programs that information into the card. Well, the way that typically works is that the terminal reads the list from the card and chooses the first one that works for it. So the convention is that the highest priority CVM for purchases (cash advances are always first, and are pretty much always PIN) defines whether the card is Chip and PIN or Chip and Signature. European and Canadian cards are normally Chip and PIN, since they put PIN above signature. But nearly all US cards are Chip and Signature. Not all hope is lost, since the US isn't the only country where Chip and Signature is normal; Singapore is another. And there are a few Chip and PIN cards being issued in the US.

But Chip and PIN or Chip and Signature really only refer to the highest priority option. I suspect that all PIN cards put Signature somewhere on their list. But not all Signature cards have support for PIN. Barclaycard US (I note US since they're a subsidiary of a British bank that would do this differently) is one of the best, since their cards, including Arrival+ and the HawaiianMiles cards, as their cards not only does it support PIN, but all the variations on how the PIN can be handled (USAA and SunTrust Bank also fall into this category), so they've got the best chance of acceptance worldwide. Next are banks like Wells Fargo, Citibank, and Bank of America (though BofA reps deny their cards support PIN for purchases, they actually do), which support some but not all PIN modes, so there's still a chance of not finding a matching CVM. Finally, there are issuers like American Express, Capital One, and Chase, which don't support PIN for purchases at all for their US-issued cards. MasterCard is a bigger advocate of PIN than Visa (which is heavily promoting Chip and Signature in the US), so there's a better chance that a MasterCard will support PIN of some sort.

But there is one thing that will help. Visa is pushing to ban PIN-only kiosks, but it's yet to be seen if they'll really be successful. What they're doing is trying to get the PIN-only kiosks to be modified to support another CVM I haven't mentioned yet called "No CVM". This is what it sounds like, where the card tells the terminal not to perform cardholder verification. This is also what happens when you use a kiosk in the US and you just swipe your card and don't sign anything (being asked for your zip code is really something else called address verification--online purchases do this too when they ask for your billing address separate from a shipping address--and is a source of as much annoyance to foreign visitors to the US as not having a PIN-capable card is to Americans overseas).

But even then we still have a problem, and that is merchants who are reluctant to accept signature transactions. They may be required to accept all valid cards (Chip and PIN, Chip and Signature, or magnetic stripe), and some bank customer service reps would outright tell their customers this when they would call to enquire about EMV cards (Capital One was notorious for this), but try explaining that merchant in rural Bulgaria who doesn't speak much English. And merchants are frequently selective about what rules they follow with respect to credit card acceptance. I still see merchants with signs that state an extra fee for credit card purchases; although they're no longer prohibited by Visa and MasterCard, they are still prohibited by state laws in California and some other states. And people have reported merchants in Australia not wanting to take Chip and Signature cards there, after that country converted to Chip and PIN last year, even though they're explicitly told that foreign issued cards may still be signature and those are still valid. The UK is an interesting case, since even though it's Chip and PIN, banks issue Chip and Signature cards to customers with certain disabilities, and thus refusal to accept a Chip and Signature card means the merchant risks running afoul of British laws prohibiting discrimination against disabled persons.

But none of that is a big deal if you're not much of an international traveller, since most cards issued in the US are Chip and Signature, and Chip and Signature is the least change from our current swipe and sign model. And some cards support PIN in one form or another, increasing the chances that the card will work abroad.

But what if you are a frequent enough international traveller that you want to avoid the hassle of being stuck with a Chip and Signature card in a Chip and PIN country. Or you feel, as I do, that a signature is pretty worthless as a form of cardholder verification (either the card itself is stolen, which has the signature written on the back for the thief to copy, or the card is cloned in which case they can make up whatever signature they want to put on the back of the card and on the receipt).

Fortunately, there are options out there. The United Nations Federal Credit Union card mentioned earlier as having the first US-issued EMV credit card is Chip and PIN. The Harvard Alumni card is also Chip and PIN, as is the Diner's Club card from BMO/Harris Bank, which unfortunately isn't currently accepting new applications. First Tech Federal Credit Union is preparing to switch from Visa to MasterCard, and it appears that the new MasterCards will be Chip and PIN. There's also a couple of wildcards: Walmart has stated a preference for Chip and PIN, and while the current Walmart and Sam's Club issued cards are Chip and Signature, they are supposed to start issuing Chip and PIN versions this year. Another wildcard is Target, which also claims to be coming out with a new Chip and PIN REDcard MasterCard, though as it hasn't been released yet, it remains to be seen whether this will truly be Chip and PIN or if the term is being used generically to refer to EMV chip cards.

However, it looks like Chip and PIN may itself have a few problems in the US. Some merchants might not acquire customer-facing PIN pads, which would make it difficult (though not impossible) to use a Chip and PIN card since the customer would have to get access to the payment terminal normally used by the cashier, likely by either handing the card across the counter to the customer, or the customer walking around behind the counter.

A bigger problem is restaurants. Currently, many restaurants use a model where the server takes the customer's card away from the table to process the payment somewhere else. With Chip and Signature cards, this works no differently than today since a receipt is printed and the customer signs it, no different than if it was swiped. But if the card is Chip and PIN, the card terminal is some distance away from the customer. With the current model, the customer would end up having to follow the server to the payment terminal to enter their PIN.

The other option would be for restaurants to change the way they work. One is to adopt a model where the customer pays a cashier near the restaurant's entrance. Some places do this, but they're typically more casual restaurants like Denny's, so many restaurants might not want to change to this model for fear of being seen as less service oriented or moving downscale.

However, there is another solution that's already available, and yet again we can look to Europe and Canada to see it in use. There, in many restaurants, when it comes time to pay, instead of the server taking the credit card away from the customer, the server has a portable wireless terminal where the chip card can be read (and non-chip cards can be swiped) right at the customer's table. The server hands the terminal to the customer to enter any tip (which has the bonus of eliminating tip fraud where the server changes the tip amount after the fact) and enter their PIN. For a Chip and Signature card, all that changes is instead of entering a PIN, they sign the receipt that gets printed on the terminal's built-in printer. So not only have we solved the PIN problem, we've eliminated tip fraud and removed the opportunity for a card's magnetic stripe to be cloned out of sight of the customer. It remains to be seen if American restaurants will adopt this technology though.

My current thinking is, for someone who doesn't travel internationally (or mainly to Chip and Signature countries like Singapore), any card issued today in the US is fine. But if they do travel to Chip and PIN countries, or prefer the added security of a Chip and PIN card, they might want to investigate a Chip and PIN card to have in addition to a Chip and Signature card; at this point I'd hesitate to have only a Chip and PIN card in the US until we see how restaurants are going to handle them.

So, one question that people might ask is, since the US is so late in making the transition to EMV, why not skip EMV chip cards entirely and go straight to mobile payments?

A good question. The simple answer is that, while it may seem like everyone has a smart phone, that's not really true, lots of older ones and even some still on the market (such as the iPhone 5S) don't have the necessary hardware to support contactless payments, and even a dumb phone is expensive to produce compared to a chipped credit card. Plus, phones have batteries that can run out.

But contactless doesn't have to mean just phones, though it seems like mobile payments (and Apple Pay in particular) is the driving force to get people in the US interested in contactless payments. In many other countries, it's common for credit cards to have the contactless capabilities built right into the card itself, so that people can just tap their cards, rather than inserting the card into the chip reader. The technology is available in the US, but despite advertising, never became terribly popular and so it's much less common for US-issued cards to have them. But they are out there, and with interest in Apple Pay, cards with built in contactless as well as other mobile phone payment systems like Google Wallet will also become more accepted as merchants enable support for Apple Pay.

Which is because, as it turns out, Apple Pay is EMV! Specifically, it uses the same protocols as defined in the EMV specification for contactless cards to communicate with the the terminal. It also supports another form that is only used in the US where the data sent is similar to the magnetic stripe data. All this is transparent to the user, though. It's why Apple Pay works in countries where contactless credit cards are more commonly used, even though Apple Pay hasn't been formally rolled out in those countries.

Contactless EMV in general seems equally secure to contact EMV. One concern that may have hindered contactless acceptance in the US is a fear that people would be able to wirelessly steal your credit card number without even knowing it. This doesn't seem to have become an issue in countries where contactless is more common, and as with the risk of card information being taken from  merchants' computer systems, they still wouldn't be able to generate a valid cryptogram thus making the information of limited use. Issuers and merchants have also typically limited the transaction amount allowed for contactless transactions, requiring either a card insertion or PIN for higher value transactions anyway.

A second factor that may have limited contactless popularity in the US is that many merchants are able to waive collecting a signature for lower value transactions, often those under $50. This makes swiping a magnetic stripe card as fast as tapping a contactless one, compared to inserting a chip card and entering a PIN, since PIN waivers for low value contact EMV transactions seem rare to nonexistant. For example, at Walmart, a customer using a Chip and PIN card will always be prompted to enter their PIN, while a customer using a Chip and Signature card will only be asked to sign if the transaction amount is above the store's threshold.

Apple Pay takes contactless security a bit further with two things. One is the use of the fingerprint sensor to authenticate the cardholder. PINs, while better at authenticating a customer than a signature, can still be observed and copied, but copying a fingerprint is rather more difficult.

The second thing Apple Pay does is implement tokenization, a process where the phone actually generates a unique card number and stores and uses that, rather than the actual number printed on the card. This unique number is translated in the payment network to link it back to the cardholder's actual account, and setting this piece up is why not all cards work with Apple Pay; the issuing bank needs to have tokenization support working on their end. Tokenization is part of the EMV specification and isn't unique to Apple Pay, so it's likely we'll see this spread to other forms of payment, possibly including contact EMV cards.

So, after all that, we've solved credit card fraud, once and for all, right?

Nope.

EMV addresses what's called card-present fraud (where the card itself is present at the time of the transaction), but does little for card-not-present fraud, which today tends to mean Internet transactions. Various things have been tried, but nothing that has had the broad base of consumer acceptance that EMV has. That's another topic for another day.

No comments: