About


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

Take On Payments

« November 2011 | Main | January 2012 »

December 19, 2011


The many flavors of EMV

As 2011 comes to an end, EMV (Europay, MasterCard, and Visa) transactions are still the exception in the United States. However, the United States has made some progress towards an EMV migration—several financial institutions are now issuing EMV cards for select portfolios. Also, on the acquiring side, some large merchants voiced strong opinions during the year about adopting the EMV standard. And towards the end of summer, Visa announced details of its "chip migration and adoption of mobile payments acceleration plan."

The perceived cost of a full EMV migration has been a great barrier for the U.S. payments industry. Further complicating the migration are the different ways issues and merchants can implement EMV. In particular, the various transaction authorization processes of card authentication, cardholder verification, and payment authorization take place in an online or offline environment or a combination of the two.

This week's post highlights the differences between offline and online transactions and the implications for U.S. migration to EMV-supported card payments.

Offline EMV
Prior to the introduction of chip cards in the United Kingdom, cards used the same magnetic stripe technology that is currently the standard in the United States. However, the difference is that in the United Kingdom most card transactions were authorized offline. In an offline authorization environment, card transactions are batched over a given time period and then transmitted to issuers, usually at the close of business, for authorization. Because the offline authorization environment does not permit real-time authentication, fraud rates were significantly higher than in markets using online authorization. To mitigate the additional risk inherent in the offline environment, the United Kingdom adopted the EMV standard—more specifically, chip and PIN.

In an offline EMV chip-and-PIN transaction, the payment terminal communicates with the integrated circuit card (ICC), or chip, embedded in the payment card rather than using telecommunications to connect and communicate with the issuing bank. This communication between the ICC and terminal allows for real-time card authentication, cardholder verification, and payment authorization. However, because most payment terminals (not unattended terminals) now support online authorization, payment authorization usually occurs online while card authentication and cardholder verification usually take place offline.

Online EMV
In contrast to the United Kingdom's predominately offline authorization experience, nearly all card transactions in the United States are authorized online. This environment allows issuers to authorize transactions at the time of sale using multiple fraud and risk parameters.

In an online EMV transaction, the ICC-embedded card generates a cryptogram that is authenticated by the issuer during the authorization request. Assuming the card is authenticated and the merchant requires cardholder verification, either the terminal transmits the cardholder's encrypted PIN to the card issuer for verification or the merchant verifies the customer's signature to the signature on the card. Finally, for payment authorization, the terminal transmits payment-related information and a transaction-specific cryptogram to the issuer, which then authorizes or declines the transaction. This online payment authorization process is the same process that magnetic stripe cards currently use.

What does this mean for a U.S. EMV migration?
Unfortunately, the many methods for card authentication, cardholder verification, and payment authorization that EMV supports could lead to many different implementations in the United States. The few EMV-issuing financial institutions in the United States have reached no consensus when it comes to cardholder verification methods. Some issuers support offline PIN, others support online PIN, and still others support signature-only verification. Perhaps most critical to the EMV discussion is whether to support online or offline transactions, or both.

The costs associated with an offline implementation are higher. First, ICCs in an offline environment require an additional processor on the card—to support dynamic data authentication—that ICCs in an online environment do not. Second, PIN management in the offline environment involves manipulation of the PIN resident within the ICC, a process that requires issuers to purchase technologies they do not need in the online environment.

From a risk standpoint, both offline and online EMV card authentication support dynamic data and offer superior protection against counterfeit fraud compared to the magnetic stripe. For PIN cardholder verification, offline and online PIN offer the same protection against lost or stolen card fraud.

Offline EMV implementations were necessary in many markets around the globe because of a lack of telecommunications access at the payment terminals. Because the United States already operates in an online environment and the costs to implement an offline adoption are higher, the business case for an online EMV implementation is stronger than an offline adoption. Further, with most payment terminals in the world now supporting online transactions, global interoperability of online-only EMV cards is not the barrier that it was in the past.

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

December 19, 2011 in cards, chip-and-pin, EMV | Permalink

TrackBack

TrackBack URL for this entry:
https://www.typepad.com/services/trackback/6a01053688c61a970c01675efe7dfe970b

Listed below are links to blogs that reference The many flavors of EMV:

Comments

On your point relative to Online PIN I would like to suggest that most credit card networks (excluding the ATM portion) do not today support the transmission of the PIN from the POS device to the Issuer Host. To upgrade the credit networks to support the encryption and transport of the PIN to the Issuer has a cost. Not simply in the device but also in all the various processors in the chain. Further most POS devices now installed do not support Online PIN.

This whole question of Online versus Offline PIN is then compounded when one looks at the question of International acceptance. Again the International Credit Card networks and all the domestic networks would also need to support the transport of the PIN in order to allow PIN to be used as the means of cardholder verification.

Posted by: Philip Andreae | February 16, 2012 at 09:38 AM

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

December 12, 2011


Retail Payments Risk Forum conference explores the role of government

In light of the many legislative and regulatory changes affecting the payments industry that are already underway, how and when does government intervene in today's highly dynamic marketplace? To answer this question and more, a mix of regulators, legal professionals, and law enforcement representatives participated in the Risk Forum's fifth annual signature conference, "The Role of Government in Payments Risk and Fraud," held November 17–18 at the Atlanta Fed.

Marie Gooding, first vice president of the Atlanta Fed kicked off the event with some opening remarks. Next up was Louise Roseman , director of reserve bank operations and payment systems at the Fed's Board of Governors, with the conference's keynote address. Roseman offered some historical perspective on the relevance of government in the nation's payments systems. The conference continued with five key sessions relating to the governance of risk and fraud in retail payments. We present the highlights of each session in this post. You can get the presentation materials on the Atlanta Fed website.

Changes in regulatory oversight and self-governance crucial
Government oversight of the nation's retail payment system is delivered through different models at the federal and state levels. Complicating matters further, regulatory oversight depends on whether the payment service provider is a bank or a nonbank third party. As the payments environment grows more complex with new nonbank entrants in the payment system and many new alternative payment alternatives, it will be challenging for traditional governance to fully understand the emerging risks Alongside regulatory oversight, self-governance in the form of compliance programs, rules, and standards can contribute to effective alternative models. This panel also explored the role and scope of the new Consumer Financial Protection Bureau and how it plans to fulfill its newly established mission.

Law enforcement challenges
Panelists discussed the importance of collaboration among law enforcement agencies as payment crimes become more sophisticated and proliferate across global geographies. Cross-border financial transactions will demand collaboration among international and domestic law enforcement organizations, as well as among the industry participants themselves and their respective regulators. The panel addressed the growing need for law enforcement to collaborate with regulators who have fragmented state-level authority and are not required to exercise prudential supervision.

The need for better fraud data
Panelists discussed the growing incidence of payment crimes, noting that the United States' efforts to address payments risk and fraud may be hindered by a lack of supporting data on the costs of prevention and the losses incurred. The United States is virtually the only country that does not keep comprehensive data on such losses and costs. The panel discussed how the industry could benefit from complete quantitative information. Armed with such information, the industry could more effectively allocate resources to payment mechanisms and channels posing the most significant risks. This knowledge will become increasingly necessary as payment providers and businesses plan future investments in payment fraud risk management programs.

Changes in the U.S. regulatory environment
2011 witnessed significant regulatory efforts such as the CARD Act, overdraft legislation, the Durbin amendment, and the effects of these initiatives on the behaviors of such stakeholders as the merchants, banks, and even consumers. Panelists engaged in a comprehensive discussion on the current state of these initiatives and what to expect. The audience participated in the dialogue on noteworthy issues such as payment authentication methods and fraud management systems resulting from the industry's response to the Durbin amendment, and the response from Congress to marketplace changes such as new bank fees.

Payment laws and regulations in a dynamic payment environment
Panelists in this session explored how a complex matrix of federal and state laws for retail payments in the United States poses challenges as the industry migrates to alternative payment mechanisms. At issue is the lack of a common playing field for banks and nonbanks regarding legal compliance and safety and soundness. Also at issue is the inapplicability of some laws and regulations to specific payment methods. While many panelists agreed that it is desirable to harmonize efforts under Dodd Frank, they noted that small changes in some payment systems can create significant complications in others. Finally, the panelists discussed the current need for commercially reasonable security methods to limit a financial institution's liability within the current legal and regulatory framework.

Conclusion
This event provides the Retail Payments Risk Forum with critical business intelligence from participants to drive our thought leadership and strategic planning as we move forward into 2012. Look forward to further discussion on these topics as our team explores these evolving issues, and as always, we invite your dialogue in the conversation.

Cindy MerrittBy Cynthia Merritt, assistant director of the Retail Payments Risk Forum

December 12, 2011 in regulators | Permalink

TrackBack

TrackBack URL for this entry:
https://www.typepad.com/services/trackback/6a01053688c61a970c01675eaaddf0970b

Listed below are links to blogs that reference Retail Payments Risk Forum conference explores the role of government:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

December 5, 2011


The future of mobile payments

Although mobile payments have been much slower to develop in the United States than many industry observers had predicted, there have been a number of encouraging recent developments. Starbucks, for example, has processed more than 20 million mobile payments since launching its app, and the Chicago Transit Authority's new fare collection system will be able to accept mobile payments starting in 2013. Still, despite these small successes, the United States has not seen the mobile phone really take off as a vehicle for point-of-sale payments.

The Retail Payments Risk Forum recently interviewed David Evans, a payments industry consultant and the founder of Market Platform Dynamics, in a podcast exploring some of the challenges facing widespread mobile payments adoption. Evans maintained that a couple of obstacles have kept mobile payments from taking off in the United States. "Barrier number one is that there is not a very persuasive mobile payments alternative for consumers to use at the point of sale, and the second is that there's really not the technology at the point of sale capable of processing a mobile payments-type transaction."

In addition to these barriers, he said, is the simple fact that most consumers are satisfied with the way things are. Evans explained, "I can pull out a credit or a debit card at the point of sale, I can swipe it, and it works beautifully. Takes about a second. No fuss, no muss—the clerk knows what to do. The technology is all there. So we have this wonderful system that works really well right now that's extremely efficient." To change the status quo, a compelling value proposition must emerge for all parties. "Someone's going to have to come up with a really great alternative that adds value to the merchant and adds value to the consumers to make both of them want to do something different than [what] they are currently doing," said Evans.

Regarding the prospects for mobile payments outside the United States, Evans said, "I think that where we are going to see mobile payments take off around the world is primarily in countries that do not already have a very well-developed payment card industry with acceptance at the point of sale and that have very well-developed mobile phone systems."

The role of different types of market players has been a major source of debate among those forecasting mobile payments. Many disagree how the mobile carriers, such as Verizon and AT&T, will fit into the new landscape. Evans predicted that "the likely role of the carriers in payments is basically being a pipe." He stressed that mobile carriers do not have the expertise to operate mobile payments and are more likely to become pipes for others who will develop mobile payments alternatives.

When asked about his predictions about the type of technology that will ultimately support mobile payments, Evans said that it was still too early to know. However, he did say that "it's really the solution that is going to drive the adoption of a particular acceptance technology at the point of sale, rather than the acceptance technology driving the solution." There are clearly still a lot of unknowns with regards to mobile payments, and Evans wisely concluded that "we should talk about this in 10 years when we may actually know the answer!"

By Jennifer C. Windh, a payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed

December 5, 2011 in mobile payments, payments systems | Permalink

TrackBack

TrackBack URL for this entry:
https://www.typepad.com/services/trackback/6a01053688c61a970c0153940f0841970b

Listed below are links to blogs that reference The future of mobile payments:

Comments

I completely agree with Evan's statement: Someone's going to have to come up with a really great solution that adds value to the interaction. The majority of consumers are not going to adopt mobile payments because it's cool to pay for something with your smartphone. Early adopters will, but the rest of us won't. We will adopt mobile payments when it is clearly more valuable (more convenient, more fun, etc).

I think a good example of this is Square's Card Case mobile payment app which allows consumers to pay for stuff through their Square account without ever taking the phone out of their pocket.

To read more about this, you can check out my blog post on the subject here: http://www.zootweb.com/blog/index.php/mobile-disruptive-innovation/756/

Posted by: Alex Johnson | January 18, 2012 at 11:50 AM

I fully agree with Mr Evans - it will take something really ground-breaking to change the way we pay for our shopping. None of the alternatives being proposed or in some cases rolled out right now seems to have what is takes to stop us from using cash and cards in most transactions.

Posted by: Merchant Services | December 7, 2011 at 06:18 AM

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

Google Search



Recent Posts


Archives


Categories


Powered by TypePad