The Europay, MasterCard, Visa standard, overseen by EMVCo. and commonly known as EMV is the chip-based card technology that's been adopted in virtually every global market outside the United States. EMV is widely regarded for its enhanced security. Yet the U.S.'s reluctance to adopt the technology is exposing security gaps in an ever-shrinking global payments infrastructure.
Andreae, an EMV forefather who's been involved with the payments space for most of his career, says the U.S. will have to embrace an EMV-like technology sometime very soon, unless it expects to accept U.S cardholder headaches and increasing fraud.
During an exclusive two-part interview with Information Security Media Group, Andreae shares his insights about the history of EMV and the future he sees for this growing and emerging technology in the U.S. "We can't continue to have two different card technologies," he says. "They can coexist for a while, but we have to move forward."
During part one of the Andreae interview, Andreae discusses:
- Why the U.S. might look to the Federal Reserve for leadership and guidance regarding a mandated move to EMV;
- The impact a chip & PIN transaction environment could have on interchange, based on the experiences of other global markets;
- The role mobile is expected to play in the EMV push.
Don't miss Part 2, when Andreae shares his thoughts about the connection between mobile chip payments and EMV.
Philip E. Andreae has worked as an industry consultant, focusing on EMV, contactless and mobile payments technologies. In 1993-1994, Andreae helped to found a consortium that developed the EMV standard in Europe. He also served as the managing director of Europay International, where he oversaw and developed technology for transaction processing, clearing and settlement. In 2002, he helped drive Visa Canada's adoption of EMV.
The Mag-Stripe's End of Shelf LifeTRACY KITTEN: EMV, interchange and regulatory reform - what changes can the payment industry expect to see in 2011? I am here today with Philip Andreae, an industry consultant who has been involved with the EMV movement since the early '90s, who shares his perspective about EMV in the U.S., smart cards and ecommerce. Philip, you have been involved in the payments space for a number of years. As the discussion revolving around a possible move to EMV in the U.S. heats, can you talk about your perspective on EMV and its inception? Can you tell us a bit about your background and experience with EMV in Europe, where the standard actually got started?
PHILIP ANDREAE: Well, Tracy, thank you for the opportunity today. My history in the payments industry starts back in 1991, when I joined Europay International based out of Brussels, now part of MasterCard. One of the first pieces of work that my team was involved in with was a European study on the card authentication method that was being driven by the European Council for Payment Systems. In that study we came to the conclusion that the only effective way of addressing the problem of fraud related to magnetic-stripe cards was to move toward a chip card or a smart card, as it was then known. With that activity, in 1992, one of our key members, France, was reaching critical mass in the introduction of chip cards as a mechanism for authenticating payments in the French marketplace -- a project that had started back in 1984, when they testing the technology and came to an agreement as a community that this was the way forward. As I just said, in 1992, they reached a moment in time where all of the point-of-sale devices and all of the cards had become chip-enabled.
Obviously, this created some interesting acceptance problems that we are now reading about in the U.S. press, as Americans travel to Europe and are confronted by merchants who are now familiar with smart cards and are comfortable accepting smart cards and are uncomfortable accepting magnetic-stripe cards. In 1993, in about October, my boss, the CEO of Europay, walked into my office and said, "Philip, I need the definitive specifications for smart cards by the end of next month," and gave me, basically, 30 days. What he didn't tell me was that he was going off to an EFMA conference, the European Financial Management Association down in Cannes, France, where he was going to challenge Visa on dates. At that conference, in the morning, Ed Jensen, the then CEO of Visa International, said that on the 23rd of November he would publish a specification, and later on that afternoon got up and had a chuckle and said to Ed that we would be producing our specifications on the 22nd of November. About that time, I was then tasked with forming EMV and went off to Chicago to meet with Visa and MasterCard to argue about the name: Should we call it MDV or MEV or VME? We subsequently agreed that we would call it Europay MasterCard and Visa, based on the ascendancy of the alphabet and the fact that smart cards were coming out of the European marketplace, in terms of patents and first use.
In 1994 we began to look, from a collective perspective, the three payment associations, at what would be the foundations for a business plan that our members would be able to use and that we would use for driving the technical development that we were embarking on. Obviously, our first thought was fraud, and we were looking at counterfeit cards; we were looking at lost and stolen cards and trying to mitigate that fraud through the use of the chip. The second was to continue to allow the off-lying authorization or approval of credit cards in an environment where telecommunications costs were rather expensive and people were talking about 30 or 40 cents per call to authorize a credit-card transaction. They, therefore, didn't want to move, like the U.S. and North America had, to a 99 percent authorization rate; they wanted to stay down in the 25 to 40 percent rate that they were used to in the European market. Interestingly enough, in the French market, they had reached about 40 percent before they began their migration; they had reduced the online authorization rate to about 10 percent when they completed the migration to smart card or chip and PIN, as it is now being called.
The third piece of the business plan was that the signature was not an effective cardholder verification method, and we wanted and liked the use of a PIN, as we were seeing a need in the debit card marketplace to move also into a mechanism for assuring the identity of the cardholder, like we did when we looked at credit card transactions. Unfortunately, to go to an online PIN environment is a very expensive investment, especially when you think about cross-border transactions, which were rather important to us at Europay, given that was our mainstay of business -- international transactions between the various countries within the European markets. So, we were looking at a way of adding PIN to a credit card without requiring an online authorization.
The fourth and final piece of our business plan was to look at value-added services, what I will call the "multiapplication dream," the ability to put multiple payment cards on a single piece of plastic, to add loyalty, identity, healthcare, whatever facilities and services the issuing bank might agree on with its partners.
EMV: A Gateway to More?KITTEN: I would like to come back to that kind of multi-purpose card discussion when we talk a little bit about mobile going forward, but I want to recap some things that you and I have spoken about in the past so that we can share some of this with our audience. We have spoken about EMV in the U.S. and the challenges that the industry faces. One of the challenges revolves around the markets fragmentation. With so many card issuers, processors, networks and merchants, we have a lot of decisions to make. If a move to EMV were spearheaded in the U.S., what entity would lead the charge?
ANDREAE: Well, this obviously is a key issue, and as we look at the other markets that have moved to EMV, there is consistently a central body, an association, where all the financial institutions and the card brands meet on a regular basis and are able to share common needs and common views on particular areas of concern. Fraud, being a criminal activity and not in the social good, has always been a consistent topic for these common groups. Unfortunately, in the United States there, is not an association where all the debit card issuers, all the acquiring processors, the acquirers and the card brands come together and share a cocktail and share conversation and talk about non-competitive issues. So, we do have a major issue here, in terms of creating that forum where the various constituents, the various stakeholders, can sit down, share their concerns and begin to talk about a collective way forward. One of the other things that we have seen on a global scale is that the government tends to have some view on this, because, obviously, the consumer, the citizen, is effected by fraud and are the ones that go through the trials and tribulations of dealing with customer service to get any transactions that were fraudulently transacted against their accounts corrected. So, sometimes the governments will go to these associations and basically say, "If you don't, we will," and then you get kind of a collective view that it is driven by some policy makers who are saying, "Get on with it; we don't want to regulate."
Recently, I had a chance to sit down with Richard Oliver (link) at the Atlanta Federal Reserve, who has been fairly outspoken on the need to look at a more secure payments environment, specifically around the cards world. We talked a little bit about what role the Fed could play, and he mentioned the Durbin Amendment (link) and the responsibilities the Fed has been given relative to looking at debit fraud and, more importantly, risk mitigation. It is a possibility that the Fed may, because of that particular requirement, be in a position to make some statements that will drive the industry, at least the debit card side of the industry, which frankly is most of the financial institutions, to seriously looking at a way of mitigating fraud. The other comment he made is that in a forum, what he calls the Mobile Payments or Retail Payments Risk Forum, they have talked about magnetic-stripes. He said that all of the people there have come to unanimity in the understanding that the magnetic stripe as a tool for combating fraud is a waste of time; it doesn't work any longer. It is too easy to skim the magnetic stripe and it is too easy to capture the PIN, as we have seen in many of the ATM attacks.
The other thing that he did say, and one of the concerns that I walked away with, is that here in the U.S., the government prefers be more laissez-faire in the way the economy evolves. The government has a certain role to play, but they don't believe that they are in the position, necessarily, to dictate how an industry, the card industry, is to move forward. So, I suspect that the Fed will take on a role as a facilitator, bringing the right parties together to have the conversations and then allowing those parties to continue their conversations offline. Simultaneously, I think the press is making enough noise and there is enough coming out of the industry, in terms of the acceptance problems on a global scale, particularly in the European market for the 10-plus million Americans who travel on an annualized basis. Things are happening. I have also heard a rumor that one of the payment schemes is going to make an announcement with respect to chip; so we are going to have wait and see. But there is a concern, on my part, in terms of where do all the parties come together, and how will the government engage while at the same time respecting that the government is not supposed to impose?
KITTEN: And I don't suppose, Philip, that you would be able to shed some light on what payment scheme that might be?
ANDREAE: I have heard rumors that Visa would say something; I have also read press about what MasterCard is doing on a global scale, which would suggest that MasterCard might do something. I have spoken to one or two acquirers who have mentioned that Visa (Visa link to EMV piece) has come in and talked about pilots, so there is activity. The question is that a pilot is not necessarily a statement of intent, and it is a statement that we want. I do suspect that we are going to hear more from Visa a drive than we are from MasterCard.
EMV and InterchangeKITTEN: Great. And going back to the debit issue you noted, interchange is something that is expected to be an issue. If a move were made to EMV chip and PIN, how might that impact interchange in the U.S.?
ANDREAE: Well, let's first look at what has happened outside of the United States as kind of a template for providing a consistent solution. You think about people like Wal-Mart and some of the larger retailers who have extensive global presences; they are going to want to see the same kind of activity in this market as they have seen in others. What many countries have done is introduce what they call an "incentive," using it as a mechanism to help the merchant and the acquirer with the investment that they need to make in the point-of-sale structure; and the incentive typically is a reduction in interchange, anywhere from 5 to 10 basis points, or .05 percent of the transaction.
The other thing that we need to take into consideration, and was clearly understood when we embarked on developing EMV back in '93 and '94, is that if we look at what interchange was originally designed to do, it was designed to cover three costs: the cost of fraud, the systems' cost on the issuing side of the equation, and the cost of providing the ability for the merchant to get paid well in advance of the consumer receiving their statement and making payment on their credit card. If fraud is to be mitigated by the introduction of chip and PIN -- as has been clearly demonstrated in the U.K., France, etc. -- then an incentive through a reduction in interchange makes sense. Those markets have all clearly seen a reduction in fraud, of a significant amount, as they have introduced and reached critical mass of EMV cards and terminals. One would then expect that the costs incurred by the issuer in the fraud domain would come down. Therefore, there should be a reciprocal reduction in the interchange rate for transactions that are conducted at an EMV terminal where an EMV card is also present.
If we look at interchange today, a key-entered transaction or a card-not-present transaction bears a very different interchange than a fully electronic transaction. I suspect that we are going to see a new interchange rate, like we already have in the Visa/MasterCard interchange tables for international transactions, where there is recognition that when a chip transaction is performed, there is a lesser cost to the issuer, therefore there is lesser interchange.
EMV and Mobile: What's the Fit for the U.S.?KITTEN: Now, going back to another issue that has come up during this conversation: the mobile component. I would like for you to talk about chip-based mobile payments. They have been suggested as a way that the U.S. could bridge its move to EMV; but how would a mobile move jibe with the EMV standard that is already in place in other global markets? And how might this move to mobile impact the multiuse card you mentioned earlier, as far as loyalty, identification and other things are concerned?
ANDREAE: Absolutely. While mobile is clearly a much talked about topic these days, if we leave the United States and we look at contactless, there are two forms of contactless transactions being conducted on a global scale. There is an EMV-based form of contactless that we see outside of the United States, and there is the magnetic-stripe form of contactless that we see here in the United States. So, if we move into France, we move to Canada, we move to Korea or Indonesia or Thailand, they have already embraced a form of EMV in a contactless, near-field context. All of their implementations are based on a proprietary implementation of EMV contactless.
What is simultaneously happening, because they all recognize that we need to have global standards, is that EMVCo., the body that manages the EMV specification, has committed to producing an EMV contactless specification in 2011. They have already produced some baseline specifications that deal with how to recognize that there is an EMV contactless application on the card, but they want to go the next step and define a coherent and consistent EMV application for the point-of-sale device and also for the card.
MasterCard, in a recent London presentation, has made the statement that Visa and others have embraced the MasterCard version of PayPass that is being implemented in Europe and that they have contributed that as a baseline for the work that EMV is doing. So, coming back to your original question: Where are we with mobile? If we look at what many of the merchants are now saying, they see mobile and near-field communication and EMV being launched simultaneously. They recognize that there is a fraud issue in the U.S. marketplace. They recognize that they have a responsibility, and they also recognize that there is value in near-field communication, when we talk about other applications such as loyalty and couponing. So, they are willing and ready to make the investment, as long as the timescale is reasonable, as long the specification is stable and as long as they get to decide when they do it and are not mandated by such and such a date "thou shalt do something," when such a such a date is much earlier than the date that they would typically retire or replace the equipment they currently have in the marketplace.
If we then move to the question of multiapplication, there is a lot of conversation around the context a mobile wallet, and some of it sounds like people are using the mobile wallet as a branding mechanism to talk about their unique solution. When I think about a mobile wallet, I think about taking my current leather wallet and taking everything that is in it and moving it into an electronic format into my mobile phone so that I only carry one thing; I carry my mobile phone and I leave my leather wallet at home, and hopefully I even leave my keys at home.
ISIS, the recent joint venture between AT&T, Verifone, T-Mobile with Barclaycard and Discover, in the background, have talked about the idea of a mobile wallet and they clearly identified credit cards, loyalty cards, and other coupons and tickets as things they would see in their mobile wallet. So, they are actually talking about a mobile wallet that takes our leather wallet and merges it. EMV already has built into it a concept called "multiapplication," and it recognizes that we could have multiple payment mechanisms. I could have my debit card, my credit card, my AmEx card, my Discovery card, my Visa Chase card all inside the same smart card, and using that same specification that EMVCo. is trying to move into a mobile environment, we will see the ability to migrate all of our plastic cards into the mobile wallet of the future.
Google has also recently acquired a company up in Canada that has patents around the concept of a multi-application wallet so it will be interesting to see what they are doing, and then there has been a lot of press around Google's activity and the idea of the search for the digital wallet. Apple has been reported of doing something as well and there are a lot of people chasing this dream and I suspect the biggest concern is how many consumers will embrace the dream.
This is part one of a two-part interview with Philip Andreae. In part two, Andreae shares his thoughts about inevitable steps the U.S. payments space will have to take in 2011, and why Andreae believes a move to a more secure card technology and standard would eliminate the need for so many investments in fraud detection.