Next-Gen Authentication

Expert Says Chip & PIN Reduces Need for Neural Networks
The balance between consumer satisfaction and protection is one card-issuing banks struggle to find. In the wake of increasing incidents of card fraud, such as the Michaels breach, the financial industry knows it has to make a change, but choosing a direction to move in has proved challenging, says Philip Andreae, a payments consultant who helped develop and launch the Europay, MasterCard, Visa standard in Europe. "That balance is never-ending," Andreae says. "But if we look at identity, and we guarantee the authenticity of the card, then I need less detection. ... I am going to do it [authenticate] at the point-of-transaction and not try to do it as part of the transaction."

Andreae says the industry spends too much time talking about fraud detection, not enough time talking about viable ways to stop card fraud. "We hear a lot about fraud detection and neural networks, and systems on the issuers' side that are looking for patterns," he says. "That means that they have to have people who are building rules to recognize those patterns. We have companies that are developing software and maintaining that software; and then we have criminals who are very good at figuring out what we are doing." Ultimately, Andreae says, by relying solely on detection and patterns to reduce fraud, banks must decide whether to deny the consumer convenience or accept the fraud. "No fraud-detection system is ever going to be able to successfully satisfy the consumer's want to get money or buy goods and the criminal's desire to steal money or steal goods," he says. For Andreae, the answer to the convenience-fraud balance is chip-based mobile payments. In fact, Andreae sees mobile playing a significant role in a U.S. migration toward an EMV or EMV-like standard.

Taking the RFID contactless method we are accustomed to in the U.S. and applying it to the mobile chip could be the ticket to an easier passage to EMV, Andreae suggests. Bridging the global gap with mobile also opens doors for more innovations like the "mobile wallet," which could facilitate stronger loyalty programs, enhanced security and payment-card unification.

During this second half of a two-part interview with Andreae [transcript below], a former industry consultant who's been involved with the EMV movement since the early 1990s, we discuss:

  • The role contactless transactions will play in the move toward EMV in the U.S.;
  • The connection between EMV, merchants and the Durbin amendment;
  • Why contactless RFID payments will improve cardholder authentication.

Andreae, who now works for one of the world's major card brands, worked as an industry consultant for numerous years, focusing on EMV, contactless and mobile payments technologies. In 1993-1994, Andreae helped to found a consortium that developed the EMV standard in Europe. He also served as the managing director of Europay International, where he oversaw and developed technology for transaction processing, clearing and settlement. In 2002, he helped drive Visa Canada's adoption of EMV.

Chip-based Mobile and EMV

TRACY KITTEN: This is the second part of a two-part interview with Phillip Andreae, an industry consultant who has been involved with the EMV movement since the early 1990s, who shares his perspective about EMV in the U.S., smart cards and e-commerce. We begin part two with a discussion around chip-based mobile payments and the role mobile is likely to play in the U.S. migration toward an EMV, or EMV-like, standard.

Chip-based mobile payments have been suggested as a way that the U.S. could perhaps bridge its move to EMV, but how would a mobile move jibe with the EMV standard that is already in place in other global markets, and how might this move to mobile impact the multi-use card that you mentioned earlier as far as loyalty, identification and other things are concerned?

PHILIP ANDREAE: Mobile is clearly a much talked about topic these days and if we leave the United States and we look at contactless, there are two forms of contactless transactions being conducted on the global scale. There is an EMV-based form of contactless that we see outside of the United States and there is the magnetic stripe form of contactless that we see here in the United States.

So, if we move into France, we move to Canada, we move to Japan, Korea, Indonesia or Thailand, they have already embraced a form of EMV in a contactless near-field context. All of their implementations are based on a proprietary implementation of EMV contactless. What is simultaneously happening, because they all recognize that we need to have global standards, is that EMVCo, the body that manages the EMV specification, has committed to producing an EMV contactless specification in 2011. They have already produced some baseline specifications that deal with "How do I recognize that there is an EMV contactless application on that card?" They want to go the next step and define a coherent and consistent EMV application for the point-of-sale device and also for the card.

MasterCard, in a recent London presentation, has made the statement that Visa and others have embraced the MasterCard version of PayPass that is being implemented in Europe, and that they have contributed that as a baseline for the work that EMV is doing. So, coming back to your original question, where are we with mobile? If we look at what many of the merchants are now saying, they see mobile and near-field communication and EMV being launched simultaneously. They recognize that there is a fraud issue in the U.S. marketplace. They recognize that they have a responsibility, and they also recognize that there is value in near-field communication when we talk about other applications such as loyalty and couponing. They are willing and ready to make the investment as long as the timescale is reasonable, as long as the specification is stable, and as long as they get to decide when they do it and they are not mandated by such and such a date that thou shalt do something, when such and such a date is much earlier than the date that they would typically retire or replace the equipment in the marketplace.

If we then move to the question of multiapplication, there is a lot of conversation around the context of a mobile wallet, and some of it sounds like people are using the mobile wallet as a branding mechanism to talk about their unique solution. When I think about a mobile wallet I think about taking my current leather wallet and taking everything that is in it and moving it into an electronic format into my mobile phone so that I only carry one thing; I carry my mobile phone and I leave my leather wallet at home and hopefully I even leave my keys at home.

ISIS, the recent joint venture between AT&T, VeriPhone and T-Mobile, with Barclaycard and Discover in the background, has talked about the idea of a mobile wallet, and they clearly identified credit cards, loyalty cards, and other coupons and tickets as things that they would see in their mobile wallet; so they are actually talking about a mobile wallet that takes our leather wallet and merges it.

EMV already has built into it a concept called multiapplication and it recognizes that we could have multiple payment mechanisms; so I could have my debit card, my credit card, my AmEx card, my Discover card, my Visa Chase card, all inside the same smart card and using that same specification that EMVCo is trying to move into a mobile environment we will see the ability to migrate all of our plastic cards into the mobile wallet of the future.

Google has also recently acquired a company up in Canada that has patents around the concept of a multiapplication wallet, so it will be interesting to see what they are doing, and then there has been a lot of press around Google's activity and the idea of the search for the digital wallet. Apple has been reported to be doing something as well, and there are a lot of people chasing this dream, and I suspect the biggest concern is how many consumers will embrace the dream.

KITTEN: Going forward, regardless of what direction the industry takes in the U.S., a change is inevitable and we have talked about that during this discussion. You recently shared some insights after reviewing our Faces of Fraud survey and one point that you raised is that the industry continues to focus too heavily on fraud detection rather than addressing the real issue of identity assurance.

The identity, you say, really needs the technology to authenticate the consumer who is conducting the transaction. EMV and the secure element within the smart phone are ways of introducing a higher-level of authentication; can you explain?

ANDREAE: There are two pieces: one I am going to call a CAM, or a card authentication method, and the other is a CVM, or a cardholder verification method. The CAM, the card authentication method, basically says that the secured element - be it a SIM in your mobile phone or a secured, trusted component in your mobile phone or your PC or whatever your physical device is, or the chip card, in the context of the existing magnetic-stripe card with a chip on it - carries secrets that the terminal is able to challenge to assure that the issuer of that card was authorized to issue that piece of plastic. Because there is a secret in there, it is almost impossible - and you always have to leave the word "almost" in when you use the word impossible - to counterfeit that card, to replicate that card.

Back when we first introduced EMV, we used to talk about the cost of replicating a card and we said, "Well, what you have to do is find the secret in each card," and the secret is unique by card. So, the criminal has to spend the time and the money to get your card, get the secret out of it, replicate your card, and spend the exact amount of time and money to do it for the next one, so he doesn't have an easy, replicable solution. Now we suddenly have the ability to assure that the token - the card or the mobile phone - was issued by an authorized party, whether it be the issuing bank or the government, if it was your Social Security card or your passport. It could be any entity that wants to be assured that you are carrying their means of identification - their token, their card; and the mobile phone gives us that capability.

The second part is the cardholder verification method, the second factor in a security architecture. What we do there is we ask the terminal to request a PIN - ask the point-of-sale device to request a PIN from the consumer and then deliver that PIN, that password, to the card. And the card, in its secured environment, goes and validates that PIN; it is the PIN that the card recognizes.

So, we now have what we call two-factor authentication: What I have, the card, and what I know, the secret/the PIN. And we have a means of protecting the integrity of the payment system in a very effective yet not that expensive of a way. When we start thinking about the card as maybe $1.50 versus 50 cents, we will find a way of affording that luxury to the consumer, and as we talk about multiapplication, how many of us are willing to pay to get rid of the 50 cards that we carry and be able to reduce that to one mobile phone with all of those cards inside? There is value and potentially revenue that can be earned by the various parties in providing that wallet.

Reducing Investments in Fraud Detection

KITTEN: And, as you have rightly noted, if this were to replace some of the fraud-detection technologies and systems that financial institutions are investing in, that could be a cost savings, too.

ANDREAE: Yes, a very valid point. We hear a lot about fraud detection and neural networks and systems on the issuer's side that are looking for patterns. That means that they have to have people who are building rules to recognize those patterns. We have companies that are developing software and maintaining that software; and then we have criminals who are very good at figuring out what we are doing.

We have this constant, escalating cost of fraud detection, and then we have the criminal sitting on the other side, saying, "Let me see if I understand how to get around this." If that consumer uses an ATM in their local neighborhood, is the bank willing to challenge the consumer by calling them on their phone or denying that transaction? As the criminal, I think, "If I break that card down, I skim the magnetic stripe, if I capture the PIN, let me make sure that I only use that card in ATMs that are local to that consumer's residence." Well, how does a fraud-detection pattern resolve that conflict of the consumer in his locale and the criminal conducting fraud in his locale? The problem is that we have to deny the consumer or we have to accept the fraud. No fraud-detection system is ever going to be able to successfully satisfy the consumer's want to get money or buy goods and the criminal's desire to steal money or steal goods.

The balance between consumer satisfaction and protecting the consumer from fraud becomes a never-ending, escalating investment on the part of the issuing banks. Whereas, if we look at identity, and we guarantee the authenticity of the card, then I need less detection, because I am going to do it at the point-of-transaction and not try to do it as part of the transaction.

The Future of Payments

KITTEN: In closing, Phillip, could you give us some perspective on the top three points that you would say revolve around the future of payments in the U.S., and some of the movement and challenges you expect the market to face in 2011?

ANDREAE: I think the first one is this whole discussion of fraud and what are we going to do and who is going to drive the mitigation of fraud. Fraud migration is happening, and I am reading more and more articles, U.S.-centric, where criminals are putting fascias on ATMs and putting cameras on ATMs and using Bluetooth technology to capture my magnetic stripe and my PIN and putting my card at risk. So, we have fraud that we have to address. We have very smart criminals who are making really good returns on their investment to break the system and we are going to have to combat that. We are seeing issuers recognizing that the magnetic stripe is not secure; that fraud detection, while good, is not great; and recognizing that the government may at some point in time say, "Enough is enough, and you need to do something."

So, No. 1 is fraud.

No. 2 is the convergence of mobile, and do we have a compelling business case for the merchant surrounding mobile payments. Do we look at mobile loyalty, mobile couponing, some form of marketing and advertising that draws payments into it? Then you sit there and go, "Who is going to play?" It is a full world out there, with people like Google and now the three major carriers in the United States with their ISIS consortium. You have people like Amazon, who is sitting in the wings, watching all of this taking place and wondering where their game is. You have a lot of people who see significant revenue opportunities. So, the convergence of payments, mobile, couponing and other services that can be enabled through the mobile device will be a major area of conversation in 2011.

The third piece is going to be Durbin: What will be the net impact on interchange, and what will be the net impact on revenue to the bank? How are the banks going to justify any investments that they have to make, and will the consumer actually receive the benefits from Durbin? If interchange is to go down, will the merchant reduce the cost of the goods we buy?

If we use Australia as an example, that did not happen; the consumer ended up paying more because they got hit with card fees and the merchant kept the profit from reduced interchange. So, the third piece of my concern for 2011, an area of discussion, is this whole thing around interchange. Where will the Fed come out? What further legislation will we see coming out of Congress? What further debate is going to take place as various alternative payment mechanisms come into the game and say, "Well, I've got a cheaper payment method than Visa or MasterCard," and merchants are embracing that.

KITTEN: It's a lot to consider.

ANDREAE: Yes. This is a complicated space; so as we think about fraud, we think about interchange, we think about mobile, there is a lot of conversation that has to take place. There are a lot of people believing there is a lot of money to be made, and there will be confusion until somebody pulls everybody around the table and tells us what we are going to do: Let's be coherent. Let's write the specifications. Let's write the standards. Let's agree on a common timeframe, a common architecture for how we are going to make this all happen. Otherwise, we are going to have chaos in the marketplace.
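The two factors Andreae describes earlier in the interview, a card authentication method (the terminal challenges a per-card secret that never leaves the chip) and a cardholder verification method (the card checks the PIN internally and locks after repeated misses), as a simplified model in Python. This is an added example, not code from the interview or from any EMV specification: the HMAC-based key derivation and challenge-response, the Card, ClonedCard and transaction names, and the issuer key used for verification are all assumptions, and the cloned card stands in for a counterfeit built from skimmed readable data only.

```python
import hashlib
import hmac
import secrets

# Constructed issuer master key for this demo; real issuers keep such keys in an HSM.
ISSUER_MASTER_KEY = b"constructed-demo-issuer-master-key"
PIN_TRY_LIMIT = 3

def derive_card_key(issuer_key: bytes, pan: str) -> bytes:
    """Per-card secret, unique to each card (simplified stand-in for EMV key derivation)."""
    return hmac.new(issuer_key, pan.encode(), hashlib.sha256).digest()

class Card:
    """Secure element: holds a secret that never leaves the chip, plus the reference PIN."""
    def __init__(self, pan: str, issuer_key: bytes, pin: str):
        self.pan = pan
        self._key = derive_card_key(issuer_key, pan)
        self._pin = pin.encode()
        self.pin_tries_left = PIN_TRY_LIMIT

    def respond(self, challenge: bytes) -> bytes:
        # CAM: MAC over the terminal's unpredictable number and the PAN (cryptogram-like).
        return hmac.new(self._key, challenge + self.pan.encode(), hashlib.sha256).digest()

    def verify_pin(self, entered: str) -> bool:
        # CVM: offline PIN check inside the card; the try counter locks it after misses.
        if self.pin_tries_left == 0:
            return False
        if hmac.compare_digest(entered.encode(), self._pin):
            self.pin_tries_left = PIN_TRY_LIMIT  # EMV resets the counter on success
            return True
        self.pin_tries_left -= 1
        return False

class ClonedCard(Card):
    """Counterfeit built from skimmed readable data (the PAN) only: no chip secret."""
    def __init__(self, pan: str):
        self.pan, self._key, self._pin = pan, b"guess", b""
        self.pin_tries_left = PIN_TRY_LIMIT

def transaction(card: Card, entered_pin: str, issuer_key: bytes) -> str:
    """What you have (challenge the chip) first, then what you know (PIN). The issuer key
    verifies the response here for brevity; deployments verify online at the issuer or via
    public-key DDA, so the terminal never holds the symmetric key."""
    challenge = secrets.token_bytes(4)  # EMV's "unpredictable number"
    expected = hmac.new(derive_card_key(issuer_key, card.pan),
                        challenge + card.pan.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(card.respond(challenge), expected):
        return "declined: card authentication failed"
    if not card.verify_pin(entered_pin):
        return "declined: PIN verification failed"
    return "approved"
```

A genuine card with the right PIN is approved, a clone that only copied the readable PAN fails the challenge before the PIN is ever asked for, and three wrong PINs lock the genuine card even for the correct PIN afterwards.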


About the Author

Tracy Kitten


Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.



