HOME
ANALYSIS
COMMUNITY
AWARDS
TOOL KIT
INDUSTRY RESOURCES
SUBSCRIBE
ABOUT US
ADVANCED SEARCH
LOG IN
01 June 2005 Features
Looking for an edge
Roll-out of the latest card technology is nearly complete and banks are now looking at how they can take advantage of what has been put in place. Georgina Stanley reports on their activities
When European banks began rolling out EMV chip and PIN cards the initial objective was clear — cutting card fraud. But now card rollout is well underway and merchants have started picking up the fraud liability, banks are starting to look seriously at how they can make the most of the investment they’ve already made.
Whether the intention is to extend the additional security benefits to online banking and e-commerce or to introduce contactless payments, how easily banks can add additional services depends on how they went about implementing chip and PIN in the first place.
“The cost of an EMV migration programme is quite large,” says Jan Dart, head of technology at Aconite. “The early adopters had to adapt and choose cost effective offerings. This meant they may have gone for cheaper cards that couldn’t be changed as much as they can now. You can fall into the trap of taking simple offerings that stop you moving forward and then you have to reissue cards much earlier than you would like which leads to additional costs.”
By rushing to meet the liability deadline of 1 January this year, issuers in the UK and elsewhere in Europe may find it more difficult to benefit from extra functionality than those in countries which began rolling out chip and PIN later in the day.
“I think in the UK they’ve gone into EMV with the lowest common denominator of it,” says Paul Meadowcroft, head of transaction security, Thales. “They were trying to meet the liability shift and the deadlines but they’re now starting to look at what else they can do with it.”
“The real focus has been getting to 1 January 05,” agrees Greg Twitcher, vice president, Visa UK. “While everything has gone very smoothly there and we’re seeing the benefits of all that work I think people are starting to look at what the next set of opportunities is going to be for them.”
Meadowcroft thinks that while UK banks were right to start with a simple rollout of chip and PIN, sometimes with proprietary cards, it may make things more difficult in the long-term as some of the cards will not support multiple applications.
“To do multiple applications they may need to change their card type,” he explains. “The question is should they be heading towards more standardised multi-application cards like Multos which can support multiple applications at issue and also manage that card in the field? It would mean banks could tailor the card to their desires and add, say, a loyalty application, without reissuing the cards.”
Jan Mooijweer, smart card business consultant at ACI, which offers software to help issuers manage their chip cards once issued, agrees some European banks are not making the most of their EMV cards at the moment. He thinks they’re failing on two points — firstly by underestimating the potential uses of the cards and secondly byissuing the chip cards in the same way as EMV cards without being able to control the data on the chip and manage it once it has been issued. He explains:
“A lot of banks don’t really understand the value of the card. They think it’s something the customer needs for ATMs and POS but actually it’s the link between the cardholder and the bank. There’s a lot of information on the chip and the possibility for the bank to increase their service levels to cardholders is the key to success.”
In contrast, banks in the Middle East and Asia, which began their chip and PIN projects later with broader objectives, are already using the cards for more than just securing point of sale transactions.
According to Toni Merschen, senior vice president at MasterCard’s Chip centre of excellence, nearly all of the millions of cards issued in Asia Pacific over the last few years have been multi-application and the focus from the outset has been additional features such as loyalty, transport tickets or government identity applications.
Despite this, he maintains that functionality alone is not the most important reason for banks to invest.
“Banks need to use technology for their business needs, whether that’s growing the number of cards, increasing acquisitions, supporting cardholders or extending the reach of card payments into areas where today cash is dominant. It’s not technology for the sake of technology it’s about the business drivers technology can address,” he says.
And smart cards offer a number of ways to help banks boost their business by increasing the services offered and attracting new customers.
The most obvious use is extending the chip and PIN functionality to cover online banking and purchases. By using a separate smart card reader in conjunction with the PIN, a one-time password is produced, verifying that both the card and the cardholder (or at least the cardholder’s PIN) are present at the time of the transaction.
This is being rolled out by banks worldwide and Barclaycard is set to develop it further after successfully completing a UK trial with around 1,000 customers. But even with this well-known application, there are complications — such as the cost of deploying the readers.
“Everyone agrees that moving to chip and PIN in other payments channels is the right thing to do but the question is how do they go about it? How do they fairly distribute the costs among all the banks?” asks Meadowcroft.
He also thinks that ideally there should be a separate EMV authentication application on the card, in addition to the payment application, to make authentication easier to manage across different channels. He claims that for some card issuers this will mean waiting for the next card deployment.
Others, including Mooijweer, argue that even two-factor authentication is not fail-proof. He believes biometrics need to be integrated into the card to prevent someone stealing both the card and the PIN to successfully carry out fraudulent transactions.
The second big additional use of the cards is to add loyalty applications. Loyalty schemes are already popular in many countries. Some have single loyalty schemes attached to the card while others have multiple loyalty schemes, making it possible for customers to spend in one store and redeem their points in another. Because of the possibility of storing non-financial data on the card, offers can be tailored to match the interests of individual customers.
“The idea is to make the product more competitive and increase the loyalty of the cardholder to the card,” explains Merschen. “We have banks in Malaysia and Iceland using our OneSmart project to do this.”
But the application seemingly getting Visa, MasterCard and American Express most excited is contactless payments. The card schemes are heavily pushing their respective contactless platforms as a means of increasing card usage and phasing out cash for smaller purchases.
MasterCard PayPass is used in the US without EMV in cinemas and in fast-food outlets such as McDonalds. It also launched its first OneSmart PayPass chip combi card in Taiwan earlier this year. The payment solution was arranged by the Kaohsiung City Government transportation project. The TaiwanMoney Card is being issued by Cathay United Bank and E.SUN Bank and integrates contact and contactless chip payment solutions with an e-ticketing transportation system. It combines MasterCard credit, debit, and Mondex stored value, with PayPass contactless using MasterCard’s M/Chip 4 EMV smart card chip.
Visa has similar contactless schemes with Visa Contactless and Visa Wave which is being used in Malaysia. It also has a multi-application smart card being used in Russia for transport.
“I think it will be the biggest development in the next few years and could fundamentally change the way people pay for a lot of their mass purchases,” says Twitcher. “The main use would be mass transiting and ticketing but it doesn’t have to be restricted to that.”
“These are dual-interface cards which can act in contact as a standard chip and PIN card and can also transact in a contactless mode,” says Merschen. “It will mean card re-issuance and it needs readers as well but we’re targeting this for cash replacement opportunities for low value payments in certain places where it can be implemented in a way that doesn’t need independent cardholder verification.”
Despite the assertions of Visa and MasterCard that contactless payments would be every bit as secure as full contact payments with PIN because the user sets aside a pre-determined amount for contactless payments and because the card can only perform a set number of transactions offline, others are less convinced.
Meadowcroft says: “I’ve a concern that you’re paying for the convenience of contactless at the cost of security. We’re back to one factor authentication again. You put all that effort into chip and PIN to improve security and then you move to contactless and go we’ll not bother with any of that we’ll just go back to handing over the data.”
In addition to the applications mentioned above if card issuers use the chips to their full effect they can choose to introduce a far wider selection of applications.
One potential use according to Dart is to use the cards for dynamic risk management. He suggests that by using EMV scripts to control the card once it has been issued, the type of transactions it is authorised for can be changed once it is in the customer’s hands.
“Initially when you get the card it has parameters set on it depending on your risk profile. Chip lets you change that without having to reissue. It’s like having a mini PC. Banks could take control of their risk profiles giving good people a better experience with more freedom and bad risk holders less freedom and more online transactions, helping them manage fraud and go out to different cardholder segments.”
Mooijweer adds: “There are going to be bank specific applications that haven’t been developed yet — what’s important is that they develop new programmes as individual banks to stay competitive.”
Bookmark with: (What is this?)