What can kill EMV

For those in a hurry, here is an executive summary: ISO 9798, assisted by the likes of Verayo (as well as femtocells and in-store Wi-Fi).

Anyone remotely familiar with EMV knows that it's a mess. EMV is a global standard that covers inter-operations of "chip" bank cards and compatible devices (POS terminals and ATMs). There are 16 (!) variations of EMV implementation when it comes to card authentication, transaction authorization and cardholder verification. EMV is at v4.5 and runs into over 700 pages. It represents interests of just four companies - I don't count the merchants and the issuers here (a subject for a separate blog post). The main purpose of EMV is to provide secure authentication of transactions.

There is another global standard for secure authentication of remote transactions, used over 10bn times every day. It is concisely spelled out on just seven pages and represents interests of over 800 companies. Like EMV, it relies on the use of "chip" cards. Unlike EMV, it does not require secure/approved/certified equipment - any mobile phone will do. Secure POS card terminal based on this standard costs less than $10. Including NFC.

I am, of course, talking of GSM - more specifically, ISO 9798 (which GSM authentication protocol was derived from).

EMV is "curated" by Visa and MasterCard - the global, universally accepted, payment channels. They are known within the payment industry as the "schemes" and that is where the problem with EMV lies. Well-intended desire to be universally accepted forced Visa and MasterCard to work with merchants even at remote locations where no means of communications were available. For that purpose, offline authentication was included into the EMV protocol specifications.

That was fine twenty years ago, but the world has since moved on. Telecom and the internet have become omnipresent phenomena. There are very few "unconnected" places left out there, with no fixed or mobile telecom facilities. Hence, there are no longer any strong reasons for not using online-only authentication. Allowing offline authentication for the sake of offering EMV acceptance in a few "off the grid" places drags the whole EMV concept down.

When - not "if" - payment transactions move to online-only authentication, the role and importance of EMV (and, potentially, of Visa and MasterCard) could be greatly diminished. I don't want to oversimplify things here, but one of the key functions of the schemes is to act as a "gateway/router" for channeling the transactions between the parties involved (acquirers, issuers, processors). That is something that Cisco has been doing efficiently and successfully, on a much larger scale, for years. Without charging any, let alone percentage-based (!), "interchange fee".

If the "schemes" do not become a "network", somebody else will take that space. There are several players - big and small, both insiders and outsiders - who are eyeing that opportunity. For example, the Mobino's CEO who worked with Tim Berners-Lee on HTTP and HTML is planning to bring the same logic to payments.

I am at the NFC World Congress in Nice next week where I am moderating the "Transport and Ticketing" session as well as taking part in the "World's Smart Cities" panel, representing London - will no doubt get some material for more thought-provoking blog posts.