Community

Should have migrated to EMV chip!

Interesting discussion.  I did some work on this in the UK recently and concluded that the best we can hope for, realistically, is that payers include a simple, meaningful payment reference in the payment message and that if the remittance data is at all complicated they should use the same reference to link to a separate out-of-band remittance message.  This in itself seems to be difficult enough, but it should be achievable.  Yes, a rich, standard, in-band, ISO 20022-type solution would be wonderful, but I fear that apart from closed loop transactions between highly sophisticated companies it will remain a pipe dream for many years to come.

Nice post Jim.  I agree.  See my own post on Linked-In:  http://www.linkedin.com/groups?viewMemberFeed=&gid=130718&memberID=731357&goback=%2Egmp_130718

I think there's a growing realisation that the business case for EMV migration in the US is as strong as it is in the rest of the world, maybe stronger as fraud increasingly migrates to the US.  With Visa's announcement and other indicators I think we've reached a tipping point and migration will happen sooner and more rapidly than most people expect.  And yes Jim, I totally agree that mobile NFC is enabled by EMV, rather than being in some weird sense an alternative.  Not that I think mobile NFC will happen any time soon - in fact it's been massively over-hyped IMHO - but that's another story!

Nice post!  Totally agree!

Completely agree with you Steve - strong two-factor authentication based on something I own and something I know must surely be the standard for all remote financial transactions.  There's a lively discussion going on on this subject at http://lnkd.in/_Pxvpy if you're interested.

It's possible to make a very positive business case for CAP/SecureCode, not just in terms of less fraud, but also lower fraud prevention costs, lower password management costs, less call centre enquiries, most use of cost-effective remote channels etc.  The cost of the readers is about £5 or less now, and if you don't like them then we're just begining to see CAP/SecureCode on Display Cards.  As to US banks being any kind of model for the rest of the industry - well just look at the mess they've got themselves into by lagging behind on EMV chip!

Hi Ketharamen - This is quite a new solution and I think MasterCard banks are leading the way, with CAP/SecureCode.  As far as I know, Nordea, and all the Belgian banks (KBC, Dexia, Fortis, ING ...) use this solution, as well as several in Eastern Europe and Turkey.  Technically, it's very straightforward - as an issuer you just treat the OTP as a SecureCode and authenticate in the same way as you would an online banking transaction.  Cardholder education and marketing is more challenging - you have to explain that the cardholder must use their EMV card and cardreader to generate the SecureCode when the SecureCode window pops up.  But I understand it's catching on as a really secure and cost-effective answer to CNP fraud.  If you email me on nick@ncollin.demon.co.uk I'll send you an article I wrote for banking Automation Bulletin on the subject.

A very simple EMV solution to CNP fraud is for cardholders to use the EMV cardreader they already use for secure online banking to generate a dynamic SecureCode/VbV for secure e-commerce. More and more banks around the world are already deploying such Remote Chip Authentication - effectively transforming CNP into card present.  Note that the one-time-password can also be used over the phone, and the only thing the cardholder needs to remember is their existing PIN.

Finally, the US is beginning to understand that rather than try and protect a "secret" (the card details) which is not really secret at all (the PAN is, after all, embossed on the front of every card!) it makes more sense to use Chip and PIN to render the information useless to fraudsters.

I predict nothing can stop full US migration to EMV now.