Nick
I know you're in the business of selling biometric authentication, but to do so by attacking chip and PIN is misleading to say the least. Here's the facts as I see them:
- As you point out, chip and PIN has been tremendously effective in reducing face-to-face fraud in the physical world.
- But chip and PIN is also the best solution for tackling fraud in the virtual world via Remote Chip Authentication (RCA - what MasterCard calls CAP and Visa calls DPA), i.e. inserting your card in a reader, entering your PIN, and generating a one-time-password (OTP).
- RCA is widely used to reduce online banking fraud. Barclays PINSentry for example has been quoted as reducing Barclays' online banking fraud to zero. A key point about this solution is that because the reader is physically separate from the PC, malware and phishing are not effective.
- Increasingly, RCA is starting to be used to tackle Card-Not-Present (CNP) fraud, by the simple expedient of treating the OTP as a MasterCard SecureCode or Verified by Visa code. In other words the user only has to remember the one PIN which they already use in the physical world. All the Belgian banks have rolled out this solution.
Tackling card fraud is difficult and takes years of effort. The global migration to EMV chip started 15 years ago and is still evolving through RCA and 3D Secure, but it's the best solution we've got and a magnificent achievement. There are undoubtedly niche markets for voice authentication and other biometric solutions, but the card payments market is I fear not one of them.
16 Feb 2011 12:37 Read comment
Well said Andy - my sentiments exactly - it's about time someone drew attention to the strange saga of Faster Payments and the curious behaviour of the UK banks.
First they needed to be pushed into developing a real time credit transfer system despite the fact that the market had been crying out for it for years. Then they developed a really sensational, world-beating product in the form of Faster Payments - I've blogged before about what a revolutionary step forward this is. But then they can't get their act together to implement it in a coordinated fashion, and they don't tell anyone about it. No branding, no marketing, no development of added value products, certainly no selling, since somehow they decided to give it away for free. Very weird.
Online banking customers must be very confused. To give an example, if you pay your taxes by direct credit, then you might assume that if you pay on the "due date", HMRC would be credited on that date, especially if you are used to routinely making same day transfers to family and friends. But oh no, turns out the small print requires that you allow 3 to 4 working days, presumably because HMRC's bank doesn't support Faster Payments. How crazy is that?
Are we allowed to name and shame on this site? As Andy implies, it seems unfair that the leading banks are being constrained by a few laggards. I'm surprised this hasn't yet been raised as an issue by the mainstream media.
08 Feb 2011 13:03 Read comment
Sorry Brett, but I'm with Matt on this one, as I explained in my Finextra blog "Contactless, Mobile, NFC - is it all Hype?" [why can't I put a link in here?]. Like Matt, I think it will take off eventually, but not nearly as fast as most would have us believe. In the meantime, the really big cash-displacement story, which no-one seems to have noticed, is that with chip & PIN, the humble debit card is now increasingly and routinely used for low value payments such as buying a pint of beer in a pub. It's fast, easy, familiar, highly secure, convenient for both cardholders and merchants, and crucially, the acceptance infrastructure is already in place (no need for new terminals, never mind fancy new phones or different consumer behaviour).
31 Jan 2011 15:01 Read comment
iDEAL in the Netherlands is a good example of a non-card e-commerce payment scheme. Several other countries have similar schemes, e.g. Giropay in Germany, and are apparently quite successful. Cross-border payments are more difficult, but I believe there are plans to link up these schemes via agreements between ACHs within SEPA. And non-card payment schemes such as Faster Payments in the UK would get round the delayed payment problem.
Having said all this, I still think card payment is the best option for e-commerce, especially if Remote Chip Authentication combined with 3D Secure is used for high security - e.g. MasterCard CAP + SecureCode is now used widely in Belgium.
31 Jan 2011 14:36 Read comment
Not a very big egg (or chicken)!
According to APACS, there were 1 million POS terminals in the UK in 2006. So even if there has been no growth since then, and even if the figure of 40,000 working contactless terminals is to be believed, the maximum penetration is 4%. Hardly critical mass. Once again, the acceptance side of the proposition seems to have been overlooked.
27 Jan 2011 12:47 Read comment
As usual I agree with everything you say Stephen! As a form factor, the plastic card is hard to beat and has many years left to run.
Incidentally, CAP is used by the UK MOD for secure remote login, although I take your point about the need for other solutions to digitally sign rich content.
26 Jan 2011 10:10 Read comment
Hi Antti
Your mobile solution sounds quite similar to Remote Chip Authentication (RCA) in principle. However, I would be nervous about any solution where you need to enter a PIN into an inherently insecure device such as a PC or a mobile phone. Maybe I'm paranoid, but the statistics on spyware infection of PCs are horrifying and I suspect the same will be true of mobile phones soon, if it's not already. At least with RCA the PIN verification is carried out entirely offline within a highly secure EMV chip.
25 Jan 2011 13:32 Read comment
I'm convinced Remote Chip Authentication (RCA) is the best method. You insert your standard bank card in a simple reader, enter your PIN, and a one-time-password is generated which you can use to identify yourself over the internet or phone. This is known as CAP by MasterCard and DPA by Visa and is now widely used by banks across Europe. It's very secure, cost effective, familiar and intuitive, physically separate from your PC or phone, and can be easily extended to challenge-response or digital signature modes if necessary. The latest developments use Display Cards where the reader is in effect built into the card itself.
25 Jan 2011 10:31 Read comment
... and for another parallel discussion on this topic see "Contactless, Mobile, NFC - Is It All Hype?" (ID=4847)
24 Jan 2011 12:48 Read comment
Thanks John. Yes, the lack of a "lively debate" is disappointing - I'd expected a deluge of angry replies - but undeterred, here's a few more comments.
I agree with you that billing directly to the mobile account does indeed represent a genuinely new form of "mobile payment", and I can see that it has real potential for digital downloads to mobile phones, but could it be extended to the physical POS? Also, from what I can see the amount the merchant pays is an order of magnitude higher than with card payments. Do you have any stats on PayForIt volumes?
I also agree with you that using the mobile as a terminal may have potential, irrespective of whether the back end processing is via the card payments networks or the telecom operators. I know there is interest in this as a possible replacement for cheque payments to plumbers etc. However, I suspect the real alternative in this sort of situation will continue to be cash payments, simply for anonymity and tax reasons.
Getting back to contactless/mobile/NFC, I think it might have a chance of taking off if the whole card payments business model was reengineered to drive down costs by simplifying and stripping out things like receipts, chargebacks and itemised statements. I believe this was the original intention, but it never seems to have happened. Probably too difficult, which is another reason I think that if this sort of thing does take off it will be in 10 years rather than 2.
07 Jan 2011 13:53 Read comment