Chip card implementation remains fundamentally flawed
Sometimes when I read the debates on chip, PIN and EMV I feel I am listening to the Flat Earth Society. America is home to some home truths including gun ownership, religion and mag stripe in ways that just seem contradictory to common sense.
That said, when it comes to chip there are aspects that payment security adherents are probably not addressing with sufficient clarity; otherwise one would think logical-thinking people would come around, even if they are American. (I love America, by the way.)
So what is the issue? Why is it so hard to make the coherent case for chip?
But at a payments conference organised by automated clearing house Nacha in San Diego this week, three of the nation’s largest retailers hit back, arguing that the move to EMV will impose huge costs for a minimal reduction in fraud rates.
There are multiple issues which confuse the technologists seeking that optimum single solution.
- One device; The Single Solution Problem
- One Law; The Border Problem
- One Customer Preference; The Customer Problem
The Single Solution Problem
The Internet is largely to blame for the incoherence of solutions. It creates a natural desire for a common solution and a common approach to things, whether banking, shopping, or reading. However, criminals are adept at finding specific attacks for whatever solutions are developed.
The basic chip card concept is rock solid provided you follow the chip card rules. Stick your card into a secure card reader and boom … you are secure. However, take that same card and buy something on a web page, and the chip security is gone. The security is based on what you type, and the chip security is irrelevant.
Then when you travel to a non-chip country, such as the US, you must use your chip card by swiping the mag stripe. Immediately, all the benefits of chip are gone.
The Border Problem
When travelling with your secure chip card, that security is compromised by the strategy employed for your card, which is the lowest common denominator of security: the mag stripe mentioned above.
The Customer Preference Problem
Finally the card must be designed to accommodate all customer needs. The card is the centre of the universe and must be dead secure when required, but also flexible when that security is not available.
The real solution
The current chip card is an obvious choice that tries to satisfy all needs yet satisfies none. I have worked first-hand with chip people at my bank and many do not see the obvious. We need multiple solutions.
- The chip card ought to be just that: a chip card with no mag stripe. This card will only work in ATMs and card readers that are chip secure. End of story.
- Online solutions: here we must forget about the credit card metaphor. Let's design a payment method that fits the online environment.
- Mag stripe: never put a mag stripe on a chip card. I have preached this for 10+ years and will never stop. Mag stripe and chip on the same card is just stupid.
- Travel cards: Banks must offer separate cards for travel. Remember Travellers Cheques – when customers travel they will accept the idea of a different card with a different credit limit for travel. Many people have credit cards with $40K credit limits but that card is not needed for drinks at the resort.