One discovery I made when I first entered the payments industry is that despite there being over 170,000 words in the English dictionary, payments people like to use the same word or acronym to mean many different things. Take for example SMS – in daily use to mean Short Message Service (text messages on your phone) as in SMS authentication, but then there’s Single Message System and Systems Management Server and perhaps a few more out there. But the one where it gets most complicated is the word ‘online’. There are a few uses of the word ‘online’ in the card world and during the recent travels to the US, I realised (realized?) that one of them isn’t in the sights of the ongoing roll-out of EMV there. Perhaps it got lost during the voyage across the Atlantic?
Payments in the online space, or eCommerce as it’s often known, create Card Not Present transactions – and this is the one place where fraud typically increases dramatically after the implementation of EMV. Why? Because adding an EMV chip to your card doesn’t help in transactions where you don’t put your card into a reader.
Figures from the UK, Brazilian and Canadian rollouts reveal the sharp uptick in CNP fraud post-EMV rollout – and yet not a single statement or mandate from the International brands looked at how this could be tackled on day 1 rather than on day 1500 (take a look at slide 17 here).
One of the simplest ways to do this is through inclusion of EMV-CAP in the standard card profile for all cards – and of course the corresponding rollout of 3D Secure using dynamic passcodes. For those of you not too familiar with this concept, take a look at MasterCard’s explanation (here) or Barclays (here). EMV-CAP also enables ebanking security, and can be used to activate mobile profiles for payments rather than downloading authentication data using OTAP and SIM technology (read ‘How does it work’ here for an example).
EMV-CAP isn’t perfect – I know it all too well as it is a product that I had a small hand in – however, it is a great facilitating technology that will bridge the gap to whatever the future online payment world will look like. Plus it doesn’t require any additional PIN, mobile app, change in user behaviour or interaction with the dreaded Telcos (sorry to any Telcos reading…). What EMV-CAP is, is a way to bring the security keys that you’ve delivered to your cardholder into use in payment environments other than face to face POS. Just like EMV in the F2F space, EMV-CAP isn’t a silver bullet, but implemented hand-in-hand with Device ID, IP geolocation, velocity checking and all the usual CNP anti-fraud techniques, it adds a valuable cost-effective layer that can really slow down the fraudsters.
However, getting something like EMV-CAP to market isn’t easy – and it’s not the fault of the technology. When you introduce something in a typical bank that uses card infrastructure (team card, yay!) and uses it for security in ebanking (team ebanking, yay!) and for enabling mobiles (3 team mobiles out of 4, yay!) and asks the IT department to run a single authentication service (team ICT, yay!) then you can immediately see the problem: the disparate nature of banking departments and the usual silo-ed approach to solutions creation and management. The solution is generally having a champion high up in the bank or processor who realises that a moderate investment now will prevent a huge cost down the line – but history shows us that few organisations are lucky enough to have those visionaries in the right position.