Emotions were heated and tempers flared this week at the Federal Reserve Bank of Chicago as the Secure Remote Payments Council held a symposium to address the problem of fraud and card-not-present payment transactions, according to reports about the event. Several speakers from throughout the payments industry voiced their concerns about the issue at Monday’s session. Digital Transactions has some highlights:
Terry D. Dooley, senior vice president and chief information officer of Iowa-based Shazam, one of the few electronic funds transfer networks still owned by financial institutions, agreed that EMV is coming to the U.S., the last industrialized country where chip cards aren’t already in use or being rolled out. But he criticized the idea of “one or two entities” dictating things. Dooley’s specific issue was preserving PIN-based authentication on chip cards. Visa’s proposed system would rely on so-called “dynamic authentication” using one-time transaction identifiers, and some U.S. banks favor chips coupled with signatures for authentication rather than the chip-and-PIN system common in Europe. Dynamic authentication “is good,” but still can be spoofed, according to Dooley. “You shouldn’t be told how you’re going to implement security,” he said.
Dooley followed a blistering attack on “false gods” of payments delivered by Annmarie D. “Mimi” Hart, chief executive of MagTek Inc., a Seal Beach, Calif.-based vendor of hardware and software systems for bolstering the security of magnetic-stripe card transactions. Her main target was the PCI Security Standards Council, which administers the Payment Card Industry data-security standard, with which card-accepting merchants, processors. and issuers must comply. She claimed the PCI Council is more interested in perpetuating itself than actually eliminating fraud. “After all, no fraud means no PCI,” she said, adding that, “it has and will continue to stifle innovation.”
EMV is another of Hart’s false gods. She said an EMV card costs five to 10 times as much as a mag-stripe card and still transmits data in the clear (unencrypted), meaning that a chip-card-accepting merchant would not be excused from PCI compliance. Mag-stripe cards also are capable of dynamic authentication, according to Hart, who also warned against the industry being forced onto “a centrally dictated path.”
Most other speakers agreed that EMV, despite its faults, eventually would displace mag-stripe, though no one could say when or exactly how. Robert O. Carr, chairman and chief executive of merchant acquirer Heartland Payment Systems Inc., predicted the mag stripe would be around for another 10 or 15 years. “I think the cell phone is going to cause the demise of the mag stripe,” he said. While many observers have noted that mobile devices have their own vulnerabilities when used for payments, Carr said the security issue “is manageable.”
