Stop me if you’ve heard this one: A Martian travels to Earth and examines the U.S. payments system. He is perplexed by the dogged persistence in using a 40-year-old technology for payments cards by a nation that, in the same period, landed men on its moon, invented the personal computer and brought the iPhone to life.
“Maybe that’s why you keep looking for water on my planet, when the Earth is covered with it,” the Martian observed. “It seems some of you Earthlings are only comfortable with the paradigms you already know.”
Imagine the Martian’s intergalactic horror at discovering that America conducts many of its financial transactions using undisguised plastic cards, with financial account information embossed on one side and encoded in the magnetic-stripe data on the other. And how, in a digital economy, this antiquated anomaly had resulted in a black market with tens of millions of stolen and compromised card credentials that can be obtained for less than a dollar each. Who in the universe would do that — no matter how comfortable the payments industry was with mag-stripes?
The point is not whether NASA is as hidebound and stuck in the past as retail banking. The real question at hand is why the industry so stubbornly clings to this payments paradigm, when another, perfectly good alternative — contactless — is at hand?
Contactless cards and phones offer all the necessary advances in security, functionality and convenience that digital technology has promised the card business for more than two decades. Moreover, the ability to conduct contactless payments with near-field communications (NFC) transmissions — from cell phones with antennae on stickers, or embedded in the mobile devices with secure chips — has many forecasters extremely bullish about the prospects for multichannel payments.
Yet industry inertia and fear of change have rendered this promising new paradigm all but still-born thus far.
Consumers, according to the research, don’t regard contactless as safe — though putting account credentials on a plastic card for all to see, and for capture by $10 mag-stripe readers available on eBay, has spawned a cottage industry of fraud and made data breaches big business. But banks — even after seeing new transaction revenues from converting cash and checks to a sexy new technology that’s much more secure than mag-stripe — refuse to market the need for anything safer.
Merchants, based on anecdotal assessments from the field, seem willing to install the tap-and-go readers when they’re provided for free, but don’t promote conversion of cash transactions or invest in training their checkout counter staff to help customers use them because the payment options available are limited mostly to expensive, signature-based credit and debit.
“We would love to have contactless-enabled phones used as payment devices in our stores,” said the payments chief of one of the nation’s largest retailers. “But we need payment options like stored value for customers who don’t have signature cards and PIN-debit, which is our stores’ most popular payment type. If we offered contactless with just signature-debit — which is the only type we’ve been offered so far — our incremental cost for converting PIN-debit transactions would cost us more than $200 million a year.”
“We would like nothing better than to get cards — and cash — out of the hands of our counter staff — especially at our drive-thru windows,” said a technology executive for a major fast-food chain. “But signature-card rates for us are $.17 to $.27 on an average sale of about $8.00, and the cash transactions they would replace cost us only $.02 in company stores and $.04 in franchises. The business case just isn’t there yet.”
Promotions and Pricing Problems
While contactless offers the best opportunity in years to begin the migration from the outdated mag-stripe, the problems in uprooting this venerable payment paradigm go much deeper than simply how card companies market and price these more secure and convenient new transactions. History shows us that the mag-stripe is deeply buried into the consciousness of the industry — much as water is to potential life on Mars.
Back in the 1970s, as credit cards began to catch on, so did fraud. In those days, accepting merchants had no electronic authorizations, transported their sales slips into banks for processing after-the-fact, and were relegated to looking up bad card numbers from booklets issued at least a month before to avoid fraud.
Electronic draft capture and dial-up terminalization changed all that by the end of the decade. Merchants could capture the card and transaction information electronically by swiping the mag-stripe through the terminal readers, adding related inputs, then dialing out for authorization to the card issuer by phone. This process resulted in far less fraud than before while dispensing with most of the paperwork. Mag-stripe was a big win all the way around and helped fuel the massive growth in card acceptance and use through the 1990s.
But by then, both the formal and “informal” criminal worlds had moved beyond the efficiencies of the mag-stripe payment processing world. Efforts to extend this system from where it was designed to work — the physical point-of-sale — to the emerging world of catalog mail orders and telephone orders were only partially successful. While this market segment grew smartly to $150 billion in sales by the mid-1990s, the volume of so-called “card-not-present” charge-backs swelled.
Nearly half of that new charge-back volume, according to MasterCard figures from that period, came from transactions repudiated by cardholders. A big portion of those early, “I didn’t do it” charge-backs turned out to be conducted by the cardholders’ relatives, friends and even some by the cardholders themselves, “gaming” a system that — in the infinite wisdom of the card companies — shifted all the risk and liability for fraud to the remote merchant.
In 1996, fewer than a million cardholders produced more than two-thirds of all charge-backs, according to one study provided to MasterCard. Such users came to be known as “charge-back recidivists,” and while one would have thought issuers would eschew such costly abusers of the system, they always seemed to have some bank willing to transact their business. Clearly, something else was needed, as the mag-stripe paradigm had spawned a huge, unnecessary cost of doing business that came to be known as “friendly fraud.”
Making Payment Cards ‘Smart’
Meanwhile, in Europe, where dial-up authorizations were much less available and reliable — and very expensive compared to the United States, where telecommunications innovation (and price compression) was rampant — the problem with both friendly and unfriendly fraud from using payment cards was compelling enough to shift the paradigm.
In the 1980s, banks in those countries began testing “smart” cards — computer chips on payment cards that could help identify the cardholder and verify the account use as the information on the chip was read by a reader at the point of sale — or, conceivably, at the cardholder’s home or place of business. Chips got faster, smaller, cheaper and safer all the time.
So by the mid-1990s, Europay (then the separate European partner of MasterCard), MasterCard and Visa came together with a joint specification for interoperable chip-based transactions that could be used anywhere in the world. The resulting EMV standard covered credit, debit and purse (stored value) transactions.
U.S. banks, however, remained somnambulant about their card markets and security, and only dabbled with the idea of transitioning from mag-stripe to chip cards, despite strong pushes from Visa and MasterCard. The card brands sprang for chip card tests around the country, including highly publicized pilots at the Atlanta Olympics and New York’s West Side during the mid-1990s. At one point, the card brands even communicated a mandate, which was later rescinded, that all Visa- and MasterCard-branded cards would carry chips by 2005.
But in the view of many observers, the straw that broke the camel’s back for smart cards in the United States came in 2001, when Tower Group’s Ted Iacobuzio published a report estimating it would cost $13.4 billion to convert American check-out counters, cards and issuer authorization systems to accommodate chip — and 58 percent of that cost would have to be borne by merchants. The industry’s diagnosis: dead on arrival.
Instead, since fraud still wasn’t a very big issue for banks compared to the money they were making on mag-stripe signature-based cards, banks and merchants alike set out determined to cope with the familiar and well-known mag-stripe paradigm for the longer term.
eCommerce: a Chance to Shift the Paradigm
Meanwhile, the World Wide Web’s creation in 1989 had opened a bonanza of global shopping opportunities, but thousands of Web site merchants coming online needed a way to get paid by the millions of anonymous shoppers. The credit card was electronic and worked decently for mail and telephone orders, so why not use it for the Internet, too? And, oh by the way, let’s just have the merchants carry all the liability and risk on this channel, like they do elsewhere; and add an interchange premium to boot, in case issuing banks needed to cover the expected incremental fraud. What’s not to like about that?
In fact, Visa (with Microsoft) and MasterCard (with Netscape and IBM) worked feverishly (and competitively) in 1995 to create a security overlay for using credit cards on the Internet, in both cases requiring that digital identities (certificates) be exchanged by all parties of a transaction in order to ensure that cardholders, merchants and both acquiring and issuing banks knew (and could trust) each other.
Later on, the Internet had a better idea. Taher Elgamal, head of security for browser-inventor Netscape, bequeathed his Secure Sockets Layer (SSL) encryption protocol to the public domain, for free. SSL protected the mag-stripe data while it traversed the Internet channel (though not at either end, which remains a problem). Free is good, so the world rushed off merrily on its way to pursue what soon would become the Internet bubble years, and never looked back.
Several efforts over the years to encourage (or force) cardholder registration for VerifybyVisa or SecureCode have often been heavy-handed, disruptive or ineffective at getting cardholders on board. Merchants that were cultivated over the years to participate in the protocol have experienced significant consumer complaints and transaction abandonment. As a result, a Visa official conceded at a conference in 2006 that they expected VerifybyVisa penetration to peak out at only about 10 percent of their online volume. So, there’s not much payments leadership in the online arena either.
As a result, there are more than two dozen different ways to pay online with more security than the venerable mag-stripe offers — even with the assorted enhancements that were bolted into signature card risk management, such as address verification service and cardholder verification numbers.
Some, like the one-time password protocols, merely substitute pseudo mag-stripe data for the real credentials, and make the match-up offline. Other efforts to replace the use of mag-stripes included putting PIN-debit cards online (with suitable protection for the PIN, of course), and the use of ACH systems, where the merchant never gets the payment account information, but rather a confirmation from the shopper’s bank that they’ve logged an order with online banking authentication. All seem promising.
But don’t forget the latest gambit by the card brands to preserve the mag-stripe payment paradigm at all costs: the Payment Card Industry Digital Security Standard requirements to protect bankcard credentials from data breaches — particularly at merchants and processors. Merchants will bear more than a billion dollars in costs and untold frustration dealing with this well-intentioned but doomed effort to keep up with mag-stripe hackers and thieves.
Not that U.S. merchants have been entirely without blame for keeping mag-stripe on its throne. PIN-debit security for point-of-sale transactions has been available for decades, yet millions of smaller merchants can’t bring themselves to make the $50-a-month investment in PIN terminals — despite substantial interchange advantages and much cleaner transactions. And EFT networks have been largely a “no-show” as a superior payment option in the online environment until very recently.
So, at least in the United States, the mag-stripe paradigm has withstood all efforts to relegate it to history’s hall of fame for payments (along with the signature-based card). Maybe the Martian was right to be shocked that such an advanced society could be technologically dooming itself to investing and re-investing in such a primitive form of electronic payment — over and over again. What powers exist on Earth that could impose their will on society to keep it from digging a deeper and deeper hole for itself?
Is Contactless the New Hope?
And so there is the remaining hope: payments by contactless cards, keyfobs, stickers or mobile phones. By year-end, ViVOtech, a leading vendor of contactless readers and systems, projects there will be an estimated 60 million devices in consumer hands and more than 200,000 merchant-accepting locations. With major processing players beginning to offer PIN-debit payments, and NFC antenna stickers for cell phones, hope springs eternal that meaningful transaction volume will still materialize.
And so it should. Contactless security, functional breadth and flexibility, and usage convenience are on par with those of the contact-based smart cards used around the world. There’s even an EMV specification for global interoperability with contact-based chip cards nearing completion. All that’s needed is for banks to declare to their customers that they’ve come up with a faster, better, safer and cheaper way to transact than the mag-stripe option they’ve been stuck with all these years.
In a year when there’s a tidal wave of Congressional and regulatory backlash over business practices with signature-based cards, the time may well have arrived for U.S. banks and merchants, and all those who support them throughout the payments industry, to climb on the contactless bandwagon before it’s too late and legislation or court action relegates good-old mag-stripes to the ash-heap of history.