Payments: Whither AES?

October 17, 2011 by Tara  

By: Dean Macinskas, GEOBRIDGE Corporation

Next month (November 2011) the Advanced Encryption Standard (AES) will be 10 years old. But its impact on payment systems in the US is almost invisible, owing in large part to the immense infrastructure investment US banks, card associations and networks made to support the Data Encryption Standard (DES), originally released in 1977. I find it ironic that NIST stopped validating two-key triple-DES implementations for US Government use at the end of 2010, about the same time these same implementations have finally achieved mainstream status in the payments sphere.

So I am really looking forward to attending the X9F6 committee meeting in San Antonio this month, because one of the discussion topics is an update to the venerable X9.8 PIN block specification for AES. The fact that AES’ data block is 16 bytes, rather than DES’ 8, will require major changes to interchange formats, notably ISO 8583, and to the software that processes these messages. Also, since AES key lengths can be 16, 24 or 32 bytes, there will be big changes to key management applications too.
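To make the block-size point concrete, here is an added example (not from the original post) that builds a clear PIN block and checks whether one encrypted block still fits the message field. It assumes the ISO 9564-1 Format 0 layout and an 8-byte ISO 8583 PIN data field, neither of which the post spells out; the PIN and PAN are constructed test values.

```python
DES_BLOCK = 8                   # bytes, as stated in the post
AES_BLOCK = 16                  # bytes, as stated in the post
AES_KEY_LENGTHS = (16, 24, 32)  # bytes, as stated in the post
PIN_FIELD_LEN = 8               # assumption: ISO 8583 PIN data field is 64 bits


def format0_pin_block(pin: str, pan: str) -> bytes:
    """Build the clear (pre-encryption) Format 0 PIN block: PIN field XOR PAN field."""
    if not (pin.isascii() and pin.isdigit() and 4 <= len(pin) <= 12):
        raise ValueError("PIN must be 4 to 12 digits")
    if not (pan.isascii() and pan.isdigit() and len(pan) >= 13):
        raise ValueError("PAN must be at least 13 digits")
    # PIN field: control nibble 0, PIN length nibble, PIN digits, padded with F.
    pin_field = f"0{len(pin):X}{pin}".ljust(16, "F")
    # PAN field: four zero nibbles, then the 12 rightmost PAN digits
    # excluding the final check digit.
    pan_field = "0000" + pan[-13:-1]
    return bytes(a ^ b for a, b in
                 zip(bytes.fromhex(pin_field), bytes.fromhex(pan_field)))


def ciphertext_len(plaintext_len: int, block_size: int) -> int:
    """Length of the smallest whole number of cipher blocks holding the plaintext."""
    return -(-plaintext_len // block_size) * block_size


def fits_pin_field(block_size: int) -> bool:
    """True if one encrypted Format 0 PIN block fits the 8-byte message field."""
    return ciphertext_len(DES_BLOCK, block_size) <= PIN_FIELD_LEN


if __name__ == "__main__":
    clear = format0_pin_block("1234", "4111111111111111")  # constructed values
    print("clear PIN block:", clear.hex().upper(), f"({len(clear)} bytes)")
    for name, size in (("DES/TDES", DES_BLOCK), ("AES", AES_BLOCK)):
        print(f"{name}: ciphertext {ciphertext_len(len(clear), size)} bytes, "
              f"fits {PIN_FIELD_LEN}-byte field: {fits_pin_field(size)}")
```

The 8-byte clear block fills exactly one DES block, while any AES ciphertext is at least 16 bytes, so both the PIN block layout and the field that carries it have to change.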

Implementing change in large systems is always time-consuming and expensive. Technological innovation, though, is accelerating. Will the payments world speed up its adoption of advances in cryptography, on which the security of all electronic payment systems depends?

The next few years are going to be interesting. At least I’m enjoying the ride!

 

Will Fraud Losses Bring U.S. Issuers to the EMV Table In Earnest?

October 7, 2011 by Tara  

By: Robin Moser, GEOBRIDGE Corporation

U.S. adoption of EMV/chip card payments has met a fair amount of resistance. As with any new payment technology that requires costly and far-reaching infrastructure changes, getting chip and PIN cards issued and accepted in the U.S. is as agile an undertaking as making a U-turn in a barge.

Wal-Mart has been pushing for EMV as a means to reduce PCI scope and mitigate the risk associated with magstripe cards. The merchant investment to get point-of-sale systems updated to support chip card technology is significant. However, Visa’s recent announcement that it will waive requirements for annual PCI assessments if at least 75% of a merchant’s Visa transactions are conducted on payment terminals supporting contact, contactless and NFC payments may be incentive enough for U.S. merchants to make the investment. Furthermore, the Visa mandate that U.S. Acquirers support chip card payments by 2013 also lays critical groundwork for the acceptance of EMV payments.

So what about the Issuers? While a handful of large Issuers have produced chip cards for the U.S., these cards are typically only offered to cardholders who travel internationally and need a card that can be used in EMV countries. Recent data published by The Nilson Report shows that while Issuer fraud losses decreased globally in 2010, 47% of these losses are attributed to U.S. transactions. This is an increase of 0.5% over 2009 and roughly 3% over the past few years. Overall losses due to fraud reflect a relatively small percentage of total transaction value on a global level. The fact that nearly half of all fraud losses in 2010 occurred in the U.S., with the numbers continuing to rise, may provide more incentive for Issuers to ramp up EMV card issuance for U.S. cardholders.

Many Issuers are already exploring EMV as the basis for NFC-based mobile payments, which leverage the contactless payment model.  Layering on the increased fraud risk associated with the prolonged use of magstripe cards might just turn the ship’s wheel a little more swiftly towards EMV in the U.S. payments market.