Payments: Whither AES?

October 17, 2011 by Tara  

By: Dean Macinskas, GEOBRIDGE Corporation

Next month (November 2011) the Advanced Encryption Standard (AES) will be 10 years old. But its impact on payment systems in the US is almost invisible, owing in large part to the immense infrastructure investment US banks, card associations and networks made to support the Data Encryption Standard (DES), originally released in 1977. I find it ironic that NIST stopped validating two-key triple-DES implementations for US Government use at the end of 2010, about the same time these same implementations have finally achieved mainstream status in the payments sphere.

So I am really looking forward to attending the X9F6 committee meeting in San Antonio this month, because one of the discussion topics is an update to the venerable X9.8 PIN block specification for AES. The fact that AES’ data block is 16 bytes, rather than DES’ 8, will require major changes to interchange formats, notably ISO 8583, and the software that processes these messages. Also, since AES key lengths can be 16, 24 or 32 bytes, there will be big changes to key management applications too.

Implementing change in large systems is always time-consuming and expensive. Technological innovation, though, is accelerating. Will the payments world speed up its adoption of advances in cryptography, on which the security of all electronic payment systems depends?

The next few years are going to be interesting. At least I’m enjoying the ride!
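
The block-size point in the post above, worked through as an added example (not part of the original post): it builds a clear ISO 9564-1 / X9.8 format 0 PIN block and compares the size of its encrypted form under an 8-byte and a 16-byte block cipher with the PIN data field of ISO 8583. The format 0 layout and the 8-byte length of field 52 are taken from those standards rather than from this page, the PIN and PAN are constructed test values, and no encryption is performed, only the size calculation.

```python
# Added illustration; the PIN and PAN used with it are constructed test values.
DES_BLOCK = 8    # cipher block size in bytes
AES_BLOCK = 16   # cipher block size in bytes
DE52_LEN = 8     # ISO 8583 field 52 (PIN data) is a fixed 64-bit binary field


def format0_pin_block(pin: str, pan: str) -> bytes:
    """Clear ISO 9564-1 / X9.8 format 0 PIN block: PIN field XOR PAN field."""
    if not (pin.isdigit() and 4 <= len(pin) <= 12):
        raise ValueError("PIN must be 4-12 decimal digits")
    if not (pan.isdigit() and len(pan) >= 13):
        raise ValueError("PAN must be at least 13 decimal digits")
    # PIN field: control nibble 0, PIN length nibble, PIN digits, 'F' fill.
    pin_field = f"0{len(pin):X}{pin}".ljust(16, "F")
    # PAN field: four zero nibbles, then the 12 rightmost PAN digits
    # excluding the check digit.
    pan_field = "0000" + pan[-13:-1]
    return bytes(a ^ b for a, b in zip(bytes.fromhex(pin_field),
                                       bytes.fromhex(pan_field)))


def ecb_ciphertext_len(plaintext_len: int, block_size: int) -> int:
    """Encrypted size: plaintext length rounded up to whole cipher blocks."""
    return -(-plaintext_len // block_size) * block_size


def fits_de52(pin_block: bytes, block_size: int) -> bool:
    """True if the encrypted PIN block fits the 8-byte ISO 8583 PIN field."""
    return ecb_ciphertext_len(len(pin_block), block_size) <= DE52_LEN


if __name__ == "__main__":
    block = format0_pin_block("1234", "4000001234567899")
    print("clear PIN block:", block.hex().upper(), f"({len(block)} bytes)")
    for name, size in (("DES/TDES", DES_BLOCK), ("AES", AES_BLOCK)):
        print(f"{name}: ciphertext {ecb_ciphertext_len(len(block), size)} bytes,"
              f" fits field 52: {fits_de52(block, size)}")
```

The 8-byte PIN block is exactly one DES block, so the encrypted value drops straight into the existing field; a single AES block is already twice that size, which is why the message format and the software that parses it have to change.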

 

Will Fraud Losses Bring U.S. Issuers to the EMV Table In Earnest?

October 7, 2011 by Tara  

By: Robin Moser, GEOBRIDGE Corporation

U.S. adoption of EMV/chip card payments has met a fair amount of resistance. As with any new payment technology that requires costly and far-reaching infrastructure changes, getting chip and PIN cards issued and accepted in the U.S. is as agile an undertaking as making a U-turn in a barge.

Wal-Mart has been pushing for EMV as a means to reduce PCI scope and mitigate the risk associated with magstripe cards. The merchant investment to get point-of-sale systems updated to support chip card technology is significant. However, Visa’s recent announcement that it will waive the requirement for annual PCI assessments if at least 75% of a merchant’s Visa transactions are conducted on payment terminals supporting contact, contactless and NFC payments may be incentive enough for U.S. merchants to make the investment. Furthermore, the Visa mandate that U.S. Acquirers support chip card payments by 2013 also lays critical groundwork for the acceptance of EMV payments.

So what about the Issuers? While a handful of large Issuers have produced chip cards for the U.S., these cards are typically only offered to cardholders who travel internationally and need a card that can be used in EMV countries. Recent data published by The Nilson Report shows that while Issuer fraud losses decreased globally in 2010, 47% of these losses are attributed to U.S. transactions. This is an increase of 0.5% over 2009 and roughly 3% over the past few years. Overall losses due to fraud reflect a relatively small percentage of total transaction value on a global level. The fact that nearly half of all fraud losses in 2010 occurred in the U.S., with the numbers continuing to rise, may provide more incentive for Issuers to ramp up EMV card issuance for U.S. cardholders.

Many Issuers are already exploring EMV as the basis for NFC-based mobile payments, which leverage the contactless payment model.  Layering on the increased fraud risk associated with the prolonged use of magstripe cards might just turn the ship’s wheel a little more swiftly towards EMV in the U.S. payments market.  


Lack of Interoperability is Preventing Mobile Payment Adoption

June 10, 2011 by Tara  

By:  Jason Way, Vice President GEOBRIDGE Corporation

While each new Mobile Payment announcement is interesting, the unique qualities of each one are the very reason mobile payments have not yet been widely adopted by users and merchants alike.

Merchants cannot afford to support multiple options. Users will not employ multiple options. Effectively, what is preventing mobile payment adoption is the lack of interoperability.

Major players appear to have recognized this dilemma, yet they all possess an understandable tunnel vision for maintaining enough uniqueness to maintain their own profitability. Near Field Communication has emerged as the Holy Grail meant to anchor interoperability between merchants and users. While NFC capabilities are becoming more readily available at the point of sale, the number of users and phones in existence significantly outnumbers the total sum of merchants.

At best, users will (years from now) have a mechanism to store multiple NFC sources on any number of different phones. At worst, the majority of users will resist the challenges of managing multiple applications and NFC sources, causing Mobile Payments to remain an unachieved utopia.

The application of NFC to deliver mobile payment capability is technically sound. However, the only realistic hope is that an NFC Mobile Payment solution will be a short-lived novelty that will cause a temporary revenue spike. If we’re depending on NFC, the sheer number of users, phones, and merchants will prevent interoperability and frustrate users attempting to leverage a mobile payment option.