[Dave Birch] I've read quite a few stories about the new Citi card with a chip in it. Not an EMV chip, of course, but a chip that allows the cardholder to dynamically rewrite the "magnetic stripe" on the back of the card so that it can switches between a credit card and a rewards card.
Next month, Citibank will begin testing a card that has two buttons and tiny lights that allow users to choose at the register whether they want to pay with rewards points or credit, at most any merchant they please.
These are the "dynamic stripe" cards from Dynamics. The idea of them is that since US retailers are not going to replace magnetic stripe readers with chip readers, the way to deliver new services to customers is by emulating the magnetic stripe.
Called “Redemption,” the cards will work at any merchant where mag stripe readers are used. The new cards include programmable and electronic components such as a battery, an embedded chip, buttons and a card-programmable magnetic stripe.
You can see how this kind of thing might have a window in the US where the retailers don't have chip terminals. It would make no sense anywhere else: in the UK, for example, Barclaycard's new Freedom rewards programme works at the POS so when you put your card in it asks you if you want to pay with Pounds or Points, which seems much easier than press a button the card, but anyway. And if you try to use a magnetic stripe card in a UK terminal, whether it's dynamic or not, they'll assume you're a fraudster and call the police.
So why do I say that using this kind of technology in the US may have a window?
Well, consider the example of the Cutty Sark. The Cutty Sark was a tea clipper, built for speed, and at one time was the fastest ship of its size afloat, famously beating the fastest steamship afloat and doing the Australia to UK run in 67 days. At the time, get tea from Asia to Europe at high speed was economically important and so there was pressure from the tea companies to get the fastest ships (so they weren't built just for the fun of it, or to show off the technology, but because of the economic imperative.
What's the point of brining this up? Well, it makes the point that the fastest sailing ship was built after the steamships arrived. In Christopher Freeman and Francisco Louca's "As Time Goes By: From the industrial revolutions to the information revolution" they note that
However, it had taken a fairly long time for the steamship to defeat competition from sailing ships, which also began to use iron hulls. The competitive innovations in sailing ships are sometimes described to this day as the 'sailing ship effect', to indicate this possibility in technological competition for a threatened industry.
In the long run, the sailing ships vanished, except for leisure, and the steamships took over. But when the steamships first came on to the scene they stimulated a final burst of innovation from the sailing ship world, which was then stimulated into building some great ships as a kind of "last hurrah".
Source: Historic Naval Ships Assocation (2004).
Perhaps we should look at the Citi initiative as the "last hurrah" of the magnetic stripe. I bumped into our good friend Adrian Cannon from Edgar Dunn while I was writing this, and he summed it up as "a very complicated way to achieve a partial answer" to the problem of card security, which strikes me as an accurate description.
The dynamic stripe isn't the only alternative to EMV that is developing in the US. There are many companies working in this field, some of them focusing on the (Incorrect) business model that targets fraud reduction.
Diebold recently launched its out-of-band authentication that uses a mobile device to authorize a withdrawal at the ATM. When the withdrawal transaction is initiated by a card holder, the system sends an authorization code to a mobile device. This code needs to be entered on the ATM in order to complete a withdrawal transaction.
These sorts of solutions are already implemented in various places. There are also other strands of thinking around improving magnetic stripe security.
MagTek, meanwhile, has developed MagnePrint technology. It examines the unique traits of the iron particles in a card's magnetic stripe, based on the fact that the low-level magnetic noise emitted by individual magnetic stripes is as unique as a fingerprint (according to the vendor). The system is therefore able to detect whether the card used at the ATM is indeed the original or simply a fake with stolen card data.
Many people, however, see moving away from the stripe interface as the best path and this has already started in the US (albeit on a smaller scale than had been hoped) with the shift to contactless interfaces: Blink, ExpressPay and all the rest.
Gemalto is betting on contactless payments technology, as a first step toward possible future chip and PIN implementation. The technical specifications of contactless and chip and PIN standards are closely aligned, and both formats define the way a smart card communicates with a card reader. However, the contactless approach still requires significant investment into card exchanges and infrastructure.
Indeed it does, and yet some people are making that investment outside the EMV framework. Look at what is going on with Bling and RFinity, for example. When I was last down at PayPal in San Jose, everyone had "Bling powered by PayPal" stickers on their phones and seemed very happy using them: merchants accepting Bling have to have entirely new terminals to do so. The point is that there are paths opening up in many directions: so which should the US choose (and should it have national strategy to do so, or should it leave it to the market to choose?)
what exactly should policy makers at the Fed do with respect to card payment fraud in the US? Is Fed intervention required to impose new requirements that wouldn’t otherwise be adopted by individual stakeholders acting alone
There is another EMV way forward, and that's to go for a kind of "EMV Lite" that keeps the chip and PIN but ditches offline working and all of the risk management and complexity that goes with it. That would simplify the implementation and reduce the cost considerably. Since almost all EMV transactions in UK are authorised online (less than half were when the first — here's one for the teenagers — UKIS cards were introduced), the cards would work here to. In Spain, all transactions are online, as they are in other countries too. Bizarrely, one of the key benefits of EMV, offline authorisation, has not only not grown, it has all but vanished.
Perhaps the solution is more radical, though. In a twitter conversation with Scott Lofteness of Glenbrook I mentioned a strand of thinking that I think is more than idle speculation, and that is that the alternative to chip and PIN in the US will be chip and PIN, except that the chip will be the SIM in the mobile phone and not the chip on a card (whether an EMV chip or a Dynamics chip). In other words, "chip and PIN" will be overtaken by "SIM and PIN", just as it already has been in some other markets around the world.
These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]