EMV is neither a 20-years-old nor an obsolete technology but simply the best solution

11th June 2014, Exactly like Karen Webster, CEO Market Platform Dynamics in her blog post: http://www.pymnts.com/news/2014/is-the-emv-journey-worth-the-price/#.U5gWrPnV95E ), at SPA we are also skeptical. Indeed we only develop and sell payment technology that we fully control and trust.

We are not believers but a pragmatic industry offering the best smart card technology for retail payments. Our cards fit remarkably well the requirements of the financial industry and the consumers, and that’s probably the reason for their successful history.

Following the publication of her blog post (http://www.pymnts.com/news/2014/is-the-emv-journey-worth-the-price/#.U5gWrPnV95E), SPA has been in touch with Karen Webster to exchange views with regards to the future of chip card technology in the US.

We appreciated her willingness to discuss with us even if our approach and vision differ substantially from hers. Confronting arguments is always a good way to move ahead. But we disagree with her opinion that the smart card technology is obsolete. We explain hereafter why.

In our opinion, Karen’s paper misses a fundamental point: the reason why in an evolving technological world the so called “20-years-old” technology is still cutting-edge. The answer is that smart card technology solve functional and security problems intrinsic to retail payments in a more efficient way that any other alternative. For instance, despite the huge amount of energy and money invested in breaking the card, no one has been able to install a virus or worm and extract the secret information that the card protects.

A second point that Karen somehow overlooks is the fact that in our industry the point is not about reinventing the value exchange between merchants and customers, but to provide them with safe and convenient payment instruments which don’t put users at risk… and facilitate that way commercial transactions. Because the trend is to use mobile devices to pay, the smart card technology is offered with different form factors, so that the advantages of the traditional credit & debit smart cards are extended to the mobile payments world (eg. SIM, Secure Element)

The smart card industry is certainly very innovative. Yet in the payments world hype comes after other more important features such as security, speed, control of funds transfer and almost real time settlement. The cardholder knows his/her account data are locally stored in his/her card under his/her own control, because there is a PIN code that only he/she knows. The data generated by the card is dynamic, cryptographically protected and rendered useless for fraud purposes. Phasing out magstripe and SDA cards and replacing them with DDA and CDA EMV cards means overcoming obsolescence of the US market and protecting the users of card payment systems.

The term “obsolete” is to be used with caution. For instance, the aerospace industry was still using discrete electronic components to emulate a microprocessor function many years after the introduction of the microprocessor as a single integrated chip in electronic consumer devices. Nobody claims that hardware technology used by the Aerospace technology is obsolete. The term obsolescence is in itself misleading because it gets rid of the purpose of a technology in a given context. In particular, the smart card technology support advanced security cryptographic services because it is certified against the strongest security requirements… which are public and transparent. It is hard to figure out what obsolescence means in this context.

Karen states correctly that EMV technology could not have prevented the Target security breach. But she fails to explain that attacking databases storing card and cardholder data is first and foremost motivated because of the ease to counterfeit magstripe cards using the stolen data. These data could also eventually be used to impersonate the cardholder for e-commerce and m-commerce payments, when data are entered manually in a merchant payment gateway. Aware of this, the smart card industry proposes hardware secure elements for mobile payments to protect all the stakeholders and specially the online merchants, whose chargebacks will be dramatically reduced if the secure element usage is widely adopted.

It is true and we share her concerns that in the payments world technology migration periods are longer that in other sectors. As pointed out in her article, one of the reasons is that card payments are a two-sided market. This means three things: First migration requires taking into account legacy to protect user experience, second incentives are to be provided for adoption of a new card payment technology and third interoperability standards are essential to achieving market growth. Not surprisingly, these are core business requirements for the EMV Next Generation program.

This leads us to the final part of Karen’s article on the need for a global payment standard for any connected device. SPA members invest a lot of time and money in the setting-standard process. That’s the reason why we don’t support market fragmentation due to the existence of multiple standards or proprietary de-facto specifications. The global interoperability standard for card payments already exists, it is EMV and works remarkably well. Moreover it is complemented with a certification and type approval process. It is true that EMV specifications at present don’t cover all the mobile payment methods. This is why in collaboration with US big banks and the European commercial banks of the European Payments Council we are pushing for ISO 12812, the first international standard for mobile payments and mobile banking.

Finally, it is correct that EMV smart cards cannot solve all the security issues. In the payment security industry we are well aware of this, including EMVCo members and card issuers. But it is also true that the technology tackles down card payment fraud to almost zero. The consequence is that fraudsters target weak card implementations and as a result the cardholders of these weak card implementations are put at unnecessary at risk. Considering the Target data breach, the decision by US major banks to speed up their migration plans for the issuance of smart cards is a very wise one.