The diminishing aura and utility of Coin

Coin

Much has been written of late, about Coin and its peers. Coin, Loop and others are worthy emerging players who have focused on innovating on the edges of the current payments framework – and consider convenience a more lucrative goal vs disrupting it altogether. Despite bank’s aversion to having their brands wrapped by a 3rd party – Coin and its peers have much consumer support. I have little to say about the product as-is – I think it’s a sexy widget, but for me – I am too cheap to pay for a plastic replacement when I carry around one already. However I believe they are intentionally evasive when it comes to their respective roles in an EMV landscape. Much of that follows focuses on Coin, but really – applies to Loop and others as well.

When Coin launched mid-November of 2013, EMV wasn’t a critical waypoint on a card issuer’s roadmap – than less than a month later when Target happened. There was little consensus across the board on what EMV was supposed to accomplish – but Target breach crystallized the debate by focusing the role of EMV in eliminating counterfeit card fraud. A number of the larger card issuers in the US have all but committed to issuing chip cards over the next two years – much of it being a segmentation play – focusing on travelers, card expirations etc. And if you accept that US is on an accelerated course to a certain EMV landscape – then where does Coin fit within it? Coin and its peers use the excuse of a drawn out merchant terminal upgrade process and mag-stripe support as reason for its raison d’etre – but that is a contestable notion as I have laid out below.

I have primarily two reasons for questioning Coin’s utility in the inevitable EMV future.

#1 Technological and business alignment challenges working with Banks & EMV Cards

Currently, for Coin to emulate a mag-stripe card, it has all the requisite data available on the Tracks #1 and #2 of a Mag-stripe card. However with EMV Chip cards – additional security capabilities come in to play – including a chip that can create a strong cryptogram that is verified by the issuer in the transaction path, and a response cryptogram that can be verified by the chip on card in return (to prevent man-in-middle attacks). This occurs so that the card can verify itself unambiguously to the issuer, and the chip alongside of a customer-input pin can provide the second-factor authentication that not only verifies the card – but also verifies the customer.

Now – with Chip cards – the task of emulation is impossible. The chip contains a private key that is used to create the unique transactional cryptogram – and without the private key – one cannot consistently create the cryptogram to pass issuer authorization. An issuer would have to hand it’s private keys to Coin for it to provision these credentials in to a “future Coin chip compatible product” – but the technological complexity that ensues can only be matched by the unwillingness of card issuers likely to be approached by Coin. How do you convince banks that it is in their best interest to wrap their cards behind your brand?

Thus, to me – Coin is a bridge solution, of limited utility before chip cards become prevalent. But the inevitable squeeze comes from both directions. Coin is not only made irrelevant by the inability to clone chip cards – but also by a narrowing footprint for acceptance as merchants clamp down on reducing their liability exposure as we get closer to the October 2015 date.

#2 Fraud Liability Shift & Merchant acceptance

Coin states thusly on the topic of EMV Chip cards –

Q. When I get an EMV card, will it work with my Coin?

A. If it has a magnetic stripe (Chip-and-Signature), load that bad boy onto your Coin and use it wherever you go.

I believe Coin is being disingenuous on this piece of advice. Here’s why.

Coin makes you believe – that if you received a Chip/Signature card from your bank, you could import the mag-stripe data in to Coin as same as any other mag-stripe card, and you could use it where ever you shop. Coin is correct in the assumption that at least for the next decade – EMV cards supplied by your bank will continue to support mag-stripe – for backward compatibility with merchant terminals that do not support Chip cards.

However, in preparation of the merchant liability shift dates – scheduled to fall on October 2015 – merchants such as Walmart and Sam’s Club have already toggled their EMV Point of Sale terminals to force customers to dip their Chip cards instead of swiping. What this means is: If I carried my Citi AAdvantage Chip card in to our local Walmart today and attempt to swipe – the Point of Sale terminal is smart enough to ask me to dip my card instead.

citi-executive-aadvantage-world-elite-mastercard

Forcing me to dip my chip card is not a decision taken lightly by the merchant – it is so that the ensuing transaction can rely on the most optimal authentication measure where the card verifies itself to the terminal using the best verification capability available to it. And when a customer presents a chip card to an EMV equipped merchant terminal – to achieve maximum fraud and liability coverage, the merchant must require that the customer use the best available card verification possible (normally chip & pin – but in the case of US – chip and signature).

Currently, I am unaware of merchants other than Walmart and Sam’s Club who forces the customer to dip a chip enabled card vs tolerate a swipe. Accommodating this change, well ahead of the Oct 2015 liability shift, enables Walmart to prepare and condition it’s checkout lanes, employees and in-turn customers before every customer is carrying a chip card and checkout lanes grind to a halt. Another reason is to bust international fraud – where fraudsters use cloned mag-stripe cousins of valid European EMV cards to commit fraud in US Walmart stores. If Walmart allowed the fraudster to swipe vs dip (and thus fail to verify authenticity of card) – it would be unable to prevent fraud and thus be on the hook for any fraud that follows.

So how does the Walmart Point-of-sale terminal know I should dip instead of swipe?

When I swiped my Citi AAdvantage chip card – the card reader will read the magnetic stripe and by interrogating the contents of the first byte of the service code in the Track 2 data it can quickly determine if I am using a Chip or a Mag-stripe only card. At this point, depending on how the merchant or acquirer intend to proceed – the point of sale can either allow the mag-stripe supported transaction to proceed or interrupt and prompt the customer to dip the card instead. And in the case of Walmart, Sam’s Club and soon to be – many other merchants – the latter would be the norm. And it’s a sound strategy for the merchant – who will be on the hook if it does not mandate the use of the best available card verification measure when one is present. And in the time before Coin, Loop and the many other “hardware wrappers” waiting in the wings – choosing to swipe when chip is present, is a predictable indicator of a fraudulent, counterfeit card.

So what happens with my Citi AAdvantage card – if I – as Coin indicates “load that bad boy in to Coin” and head on down to Walmart?

Upon my attempt to swipe – the smart(er) Walmart Point-of-sale will challenge me to dip, and after multiple attempts to do so with my Coin, I would either resort to another card within (if chip – rinse and repeat) or give up and use a plastic alternative. So Coin’s claim that it will continue to work with merchant EMV terminals that support mag-stripe is misleading at best and disingenuous at worst – because success of a swipe depends on the merchant’s risk appetite and certainly cannot be controlled by Coin or the consumer.

And what happens if the bank notices the many incomplete swipe attempts of their Chip cards – transactions that would have netted some revenue that instead – went to a competitor?

What happens when the retailer notices that it’s taking on more liability risk due to a payment choice issued by a third party?

Now – the Venn diagram of people who use Coin and people who shop at Walmart may look more like a pimple on an elephant. But this problem is only going to get more visible for people using Coin – as inevitably more EMV cards are issued by banks, and more merchant terminals force a dip. And as that happens – the reported 85% terminal support figure will begin to evaporate – and Coin customers will have to reconcile with its rapidly diminishing utility and acceptance.

Comments?


You can connect with me on LinkedIn here.

Board of Advisors at SimplyTapp - creators of Host Card Emulation driving democratization and open access to NFC in Android. Mobile Commerce & Payments Lead at Experian Global Consulting, serving Experian's clients in Banking, Retail, Consumer Credit & Payments. A strategic adviser w/ over 17 years of international Tech & Business Strategy consulting, advising firms in banking, retail & asset mgmt that seek clarity & insight in to the myriad business models around payments, fraud & commerce. Founded DROP Labs, a mobile payments/commerce strategy & advisory practice. Tweets here. I'm on LinkedIn here.
Cherian Abraham
View all posts by Cherian Abraham
Tagged , , , , , , , ,
  • Thomas Normann

    As a European, I find this quite amusing. In Norway, we did this some ten years back. I agree on what you’re saying, and I do hope that the push for EMV can also help with adaption of contactless terminals. What is the penetration of NFC capable terminals in the US now, do you know?

    • droplabs

      I have not yet seen a total number of deployed contactless terminals from the likes of Verifone or Ingenico. I doubt it is above 7%. Even when contactless is embedded and comes with a terminal refresh, merchants are so far apathetic.

      • Thomas Normann

        Thanks for the reply! Hopefully, the numbers will rocket with all the focus on Cloud Based Payments.

  • Pingback: Coin - [No referral links] Single Card To Replace All the Plastic in Your Wallet - Page 10 - FlyerTalk Forums()

  • Sean

    I heard, though I’m not certain it’s true, that coin could essentially change that byte with the service code when it clones the magnetic strip, such that the terminal wouldn’t know the card was originally EMV.

    Is this actually something possible? Although, I feel if they did this, they would quickly find themselves with a Cease and Desist order from Visa/MC, as that would be akin to committing fraud.

    • droplabs

      I would definitely like to see this scenario play out. V/MC and the Issuers would be so quick with a C&D that it would make our head spin.

      • luis

        The service code is used to compute the CVC1, using a secret key known only by the issuer. If they change the service code, the CVC1 written within the magnetic stripe won’t match and the authorization request may be denied by the issuer.

  • Andre

    Good post and you make some very valid points. Perhaps, then, the only business case left for Coin will be storing magstripe based loyalty cards rather than payment cards.