From Chip to NFC: A necessary evolution

Consider this: Over its Sept 19th launch weekend, Apple has effectively shipped over 10 million EMV cards. Maybe these weren’t actual cards – rather, containers that could end up being a host to over 80M issuer cards eligible for Apple Pay. So how many among those will knock on a retailer’s door at launch? Initial device sales are to a loyal fan base. Should be easy to guess. Should be easy to spot too, as the aggregate NFC payment volume in the US has never been more than a whimper.

The question I have seen asked a lot is – will it be sustainable? Is a tap using Apple Pay such an improvement over a swipe that the consumer will be willing to learn a new behavior? I believe it is – even though much of what realizes that improvement is abstracted away before the customer even gets to the point of sale (tokenization for example) – such that merely comparing the act of transmitting a credential is an incomplete measure. Even so, comparing a tap to a swipe is irrelevant when the latter is giving way to ‘chip and dip’. Except with dip, that behavior change is instead being forced on the consumer by the retailer and the issuer. And with little real consumer benefit to boot.

More issuers are scaling issuance of EMV cards in the US, largely equipping international travelers with a chip card so that their top of wallet preference is not swayed by merchant acceptance choices abroad. But issuers are also sending chip cards at renewal – which I believe to be largely counterintuitive in the domestic landscape, due to an unprepared consumer audience and a confusing PoS landscape.

Walmart is one of those few. I am yet to come upon a payment experience at a Walmart terminal with chip cards, that has not taken less than a full New York minute – and these days I am usually the poor schmuck caught behind the unfortunate chap struggling to insert the card long enough for the transaction to complete – while keeping up with the cryptic reader prompts. The cashier is apathetic. Having accidentally chosen chip cards out of my wallet on prior trips at Walmart – and knowing firsthand the broken experience that follows – these days I consciously choose another credit card when I get to a Walmart point of sale. And having those choices in my wallet today – I am not willing to tinker nor linger – with a six person deep queue behind me. One of the few places where strangers can still openly critique your competency is around your ability to navigate a credit card reader.

I remember hearing that it would cost Walmart $4M annually in payroll if every transaction took an additional 5 seconds. The shift to EMV would be bloody and I wonder how much retailers are willing to bet on this bold, costly and temporary experiment? For Walmart, it is an understandable move – motivated to knock out the cross border fraud it sees from fraudsters cloning swipe cards (to be used in US stores) from legitimate (European EMV) chip cards.

Yet, EMV is not a panacea – it is a set of tools to verify – unambiguously – the legitimacy of the card being presented. It is hardly the best option today, because the PAN is sent unencrypted to the point of sale, and because it is still possible to clone the card – sans chip and cryptogram – to create a swipe-able magstripe card that can be used at a non-EMV merchant terminal. It does nothing to protect online transactions. So tell me – How long must we treat these differently – one approach to protect the plastic, and another for e-commerce? Especially now that these two are coalescing…

On the other hand, tokenization has, in one fell swoop, solved for both. And now, maybe the payments stack as a whole – including consumers – can have a say in protecting both privacy and commerce. Retailers must act fast to adapt marketing and loyalty efforts – and further decouple retail and CRM systems from the PAN. And issuers should not look to simply shifting liability when it suits them – and instead approach transactional risk more granularly. A reduced risk overall must translate to economic gains for all – not just some – in the value chain.

But, for all the nuance we are now able to bring to solve for fraud holistically – plastic offers no help. That requires a connected device. So if between the mobile device and tokenization we can cure for transaction fraud – then why are we still messing around with chips embedded in plastic cards? EMV is forcing a behavior change today across the retailer landscape – except, we now have the ability and the reason to preempt the wrong behavior from taking root.

If EMV was a head fake for NFC then screw it… let’s not fake it anymore.



Board of Advisors at SimplyTapp - creators of Host Card Emulation driving democratization and open access to NFC in Android. Mobile Commerce & Payments Lead at Experian Global Consulting, serving Experian's clients in Banking, Retail, Consumer Credit & Payments. A strategic adviser w/ over 17 years of international Tech & Business Strategy consulting, advising firms in banking, retail & asset mgmt that seek clarity & insight into the myriad business models around payments, fraud & commerce. Founded DROP Labs, a mobile payments/commerce strategy & advisory practice.
Cherian Abraham
  • Marinka

    Always appreciate your blogs, they never fail to open great points for discussion/debate.

    I don’t disagree that the evolution towards tokenization for NFC transactions makes a lot of sense. Providing additional security to a payment transaction originating from an inherently insecure device is a requisite safeguard.

    Plastic cards however, are not going away. Despite the seeming ubiquity of smart phones not everyone owns a smart phone. In addition, people who own smart phones may not want to use the phone as a payment device, may not always carry their phone or for a myriad of reasons, need to use a plastic card to complete a financial transaction (in my case, despite weeks of effort and approximately 15 calls to customer service at CIBC/Telus can’t get the mobile payment app to work on my Blackberry Z10).

    EMV transactions are not inherently complex, cardholders will figure it out. You put your card in the terminal, you confirm the amount and enter a PIN (I refuse to even acknowledge signature as an EMV CVM), the terminal is patient, it will wait, you don’t have to race along hoping the terminal doesn’t outstrip you to reach the end of the transaction first.

    Is a dip transaction slower than a tap or a signature-less swipe, yes, but don’t forget you are the nation who fervently rejected contactless (tap) payments ten years ago (the slow progression towards contactless payments worldwide is your fault (well not yours personally)). And I do admit, at least in Canada, Walmart has awful, clunky, unfriendly EMV payment terminals.

    And as for the security, EMV contact transactions can also be encrypted and tokenized. And even without encryption, they provide a high level of security not available with a mag stripe card. As mag stripe channels disappear and CNP transaction security improves, fraud rates associated with chip cards will be further reduced (in Canada, Interac (debit) which does not support CNP or fallback (use of the mag stripe on a chip card), has seen fraud rates plummet since the intro of chip).

    In the end a variety of payment alternatives will emerge and co-exist to meet different user needs.

    • droplabs

      Marinka – Thank you and it’s been a while since we caught up.

      As for the points you raised – all valid, but I’m not convinced that the friction we now have to endure at the point of sale is in fact translating to something meaningful for all parties in the payment value chain. I know cards are here to stay, I am making a case that they don’t add materially to the improvements that we now require to secure commerce and it’s time we ditched any feelings of guilt to keep them in play.

  • disqus_1jXNt1mH7N

    Cherian,

    I’m a lay person who has been following the mobile payments developments for investable opportunities for the last couple of years. Can you clear up some confusion I have from your article? Thank you for all your insight!

    You say tokenization (using NFC) solves both possibilities of card-hijack theft (stealing the card’s data strip info from a POS or stealing the card’s number from an online use). (Am I interpreting this correctly?)

    How does one use NFC or Apple Pay online to bring about tokenization for a safe purchase? What’s the equivalent of an online POS machine?

    What are CRM systems and PAN?

    -Thank you….-Margaret

    • droplabs

      Margaret –

      Tokenization is a method in which the PAN (Primary Account Number – the card number embossed on your CC) is replaced with a different unique number. The latter can have a broader context attached to it – such as restrictions of usage with a specific merchant or channel, therefore making it useless to a fraudster. Tokenization does not require NFC, which is really the standard used to move the card information from your phone to the merchant terminal.

      NFC comes into play only when the merchant and the consumer are in close proximity – and thus security in online payments has been solved for by a number of other measures. Tokenization is applicable online as well – because it is a step that guarantees that the payment credential is secure in transit or at rest.

      CRM: Customer Relations Management (Or Merchant Loyalty systems).

      • disqus_1jXNt1mH7N

        Thank you!
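
The restricted token described in the tokenization reply above (a stand-in number that is useless outside its merchant and channel), sketched as an added Python example that is not part of the original post or its comments. It goes one step beyond that reply by adding a per-transaction cryptogram; the vault design, HMAC-SHA256 standing in for the real EMV cryptogram algorithm, the counter-based replay check, and all names and sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def make_cryptogram(key, token, merchant, amount, counter):
    """Per-transaction MAC; HMAC-SHA256 stands in for the real EMV algorithm."""
    msg = f"{token}|{merchant}|{amount}|{counter}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class TokenVault:
    """Toy token service: maps tokens to PANs and enforces their restrictions."""

    def __init__(self):
        self._records = {}  # token -> restrictions and key material

    def provision(self, pan, merchant, channel):
        """Issue a random token (not derived from the PAN) bound to one domain."""
        token = pan
        while token == pan or token in self._records:
            token = "".join(secrets.choice("0123456789") for _ in pan)
        key = secrets.token_bytes(32)  # assumption: held only by the phone
        self._records[token] = {"pan": pan, "merchant": merchant,
                                "channel": channel, "key": key, "last": 0}
        return token, key

    def authorize(self, token, merchant, channel, amount, counter, cryptogram):
        """Return the PAN for issuer routing only if every check passes."""
        rec = self._records.get(token)
        if rec is None or (merchant, channel) != (rec["merchant"], rec["channel"]):
            return None  # unknown token, or used outside its merchant/channel
        expected = make_cryptogram(rec["key"], token, merchant, amount, counter)
        if not hmac.compare_digest(expected, cryptogram):
            return None  # token copied without the device key
        if counter <= rec["last"]:
            return None  # replay of an earlier transaction
        rec["last"] = counter
        return rec["pan"]

def demo():
    vault, pan = TokenVault(), "4111111111111111"  # constructed test PAN
    token, key = vault.provision(pan, "merchant-A", "nfc")
    good = make_cryptogram(key, token, "merchant-A", 1999, 1)
    elsewhere = make_cryptogram(key, token, "merchant-B", 1999, 2)
    return {
        "legit": vault.authorize(token, "merchant-A", "nfc", 1999, 1, good),
        "replayed": vault.authorize(token, "merchant-A", "nfc", 1999, 1, good),
        "other_merchant": vault.authorize(token, "merchant-B", "nfc", 1999, 2, elsewhere),
        "other_channel": vault.authorize(token, "merchant-A", "ecom", 1999, 2, good),
    }
```

Only the first call in `demo()` resolves to the PAN; the merchant never sees the PAN at all, and a token skimmed at the point of sale fails at any other merchant, on any other channel, and on replay.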