What is EMV Chip Technology? 11 FAQs about EMV Cards

This is a set of FAQs for the emerging USA market, which is today moving towards EMV. In the USA, EMV is now starting to happen quickly in order to catch up with the rest of the world, where EMV has been implemented over the last 15 years.

1. What is EMV?

EMV is the standard that was created about 15 years ago to increase the security of payments globally and reduce fraud, at the same time as making payments easier for all parties. It was originally conceived by Europay, MasterCard and Visa – hence the name. It was a US company initiative, but was adopted much faster around the rest of the world for a number of reasons.

2. Does EMV work – Is it proven?

Yes.

It is used almost globally now. The USA market may be a large market in itself, but it is now just a small final part of the global solution left to implement EMV. Overall, EMV has reduced fraud where cards are present at the point of sale to almost $0 and created a safe card processing architecture for all parties. There have been a lot of misreported problems that often stem from articles written 20 years ago, but all the pre-EMV doom-mongering has proven unfounded. EMV has been a global success.

Sadly, the US market is where the fraudsters have moved their operations to – i.e. away from the markets that have implemented EMV – where EMV-based OTC fraud has reduced to almost $0. The compromised cards from, say, the Target and Home Depot data thefts have been little more than useless in EMV environments.

3. Why has the US become one of the last markets to adopt EMV?

The easy answer is to say: ‘we do not know’.

The more complex answer is that there were a series of technical, strategic, legal (Dodd-Frank / Durbin) and operational issues that delayed implementation of EMV. There were also many less relevant reasons that managed to be cited for non-adoption of EMV over the years.

4. What are the main reasons that have held us back in the USA?

The reasons are many, but fall into the following broad categories:

  • The US does not have a national payments ‘card strategy’ direction body. In the rest of the world, implementations have been either directed by a government or national body or have been supported by a strong collection of interested parties who have created the business cases, statistics, and losses for the problem. Similar bodies have driven forward the solutions and project-managed the communications and change management.
  • Many interest groups have examined their own costs of implementing an EMV solution in isolation from the industry as a whole – and based upon assumptions that benefits would not be realised or passed on. The average interchange costs from the schemes for ‘secure transactions’ – which are defined as EMV transactions in an OTC environment – are lower than those for non-secure transactions, which form a large part of the financial benefits differential for an EMV implementation.
  • Without a strong ‘national’ lobby group, retailer groups in the US have not been able to so readily ‘demand’ softer benefits for an EMV programme such as making the customer journey easier, cheaper, and quicker at the till. Retailer groups have assumed that the costs would fall to them, without benefits.
  • The payments market is fragmented with so many different parties with their own P&Ls and interests – e.g. card schemes, Issuer banks, Acquirer banks, processors, technology providers and merchants. Some of these groups are stronger and bigger than others, and the best decisions for ALL parties may not have been made.

5. What other reasons have been cited for not implementing EMV?

There are many of these, so it is hard to know where they start and finish, but the main ones seem to be:

  • The cost of card upgrades is perceived as high – whereas in fact costs have fallen exponentially over the last 15 years; and we still see people who quote costs associated with the 1990s. CHIPs on cards or on SIM cards are now a cheap commodity.
  • The cost for merchants is perceived to be too high: a perception that is unfounded. Most merchants upgrade their POS equipment regularly and in doing so, the wise ones will implement CHIP readers. This technology is relatively cheap and technically much more robust than magnetic stripe readers. In other markets, large retailer groups have demanded PIN implementations because this removes the need to take and store signatures, and puts the card and customer ‘checking’ / security process back into the hands of the card issuers rather than as a part of the duties of a till operator. Experienced PIN users find the ‘signature processes’ both slow and cumbersome. Retailers like PIN as the throughput of customers is faster, and documentation storage, production and retrieval are removed.
  • There are legal reasons that prevent adoption in the US. The main reasons seem to be associated with a need for payers to be allowed to select payment methods at the point of sale (often associated with the Durbin Act). EMV standards were amended many years ago to permit such choices at the point of sale in order to accommodate needs for such flexibility within other countries in the world.
  • EMV is only for off-line transactions – A belief that EMV is either only for off-line transactions, or mainly for off-line transactions, persists. EMV has security, handshakes and flexibility for all parties in many ways, and it allows for cards to be used in off-line environments securely and safely too, but ONLY if defined by the card issuer as a requirement. Many issuers will not require such functionality, as the world is moving fast to become fully ‘online’. Where customers travel to countries (or indeed regions without ‘on-line’ capability in the US or EU), i.e. where they need to deal with merchants which are away from a telecoms infrastructure, it can be useful for banks to allow customers to spend in such locations that may be off-line. Scheme rules are however continuously changing and Telecoms are becoming much better than they were 10 years ago.
  • The USA infrastructure is too complex to change: often accentuated by the woes of the numbers of suppliers, gateways and issuers/acquirers within the market. This may well be perceived to be the case, but we also have to bear in mind that the experience globally is of far greater complexity, and that times change as solutions and markets evolve. We must also remember that we moved (globally) from zip-zap machines (knuckle-busters) to magnetic stripe processing, and exactly the same arguments were used then.
  • NFC is not supported in EMV – this is very incorrect. The EMV standard provides ‘the rails’ upon which NFC runs – and removes the insecure NFC that is based around ‘open’ unencrypted magnetic-stripe ‘Tap and Go’ cards that were issued a few years ago in the US. There has been long-running, re-hashed investigative TV reporting on card details being stolen via NFC readers, which is just not possible in an EMV environment. Of late, we have also seen reports that EMV is vulnerable because of NFC – which again is incorrect and confusing.
  • There are better solutions – if we wait. This is true – There are always better solutions tomorrow, for any market and any solution. However, in payments there is nothing proposed or planned that will work – nor anything that is being designed by any significant body anywhere. The EMV standard was designed 2 decades ago by US companies, agreed to by most of the global card schemes and has been implemented as the global standard almost everywhere. It has also become the global standard and platform for building upon, with amendments adopted to accommodate things such as PCI DSS, greater levels of security, NFC and multiple transaction routings. ApplePay and AndroidPay are technologies that are evolving fast, but they adopt the security that forms part of the EMV standards – rather than replacing them or evolving them.
  • Delays are inevitable now that retailers need to accept Applepay and Googlepay/Androidpay: No. The EMV architecture can be used for these payment types with no need for further POS Terminal changes. The EMV infrastructure is all that is needed and around which these payment methods were designed.
  • Restaurants cannot accept tipping with EMV: Another Urban Myth, but one that is still quoted widely.

We would be happy to add other interesting entries to this list if you please provide them to us. We know of many others, but those provided above are the main ones that have substance and traction; and where we can see where some of the confusion or misunderstanding might have come from.

6. How will EMV stop frauds associated with the big data compromises like Home Depot?

Generally, with the Data Hacks / Compromises that seem to be common news these days, card details are captured from the records kept at the retailers and these are then used by the fraudsters to create fake cards or use them on the internet. Fraudsters can purchase a magnetic stripe Card encoder for less than $10 and go into business making magnetic stripe cards with stolen details. So the card numbers have great re-sell value on the ‘Dark Market’.

Card details can also be collected from an EMV card, and whilst these cannot be used to re-programme another EMV card, they CAN be encoded onto the magnetic stripe of a Counterfeit Card. In this case the Card Issuer will know that this has been done and stop any fraud. If the Merchant’s terminal has a Chip reader the card will not communicate correctly, and if it is a magnetic stripe card the correct magnetic stripe security details will not be present as these are not available on the EMV chip. Fraudsters can try and re-programme an EMV card chip; but this is a lot harder and has not successfully been done. Even if it was possible to re-programme an EMV Chip card, there are much easier ways to commit card fraud.

So, whilst the EMV Chip will not stop data compromises, the stolen data becomes very much harder to use and almost not worth stealing. Indeed today, whenever data is stolen from anywhere in the world, the fraudsters will sell the data for use in non-EMV environments – which is why the US has the largest fraud losses globally.
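
The issuer-side check behind the answer above, as an added example that is not from the original article: the stripe and the chip are personalised with different verification values, so track data copied from a chip and encoded onto a stripe is recognised at authorisation. The track layout, key and card data are constructed, the fixed chip service code is a modelling assumption, and HMAC-SHA256 stands in for the 3DES-based scheme algorithms.

```python
import hashlib
import hmac

# Constructed demo values; not a real card or issuer secret.
ISSUER_KEY = b"constructed-demo-issuer-key"
PAN, EXPIRY, SERVICE_CODE = "4000001234567899", "2712", "201"
CHIP_MARKER = "999"  # assumption: the chip's value is bound to a fixed service code


def verification_value(pan, expiry, service_code):
    """Stand-in for the issuer's card verification algorithm.

    Real schemes use a keyed 3DES-based computation; HMAC-SHA256 reduced to
    three digits is swapped in so the example needs only the standard library.
    """
    msg = f"{pan}|{expiry}|{service_code}".encode()
    digest = hmac.new(ISSUER_KEY, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1000:03d}"


def build_track2(pan, expiry, service_code, source):
    """Issuer personalisation: stripe and chip images carry different values."""
    bound_to = CHIP_MARKER if source == "chip" else service_code
    value = verification_value(pan, expiry, bound_to)
    # Assumed layout: ;PAN=YYMM + service code + 3-digit value ?
    return f";{pan}={expiry}{service_code}{value}?"


def parse_track2(track2):
    """Split the assumed Track 2 layout into its fields."""
    if not (track2.startswith(";") and track2.endswith("?")) or "=" not in track2:
        raise ValueError("missing sentinels or separator")
    pan, rest = track2[1:-1].split("=", 1)
    if len(rest) != 10 or not (pan + rest).isdigit():
        raise ValueError("unexpected field lengths or characters")
    return {"pan": pan, "expiry": rest[:4],
            "service_code": rest[4:7], "value": rest[7:]}


def authorise(track2, entry_mode):
    """Issuer decision for one authorisation request.

    entry_mode is how the terminal says it read the card: 'chip' or
    'magstripe'. Real chip transactions also carry a per-transaction
    cryptogram, which is not modelled here.
    """
    try:
        f = parse_track2(track2)
    except ValueError:
        return "DECLINE_MALFORMED"
    stripe_value = verification_value(f["pan"], f["expiry"], f["service_code"])
    chip_value = verification_value(f["pan"], f["expiry"], CHIP_MARKER)
    if entry_mode == "chip":
        ok = hmac.compare_digest(f["value"], chip_value)
        return "APPROVE" if ok else "DECLINE_BAD_VALUE"
    if entry_mode == "magstripe":
        if hmac.compare_digest(f["value"], stripe_value):
            return "APPROVE"
        if hmac.compare_digest(f["value"], chip_value):
            # Swiped, but the value is the one only the chip holds:
            # the track was harvested from a chip and put on a stripe.
            return "DECLINE_CHIP_DATA_ON_STRIPE"
        return "DECLINE_BAD_VALUE"
    return "DECLINE_UNKNOWN_ENTRY_MODE"


if __name__ == "__main__":
    genuine_stripe = build_track2(PAN, EXPIRY, SERVICE_CODE, "stripe")
    chip_image = build_track2(PAN, EXPIRY, SERVICE_CODE, "chip")
    for label, track, mode in [
        ("genuine card, swiped", genuine_stripe, "magstripe"),
        ("genuine card, chip read", chip_image, "chip"),
        ("chip data presented on a stripe", chip_image, "magstripe"),
    ]:
        print(f"{label:34s} -> {authorise(track, mode)}")
```
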

7. What happened on October 1st 2015?

Counterfeit Liability Shift for the US market began on this date. From this date card issuers around the world with EMV Chip cards can recover money from counterfeit transactions in the US (and anywhere else), where their card details have been placed on a Counterfeit card and where the transaction is undertaken with a magnetic stripe (usually because they have been stolen or compromised as in Q5 above). Accordingly, the losses go to the merchants / acquirers who do not have EMV Chip processing in place.

See more about this on our 1st October liability page – here, or on our roving reporter’s blog.

8. Why is all of this happening at the last minute and so quickly?

Fundamentally, this is NOT ‘last minute’ at all: plans for EMV have been in place for more than a decade.

President Barack Obama signed an Executive Order requiring that all government departments be EMV implemented/secure, to lead the way.

9. What are the issues around Signature vs. PIN?

Simply, Visa requires Signature under its Chip and Choice program and MasterCard prefers PIN.

10. Why is the USA moving towards a less secure Signature as an authentication of a customer rather than PIN?

We do not have a clue! Maybe the FBI can explain it to you. Maybe not – it will all depend on the time of day when you ask.

11. I have Signature, but I have to use my PIN abroad – What do I do?

If your Card Issuer has set up your card for overseas use, then it will work with Signature in the US and PIN overseas. If not, a merchant may accept Signature overseas, so it will still work!

Please contact us on bill.trueman@riskskill.com for more details or with any questions that we should add, or with any details that are incorrect – but please do provide supporting details and documents to support further FAQ answers that we can add to this list.

The author, Bill Trueman, is a highly experienced specialist in payments, risk review, fraud prevention and due diligence. Bill is a member of AIRFA, and director of RiskSkill and UKFraud.

Judges Pave Way for Banks in US to Sue Target over 2013 Data Breach

I read with interest the news in Finextra and elsewhere that the banks have been given the go-ahead to sue Target for $30m for the reissue costs associated with the data compromise in 2013. This puzzles me, as I then want to know how the figure of $1200 per card is calculated.

The cost of re-issue will be less than a tenth of that per card. How they can justify that size of loss based upon a reissue alone is not conceivable.

Bank Fraud Charges Against Former President of Rural Bank of Subangdaku Inc.

Another case of bank fraud has surfaced, this time in the Philippines. The Bangko Sentral ng Pilipinas has filed criminal charges against Radaza, the ex-president of the mentioned bank, for allegedly taking part in creating fictitious loans amounting to P2.6 billion when she was the president of the defunct Rural Bank of Subangdaku Inc.

Will Apple Pay kill the QR code?

An interesting question – and of course Apple Pay will not kill the QR code per se, because the QR code does a lot of different things – most notably allowing a camera on a ‘connected’ device to quickly access material without the need to type into the device, and to effect various instructions.

However, with Apple having just ‘raised the bar’ significantly in its launch of ApplePay, it will undoubtedly remove the possibility for the QR code to ever gain any ground – or to make any business case again as a payment enabler. The ApplePay infrastructure is very clear now (well, it is not clear at all, but we can draw together the following parts of the infrastructure):

a) EMV and its well-practiced security are adopted.

b) NFC enabled transactions (whether you like it or not – whether it has an EU or USA adoption rate) – which ensures that the NFC standard is adopted, and that the EMV Co protocols and encryption are present.

c) Tokenisation – to protect the personal details

d) Two/Three factor authentication – i.e. using the scanned fingerprint (or whatever is scanned to validate the transaction) and then Geo-location and/or device profiling too.

e) Reduced costs (interchange fee) and liability protection for pretty much all parties.

So why not do any of this with a QR code? Technically, this is almost all possible, but of course technical possibility and a good idea in the QR codes won’t make this work. Using a QR code produced by a device (that the consumer has) would look pretty, but would mean that:

– The customer has to enter the transaction details to validate – unless another way of communicating with the merchant was created and standardised globally.

– The protections that are in the chip on a card and in the secure area in the device where the card details are stored including floor limits, counts, rules, service codes and resets would all be bypassed.

– The secure part of the chip used and set up by Apple would have to be accessible by developers to create QR codes – which Apple should never allow (due to a compromise of that secure element, and probably not allowed by the banks/schemes either); and because they would probably not want others to use their rails – due to commercial protectionism.

– Retailers would have to create new software and protocols for reading the QR codes at the points of sale, and then create EMV CO protocols to be used to secure the transactions – which of course would preclude the retailer validation or a two way dialogue with the card / secure element.

– And ALL vendors would have to build standards for this and compete with their proprietary protocols and add massive costs for retailers.

– 3FA or further authentication validation would be impossible/hard to introduce without the EMV / NFC standards backbone.

This creates the underlying problems in:

a) The EMV Co and NFC standards, which require that there are 2-way handshakes and communication with the device and the secure element and a decryption process, would be circumvented.

b) The card schemes, who will have required the NFC to be adopted as the communication vehicle for the transactions to be permitted in Apple Pay would be removed,

c) The issuers to allow the transaction to attract the interchange concession, to be transacted using the EMV Co / NFC standards and a channel that can be used to validate the transaction and ensure closed security would be gone.

Accordingly, the security, payment guarantees, standards and security would all be removed or circumvented. So QR codes in the transactions for payments can now never be progressed – as Apple has surely killed it off in one single stroke by introducing something far superior, far more future proofed and adopting all the latest and global ‘industry standards’ to do this through – in a way that no-one else could have achieved and made to happen.

QR codes were only a transient interim technology, that only had a place in small ways to bridge the gap that has now been theoretically bridged.

We have heard a LOT about the impact of the ApplePay announcement on who/what will be affected, but one thing is sure: It has killed the QR code as a payment vehicle – but of course it will ‘live on’ as a very good ‘informational application’ tool where it has been used thus far – i.e. to stop people needing to type various things into a device.

Adopting QR code developments with access to secure elements in the device CHIP is NOT an option, and it is VERY VERY VERY VERY VERY unlikely that the access to the secure element (i.e. the underlying security) will be accessible to TP developers in this way either.

Author Bill Trueman is an independent Payments, Fraud & Risk Specialist and Managing Director of UK Fraud and Riskskill

Source: https://www.linkedin.com/pulse/article/20140915153149-6227568-will-apple-pay-kill-the-qr-code

Will The PSR changes work

The Payment Services Regulator may make major UK infrastructural changes and legal changes to ‘open up’ the payments industry and access to it in the UK in order to encourage innovation. They have the powers to do many things, but care is certainly needed. Caution is most certainly needed.

a) Only yesterday, I received an email telling me that they are not well staffed and resourced; and from my discussion and the stakeholder meetings so far, it appears that they have very little payments industry experience in the team. The objectives of the PSR need to be clear and not driven by a few disgruntled small banks wanting free access to many established infrastructures that are maintained and paid for by all of us.

b) There seems to be a format for these types of regulators who adopt an ‘economic’ regulator agenda. This format of addressing these things has opened up the telecoms networks to new operators, and the water pipe infrastructure in the water business (and Gas and electricity), and the PSR CEO comes straight from one of these. But payments are not the same, and without payment industry knowledge there is a danger that the PSR will regulate in the same way. Some creativity is required by the PSR – to ensure it does not simply act in ‘the same way’.

c) The biggest danger is that because payment systems are global and becoming more global, and as the UK is a leading global payments hub, that action by the PSR will make the UK market something different – uncompetitive, and isolated – so care must be taken NOT to do this.

d) The main restrictions on the payments ‘gateways’ are not competitive or restrictive as they were with water, electricity, gas and telecoms. The payments infrastructure is open to anyone who wants to ‘play’. The bigger restrictions are quite rightly about the governance and controls over money laundering – which requires very tough controls and restrictions to be imposed, managed, and governed. Again, The PSR needs to step carefully.

Author Bill Trueman is a Payments, Fraud & Risk Specialist and Managing Director of UK Fraud and Riskskill

Source: https://www.linkedin.com/pulse/article/20141015091911-6227568-will-the-psr-changes-work

 

Is the US ATM industry making too big a fuss about EMV?

Being based in Europe (though working globally), the U.S. reporting on EMV becomes more and more astounding to me as time goes by. The debate amazes us in Europe, and no doubt, observers globally, mainly because of the extremely strange logic being applied, and the major inaccuracies that are being propagated in the anti-EMV debates. So let’s get some of these issues aired.

EMV is a European thing. This is the most surprising revelation, and people have got to stop, stop saying this. The U.S. principle of “not invented here” does not apply. EMV is a wholly U.S.-developed, -owned and -domiciled solution that Europe adopted because of the mandates to do so coming out of U.S. companies, and because Europe saw the fraud problems looming.

With the obvious exception of Europay (which does not exist today), the original forefathers of EMV — Europay, MasterCard and Visa — are all U.S.-owned, -controlled and -headquartered companies. The EMV standards authorship and member organizations are all U.S.-owned and -based with the exception now of a Japanese and a Chinese company.

The need for EMV was driven by the fraud needs of markets outside of the U.S. coupled with the desire for enhanced cardholder verification and the ability to manage Issuer authorizations, either online to issuer host or offline at an Issuer’s agent — i.e., an EMV-enabled chip card. The European market saw the direction fraud was going; saw increases in domestic fraud losses; saw increasing cross-border fraud problems, not because we have more borders, but because in the U.K. or Germany or France we could measure it and publish it nationally because we collected national data on fraud losses.

And please stop spreading the myth that France was first to adopt EMV. It wasn’t. France was the first country to adopt cards with chips on them, using a domestic and proprietary standard, but these chips contained only low-level security that is associated today with all the inherent problems of the magnetic stripe — skimming, reproducing, counterfeiting, etc.

In Europe, though incredibly challenging to “cut through the treacle” of economic and cultural stubbornness (i.e., red tape), markets collaborated to deploy EMV-enabled cards, ATMs and point-of-sale devices. This was not delivered overnight, but it was delivered through the cooperation of a multitude of stakeholders across the financial services sector, merchant industry segments, suppliers, regulators, and others. It also took significant “championing” skills by the international card schemes — primarily Visa and MasterCard — to educate, facilitate, coerce, and reward or penalize, as the case may have been, and clearly is at the moment in the U.S..

It is also interesting to see that many other key markets and regions around the globe took lessons from Europe — both the positive and negative — to shape their own national and regional migration plans.

The ‘business case’ does not work. Well that is a corker! The business case has been established now in almost every jurisdiction around the globe. I imagine that national markets, individual stakeholders, and card schemes both regionally and globally have prepared their own weighty tomes. I am sure that if we were to read some of these individual masterpieces we would have a little “titter,” but it was a business justification that was required more than a business case.

Why is there no business case made in the U.S. yet? Why has the U.S. not been able to develop a logical, and yes expensive, business justification? I have been seeking out these mythical business cases for the last two years, and every time someone quotes from these ethereal documents, I have asked for a copy. Strangely one never appears.

Business justification is more than just cost vs. revenue. Everyone has looked at the EMV migration as a very long journey — over the long term. This does make it difficult though for a financial services industry that is fixated on next quarter’s performance reporting.

The U.S. does have an exceptional set of circumstances and problems, in that it does not have a single (or even a collection of) industry bodies that have been (or could be) coordinating a business case, costs, and losses; or developing a series of fixed vendor costs along the way.

The U.K. and Canada are just two examples of where this collaborative approach was essential, necessary, delivered and successful.

And if the business case does not exist, then why not? Business justification is more than just bottom line costs vs. revenues. It is about doing the right thing for the marketplace, corporate social responsibility, brand reputation, defending against and managing regulatory interference, new business development opportunities and, yes, the question of ROI.

Have we collectively learned nothing from the debacle at Target, to pick on just one recent case of management blindness?

In developing chips, cards, point-of-sale devices, terminal software, standards, certification requirements and the necessary supporting infrastructure, the hard work has now been done and valuable lessons learned. Key elements are already in place and these things are now all commodities.

The supplier community is ready. Merchants will take some more encouragement, but those with an international footprint already get the message and also wonder why the U.S. is so far behind. Accordingly, the costs of putting ICCs on cards are approaching single-digit percentages of the costs the European early adopters had to pay more than a decade ago at the behest of the U.S.-mandated requirements. The same applies to much of the rest of the infrastructure required.

The U.S. has so many more different suppliers, systems, infrastructures, etc. Hmmm … The U.S. does have a small number of national languages (not dozens) and a single currency (not dozens). Yes, the U.S. political stage is overly complex with federal and state legislature —  not dissimilar to the multijurisdictions of the European marketplace and those playing, or not, in the Eurozone.

Germany, France, Italy, Spain and other nations have local states and languages spread across them, and they’re often much more diverse in these single countries than within the U.S. as a whole. The telecoms-communications infrastructure in Europe has had to evolve faster as there are so many countries and in each one, different standards and architecture.

And rest assured, in most European countries (again, dozens of them), there is a completely different set of issuers, acquirers, processors, POS device suppliers and integrators, gateways, standards for these things and encryption, security, screening solutions etc. There are different European laws about data protection and transmission and privacy — and it goes on. As in the U.S., European players need to be cognizant of international law and how this affects the jurisdictions of the seller and buyer.

Durbin Act — Why this “red-herring” has suddenly become an issue is rather odd. This type of legislation is not adopted in some European countries, but it is in many others. Accordingly, one of the features that EMV had to develop to meet such legal requirements of the EU (and other countries) was multichannel functionality and the opportunity for consumers to be given choice through account selection at the point of sale. Equally, merchants can still facilitate processing options for debit and credit transactions.

Contrary to popular myth, routing logic is not prevented by the introduction of EMV. In fact, EMV functionality makes it easier to determine and communicate at the point of interaction. All that is needed is for all key stakeholders to sort out the legal debate and agree on the business rules.

Would somebody please track down the first person that started to propagate the Durbin EMV fallacy and see why they started this hare running, and would everyone else please check the facts and stop believing it?

EMV does not support NFC. Really? Check the numbers for all NFC-enabled card programs outside of the U.S. EMV supports the pixies at the end of the garden; it is the founding technology behind warp-drives, cloaking devices and time travel; it will make the supper; and it contributes towards world peace. Again all fallacies, though the last maybe nearer to the truth than all the rest put together. But it is this world peace question that is worth debate and thinking about — especially in the context of the challenges of card acceptance in Russia at the moment!

The author of this post is Bill Trueman, who is a UK-based independent Payments, Fraud & Risk Specialist and Managing Director of UK Fraud and Riskskill

For more information visit http://www.ukfraud.co.uk/ and http://www.riskskill.com/

UKFraud Seeks To Reduce Mobile Wallet Payment Risks

Following the recent launch of its mobile wallet consultancy practice, risk and fraud prevention consultancy UKFraud (www.ukfraud.co.uk) has launched a range of analytical, consultancy and advisory services aimed at helping businesses in the mobile commerce and payment solutions space to ensure that their products are ‘right’ before they hit the market.

The consultancy practice was established to provide strategic advice and direction to protect mobile solution providers from creating new payment architecture solutions with insufficient protection from data breaches and other risks.  In addition, the new services offered by the practice are designed to deliver a comprehensive  assessment of new wallet product strategies. In particular, the UKFraud services will ensure that wallet providers incorporate the right customer ID and authentication technologies and processes.

In advising producers of future wallet type products, the practice’s services draw upon the research, findings and in-depth analysis of the market by UKFraud’s own Mobile Payment Special Interest Group (SIG). In its findings, the SIG recognised the need for all financial product stakeholders to develop risk reduction strategies capable of matching the projected rapid growth of the global mobile payments sector over the next eighteen months.

The launch of the new range of services  reflects a significant increase in the development and appearance of a range of wallet type products in the market. These include a number of recent, positive and influential developments, such as those from Google with their Wallet, mPowa, Skrill, and Apple with the launch of its well-received iPhone 5S with integral fingerprint reader.

The UKFraud practice also advise on a broad range of devices, architectures and platforms including smartphones, tablets and app software along with the likely fraud risks of transporting mediums such as the internet and/or mobile carriers, including NFC, Bluetooth or Wi-Fi, and entry into traditional payment gateways.

A key element of this advice is in the areas of ID and authentication. There are a number of different forms of ID and authentication techniques that wallet products can use.  These  combine traditional physical processes and technology checks with increasingly more contemporary ones such as biometrics. UKFraud aims to ensure that all elements of these technologies and processes are developed or evolved to be ‘user-proof’ as well as ‘fraudster-proof’. Key elements of a proper wallet infrastructure should include:

1. Authentication of user identity.
Someone, somewhere must always be able to verify the identity of the individual who owns the device, or at least to have protection against possible identity theft attack in the future. This is true for any form of identification, whether it is through a traditional approach or through evolving biometric checks. Currently there are few consistent standards in the methods with which a user’s bank account, payment preferences, or even credit history is tied into biometric records in order to gain access to such details. This area is especially significant, as there are serious existing layers of legal requirements for identifying customers for all money transmission providers who have to meet Money Laundering, Drug Trafficking and Prevention of Terrorism compliance standards. Future Wallet providers cannot be exempt here if they are involved in the creation or handling of financial ‘events’. Thus the authentication of IDs to meet these current standards must accompany all biometrics validation tools and not be replaced by them. For this reason there must be careful planning to ensure that new identification methods are built on strong foundations.

2. Validation of the technology architecture.
Emphasis also needs to be placed on any secure repository for the data collected. This includes analysis of where the data is securely held and how accessible such repositories are to others and just how well encrypted the data is. However, equally all transmissions that contain sensitive data need to be ‘looked after’ and protected over time. In addition, the processes, technologies, validation of identity and the transmission of sensitive data must all be based upon a technology and process base that is globally useable, acceptable and safe. UKFraud feels that this explains why so many organisations are baulking at the prospect of taking action in a non-standardised direction which risks everything.

3. Interoperability
As so many solutions are still evolving, ‘wallet events’, especially those where payment occurs, can be very different in nature. Equally, where any biometrics or codes and/or passwords are used and transmitted, these must also be stored somewhere in the ‘wallet’, in a device or in a cloud based solution. This is a point of risk and the potential target for attack. Further, there is also other personal user identity data such as entry tickets, vouchers, discount codes, club memberships, allegiances, contacts and diaries that the market has not yet contemplated storing electronically on the mobile ‘wallet’. This all needs to be compatible or interoperable. This interoperability often needs to be global too. The only global operability standards today rest with the major Card Scheme payment solutions which are globally linked, and completely standardised, by virtue of the authentications and controls that have evolved over decades. These are also safe and robust when dealing with criminal attacks and failures.

4. Transferability
Taking it a step further; consumers will most likely require the ability to change ‘wallet’ or data solution provider, so that we can have everything that we need still available to us when our ‘device’ breaks or changes. This facility needs to be built into the wallet and UKFraud will question whether the new and innovative solutions they examine follow the same or common standards that enable customers to move their funds, data and information from one provider to another with ease.

5. Reliability
A challenge that some biometric authentication has traditionally had, in addition to the commercial rollout realisation, is how well it actually works. Some of these technologies, through lack of global standards and specifications, have on occasion been the subject of perceptual concerns about some of the systems’ reliability in storing and validating data against biometric records as a consistent form of identity.

UKFraud believes that it is essential that the issues of what is stored, along with where and how it is stored, are governed well. This includes a wide range of issues around what the fall-back is – i.e. what happens when users get locked out of their smartphones for instance – and where the data is stored and how recoverable / retrievable it is.

According to Bill Trueman, the CEO of UKFraud, “Our clients understand these practical ID and authentication issues as part of their ‘wallet’ designs, and we assist them in closing gaps and weaknesses. Once these are ironed out, they can plan for the future in what is a fast and growing market filled with uncertainty and challenge. It is inevitable that many of the growing businesses in this area will fail simply because of criminal attacks or because the consumer, the merchant, the supplier or market simply ‘goes in a completely different direction’. Future-proofing is a prudent course of action and one which UKFraud helps with but of course no-one has a crystal-ball.

“As there are already so many new technology developments in mobile payments and m-commerce in general, we still haven’t seen a ‘full-on’ response from some of the main traditional ‘payment’ organisations yet. Equally, outside of the excellent steps being taken by the European Payments Council, there is not enough heard from governments and regulators relating to governance of the sector, controls and requirements for eMoney, enforcement direction or strengthening of the Money Laundering requirements to cover the sector. We are confident though that The European Payments Council will take a strong lead here soon.

“Fortunately, the recent launches by sector leaders such as Google and Apple have had an extremely positive impact and have influenced the market greatly for the better. Our aim in recognising both the beneficial impact of recent market developments and the prospect of announcements from Europe will help other organisations navigate the best route forward for their products, thereby helping them reduce the risks of their own solutions within the broader mobile solutions and mobile ‘wallet’ space.”
