RiskFinancial CrimeAdopting EMV Cards in the Middle East: Too Slow to be Smart

Adopting EMV Cards in the Middle East: Too Slow to be Smart

Deadline for EMV Compliance

Banks and the other segments of the Middle East payment industry, including those in the UAE, may be moving too slow for the adoption of EMV-compliant smart cards for the deadline set for the region by the card companies. The deadline for the region, along with the European markets, is January 2006, but most banks have so far achieved little progress in planning and setting up the infrastructure and are therefore likely to miss the compliance target. In fact, there have been very few issues of the chip cards into the UAE market. Mashreqbank has been one of the first movers with its chip-based WOW! Card.

Recently, in a deal that is described as the largest of its kind in the Gulf Cooperative Council region (GCC), the bank awarded a contract to acquire 4,600 high-speed point of sale (PoS) terminals, which are equipped to recognize smart cards as well as commonly used magnetic stripe ones. More recently, the National Bank of Abu Dhabi (NBAD) rolled out the Visa smart debit and credit card programme (VSDC), combining full issuer and acquirer functionalities, marking a first for the region.

Both the Mashreqbank and NBAD programmes involve the upgrade of terminals with their retail merchant networks, but it is not clear how far the merchants are involved in funding the upgrade. Generally, the experience is that the retailers are reluctant to upgrade their PoS equipment to accommodate the more sophisticated plastic, although the issuers and acquirers can be expected to increase pressure by shifting the full liability for fraud arising from the use of magnetic stripe cards to the retailers.

Delays in Meeting the Deadline

The mandated deadlines for EMV still seem a long way off and there are other issues that may be considered more pressing from a business viewpoint. However, the danger is that there will come a point where vendors do not have the capacity to supply the demand in the remaining time available, says Jim Davis, managing director at Thales e-Transactions, a company that provides card payment solutions ranging from standalone PoS terminals and secure PIN entry devices to integrated payment solutions and related services.

One of the reasons most frequently cited in the delay in moving to EMV, apart from no real business case, is the current restriction on budgets, Davis says. Two other reasons are a lack of information and technical skills. He cites the case of a European project, where significant delays occurred beyond the original target for roll-out due to the complexity of amending the local payment protocols to support the additional messaging and security for the EMV and national debit system.

Various funding initiatives are in place to encourage migration. The majority of European banks consider EMV compliance as a high priority. According to their responses to one recent survey, almost 90 per cent of organisations expect to be in live production with their EMV projects, meeting the EU regional deadline of 2005. Still, at least 10 per cent of PoS terminals are predicted to remain unequipped to process EMV cards.

Given the countdown, it is likely that there will be a rush as the date looms nearer; squeezing the amount of time technology vendors can devote to each issuer. There may also be a lack of capacity to assist in resolving some of the problems that inevitably occur during the integration and testing stage.

Difficulties of Implementation

The smart payment card carries risk parameters and spending limits and can provide some stand-alone authorisation capability, thus reducing the need for online authorisation of low value transactions. Both these features mean that a significant amount of additional data has to be processed and transmitted between the card, the terminal and the authorisation system, making implementation more complex.

According to Davis, successful migration is achieved only through joint co-operation between issuers and acquirers, card schemes and the community of technology suppliers. Each group is an essential component in the payment system and its role in making the project a success must not be overlooked.

For example, most credit cards are authenticated at the point of sale by reference to the cardholder signature. At the ATM, the authentication is done through the PIN. With the EMV card, using a PIN at the point of sale and ATM will be common for both credit and debit cards. So, the actions for PIN at the points of sale need to be simple and intuitive. If it is too complicated it is very likely to be subverted.

On average, 60 per cent of payment transactions happen in the high volume, multiple location environments such as supermarkets, and, therefore, EMV stands no chance of success unless this sector supports it. But so far this sector has not played any great part in the EMV discussions although there is significant cost to be incurred by them in upgrading their points of sale. According to Davis, the lack of retailer participation in the early stages of migration discussions has also contributed to the migration delay.

Another major problem relates to the rollover period, during which both types of cards will have to be honoured. In fact, to ensure that the card can be accepted as widely as possible, EMV cards will support both chip and magnetic stripe for some years to come. There may also be a case to continue embossing the account number so that cards can still be used in imprinters if necessary.

Scale of Changeover to EMV Cards

Typical schemes with three-year replacement cycles mean that cards issued in February 2003 will still be in circulation beyond the 2006 January deadline. Typically an EMV smart card is issued to the cardholder when the existing magnetic stripe card passes its expiry date. This will make the EMV rollout a long project, possibly running into several years. The strategy will determine how far in advance and what volumes of cards and chips need to be ordered and also the budget requirements.

Without EMV-capable card acceptance devices, there can be no EMV card usage. So for global acceptance of the cards, some 32 million stand-alone devices, 4 million integrated devices and 2 million ATMs will need to be replaced or upgraded.

Standards and specifications need changing and then certifying, both at a national and international level. This includes changes to, and certification of, the card scheme network interfaces, PoS and ATM networks as well as the internal processes that route the EMV transaction data between in-house authorisation and authentication systems.

Ensuring Consumer Acceptance of EMV

The biggest fear for the merchants is that EMV transactions will take longer than magnetic stripe and that the slower check times will raise costs or lower consumer opinion. For cardholders and their increased interaction with the device, any uncertainty about what they should do will also increase the time it takes to complete the transaction and thus may reflect badly on the device.

So in order to ensure EMV acceptance, the device must be intuitive to use and the performance at least as fast as a magnetic stripe transaction.

Challenges for Banks

Card-issuance systems must be upgraded in preparation for all relevant data, including cryptography for security, which will be loaded onto the chip. EMV does not specify the cryptographic algorithms and key management schemes to be used for authenticating transactions, these can remain the same as existing magnetic stripe transactions. However, it does specify the cryptographic methods of card authentication.

Similarly, new payment channels such as mobile payment through GPRS, or home payment through the internet will require different gateways to host systems and a rethink on network security to balance security level with performance.

A major challenge for the issuing banks migrating to the smart cards is how to provide automated support facilities similar to those available for magnetic stripe card issuance and management. Single application smart cards are significantly more complex and demand stronger support systems than magnetic stripe cards. So upgrading or modifying existing support systems to handle smart cards may not be cost-effective.

Multi-application smart cards present back office support systems with an even more complex support task. The route preferred by most issuers, particularly those moving to multiple-application cards, is therefore to concentrate smart card issuance and management support in a separate, dedicated solution that interfaces to the legacy back office issuing and acquiring systems. This invariably implies bigger investments.

The Fastest Growing Industry

Complaints of malfunctioning ATMs, disputed transactions and credit card frauds have become so commonplace that hardly a day passes without newspapers reporting such menace. Gangs of ATM fraudsters are moving from one country to another, leaving trails of losses to the respective banking systems and untold miseries to cardholders and account owners. Fraud has become a global problem, requiring a global solution.

In the US, nearly 2 million people had their checking accounts raided in the past year, and most of them were paying bills and shopping online, according to Gartner.

There has been an increase of about 700 per cent between January and May this year in the activities of ‘phishers’ who persuade people by fraudulent e-mails to send them their credit card details. Similarly, identity thefts by scammers to obtain credit, loans and services in the name of the cardholder have grown at an alarming rate. Last year, it was the most common complaint received by the US Federal Trade Commission.

According to estimates, fraud costs the European Union over €3.5m every day. According to the UK’s Association of Payment Clearing Services, credit card fraud losses rose to nearly €680m in 2002, up 53 per cent in two years. All this is part of a $2.5bn problem for the global banking and financial system.

With credit card fraud increasing by more than 20 per cent per year in recent years, credit card companies and banks are no longer willing to absorb the losses created by credit card fraud. It is in this context that card companies such as MasterCard and Visa have come up with the EMV smart card standard in a move that is aimed at significantly reducing this fraud and modernising retail banking payments services. The introduction of the EMV is the most significant change in global payment technology since the introduction of the magnetic stripe card over 30 years ago.

EMV can be summed up as being a system that provides security through enhanced authentication and allows increased off-line authorisation through additional security checks. The functions required to process an EMV transaction are largely the same as those used to process a magnetic stripe transaction. The main difference is the source and contents of the card data. Better security is provided through highly protected data storage on the chip, which is much more difficult to copy than it is from a magnetic stripe, and through the cryptographic processing performed by the card and terminal.

The card companies have set January 2006 as the date, after which they will not accept liability for magnetic stripe card fraud.

K Raveendran is the Editor of UAE Banking Review

Comments are closed.

Subscribe to get your daily business insights

Whitepapers & Resources

2021 Transaction Banking Services Survey
Banking

2021 Transaction Banking Services Survey

2y
CGI Transaction Banking Survey 2020

CGI Transaction Banking Survey 2020

4y
TIS Sanction Screening Survey Report
Payments

TIS Sanction Screening Survey Report

5y
Enhancing your strategic position: Digitalization in Treasury
Payments

Enhancing your strategic position: Digitalization in Treasury

5y
Netting: An Immersive Guide to Global Reconciliation

Netting: An Immersive Guide to Global Reconciliation

5y