Thales Blog

A Step Forward In Payment Security But An End To Universal Card Usage?

December 3, 2010

Speaking at the Next Generation Cards & Payments Conference held in Brussels late last week, Gertrude Tumpel-Gugerell, a member of the Executive Board of the European Central Bank, made several New Year's resolutions. One of them highlighted a section of the 7th SEPA progress report, published in October, which for the first time contains a whole chapter on the security of retail payments.

Amongst the ideas highlighted in the chapter is the potential to set up a forum for Security Issues. Before this forum is constituted, the report has highlighted some security directions the Eurosystem sees as important. The first that leaps off the page is that, “…from 2012 onwards, all newly issued SEPA cards should be issued, by default, as ‘chip-only’ cards.” It goes on to say, “The industry will have to be prepared to offer the cardholder cards with legacy magnetic stripes upon request as long as there are still regions outside SEPA which have not fully migrated to EMV.”

The other security focus is on Card Not Present transactions, where it says, “The need for the implementation of stronger security measures is especially evident for ‘card-not-present’ payments. Although these still represent only a minor share of overall card payments, they already account for the majority of card-related fraud in many countries.” The progress report recommends enhanced security, “…for remote transactions, regardless of whether they are made by cards or through online banking…, user authentication should be linked cryptographically to the transaction data and should be based, as an absolute minimum, on two independent security factors, including a one-time password which is only valid for a very limited period of time and which, ideally, results from a challenge-response mechanism (e.g. SMS, token or chip-reader).”

If these two considerations were put in place, it would be a significant step forward in securing card transactions, but it may spell the end of universal payments cards. Want to visit Germany? OK to take your Belgian issued EMV card. Want to go to the US? Don’t forget to request your legacy mag. stripe card from your bank before you go.

The same thing is happening to US citizens wishing to visit Europe. The US papers have been full of stories in the last year about US travellers who are unable to use their mag. stripe-only cards in Europe. Some US issuers are now offering EMV cards for US travellers who are frustrated by their experiences using mag. stripe cards abroad. Travelex is the latest to do so. For this dichotomy to be resolved, the US would need to adopt EMV. Whilst there is still no certainty as to when/if this will happen, pressure has been mounting over the last year. Even if the US does decide to make the change, don’t expect it to happen overnight. Experience elsewhere says it can take five to ten years from project kick-off to full migration.