Can I see your ID?

credit_card_transaction_paul_burns18 March 2015

 

A major retailer just called me this AM. Theme of conversation is that the industry is creating a “perfect storm” for issuers in acceptance.  While LoopPay is very secure (because of Visa/MA tokens, phone ID, and transaction counters), the existence of a commercial grade mag stripe emulator in the hands of “bad guys” will create a little chaos… particularly when the cashiers think nothing of consumers (or fraudsters) waving their phones at the POS.

While both Visa and Mastercard have set rules that prohibit merchants for asking for IDs in a contactless EMV transaction (EMV), LoopPay (Samsung calls it MST) muddies the waters as it uses the phone to talk to the magnetic reader of the payment terminal. MST transactions are magstripe transactions which merchants are (and have always been) allowed to ask for IDs. Merchants can make the case that they have no idea which is which, and they have no way of “prohibiting” either, thus they must assume that it requires them to treat as something that requires them to validate (signature).

Let me see if I can list the different acceptance methods (looking for input into what I miss)

Acceptance Options

 

Add to this list Token authority (Tier 1, Tier 2, Visa, Mastercard, TCH, Bank, …) and TSM for GSM style NFC and we have quite a complex mess. The good news is that issuers have control over where their cards are presented.. Problem is that there are many new “exploits” which can be attacked by very well funded fraudsters.

Normally, all of this seems to put pressure to update and lock down your payment terminals. But merchants don’t bear any costs for POS fraud where they have validated signature/ID… it moves to the banks. How can Banks force merchants to lock down terminals? The incentives are very complex.. so complex that it may mean “can I see your ID” happens in every case.  So much for mobile making things easier.

In EMV transactions, issuers are normally in control of when PIN is required.. In mobile  there is no physical payment instrument (card)  for the cashier to validate signature … so when they ask for ID what do they validate against? (ie no embossed card with your name on it). This means issuers will naturally like PIN for mobile. In the US consumers don’t know their PIN (for credit cards)..

This is just too confusing.. lets just say small issuers will have a very challenging time adapting here, while the big issuers will maintain a substantial advantage. This is the normal course of [big] bank fraud strategy:  if a bear comes to your campsite you don’t have to be faster than the bear.. just faster than the slowest fellow camper (small banks)

7 thoughts on “Can I see your ID?”

  1. Tom, what do you think about biometrics like ID validation for eCommerce/mCommerce and good-old brick&mortar stores?
    Yeah, like in “Minority report” with Tom Cruise when customers didn’t have to carry cards or any gadgets with them. Looking at Facenet by Google it seems like inevitable in near future.
    Although I’m sticking to voice print as more robust and infrastructure independent biometrics.

  2. Tom, Paydiant’s solution is based on tokenization, presented in form of QR codes. They are low value tokens — a new one is issued for every transaction.

    With regards to your observation about EMV/PIN — if a card is validated correctly during the provisioning process, a mobile wallet can serve as a much more secure channel to transfer credentials to POS when compared to a physical EMV card because of:
    Tokenization
    Device fingerprinting
    Touch ID/PIN to access the app
    And the inability for a fraudster to capture PAN from a physical lost card to use for online transactions where PINs are not required

  3. Having someone sign for an AP transaction is almost asinine as there is nothing to validate it against. A PIN is another choice, but for the consumer, especially in America were it is not the status quo, is not preferable. There is also the predictability aspect. Can I go shopping and know I will not have to sign or enter a PIN and when? Will it be a dollar threshold or will it be random by merchant?

    If none of those are good solutions that leads to how can a bank be sure they are properly provisioning the cards/tokens. I think there is an underlying issue that has not been addressed around how your phone acts as a form of ID. There is a sentiment with AP that it is secure because of the Touch ID requirement — and don’t get me wrong it is a key to AP’s success. But, as we have seen, there are holes in this logic and it is what has happened with the provisioning fraud in regards to AP. Touch ID does not validate ID in the sense of “are you Mr. Xx Yy” it only validates that you are the same person who set up the Touch ID profile. The gate keeping aspect of tokens is going to become key in the coming months/years as they become more prevalent in the market (whether on AP, GP, Loop, etc.).

  4. I would not assume MST would use a PAN Token or provide an assurance value unless there is direct and integrated involvement of the issuer in enabling the credentials / data on the device or in the cloud. There would be nothing more than the data currently on the back of the card, without the help of the Issuer. I then wonder how Being able to read and offer the token does nto put the token at risk also!

    I also wonder what you mean by token. We could easily write one PAN to the magnetic stripe and print another to the face of the card.

    Same is true for EMV. I ask the question again. What is a token. Is it simply a number assigned to a device or area of storage linked back to an account. As I know you will remember the PAN is simply a number used to route the transaction and then identify the associated checking account or Line of Credit.

    EMV could, in conjunction with 3D-Secure and a card reader (NFC or Contact), support web payments (mobile, Tablet, laptop or deck top originated).

    Why would there be any difference between the assurance and validate ID between any tokenization scheme, MST or EMV. ID&V has as of yet not been identified and specified in a meaningful manner.

    1. That is the great thing about Samsung’s launch. The banks provision their cards into this environment just as they do with ApplePay.. and they do get assurance information (in app) as part of the transaction (since it can’t go on mag head), as well as a transaction counter. The problem is of an unapproved use of MST. Someone will create an app that has no bank provisioning… making the Samsung Galaxy 6 a huge success (with a very small and profitable demographic)

      1. Current LoopPay is essentially MST w/o bank provisioning (i.e. just MT, no “S”). The S basically adds a the tokenization to the mix. There are already a lot of non provisioned MT, see Coin, Stratos Card, etc.

        A token is just a credit card number, including proper BIN and Luhn check, that the bank links to a PAN. The secret sauce in all of this and what makes it more secure is not the token alone but combination token and token cryptogram which is the dynamic piece that works to validate the authenticity of the actual token (think CVV on steroids). LoopPay’s big push was merchants have a very useful tool already in the magnetic reader and that it is not outdated yet only the information it has been reading for the last 50-years has not changed and is vulnerable. MST essentially modernizes the information that flows to the magnetic head (via tokenization) to make it more secure and inline with chip or NFC transactions.

Leave a Reply

Your email address will not be published. Required fields are marked *