Last week’s Money20/20, the largest event in the payments and financial services space, ignited a flurry of discussions on the latest and greatest in mobile, retail and financial technology. With 2014’s agenda focused primarily on security and what was to come with EMV, the “what’s next” technology trends dominated this year’s conversations.
Hot topics included mobile payments, Omnichannel retail, and the role of mobile commerce – subjects that seemed to demonstrate the shift of interest from security and authentication technology (EMV) to what’s most convenient for merchants and consumers.
Suze Orman, CNBC host and Money20/20 Keynote Speaker, was not completely in agreement with this shift.
People “don’t want these digital wallets,” she says. They’re “confused.” The financial industry needs to change. But it needs to get simpler, not flooded with all the apps, and wallets, and tricks, and gizmos that litter the convention floor not 15 yards from where we all are sitting.
That was a valid point, and it had many attendees pondering her statement. Some argued that if there is confusion, it means there is money to be made. Others made a counterpoint that if security isn’t in place for “all of these apps and wallets and tricks and gizmos,” this “confusion” is also a target for money to be lost, and there is nothing cyber thieves love more than to prey on vulnerability created by confusion. Unfortunately, the “implementation” of EMV has demonstrated exactly that.
Earlier this month, the Federal Bureau of Investigation issued a public service announcement warning that the computer microchips used in EMV cards are only partially protective and saying the cards should be used with a PIN, rather than a signature, in order to really reduce fraud.
The FBI urged the public to use a PIN with their EMV cards, thinking that the EMV rollout meant exactly what it does nearly everywhere else in the world: cards that have both a chip and a PIN. But what the FBI missed was that the U.S. EMV cards were being issued as chip-and-signature. In response to an outcry from bankers, the FBI pulled down its warning and replaced it with a softer recommendation that encouraged consumers to use cards safely.
With that enters the discussion of NFC at Money20/20, the new buzzword sure to replace “mobile” and “EMV.” Vinod Khosla, founder of Khosla Ventures, talked about the EMV system, suggesting that it was flawed as a consequence of the customer experience, that it would become irrelevant in three years, and that it would eventually be replaced by NFC-enabled mobile technologies.
Unfortunately, by now we know all too well that any new payment technology offering convenience as its first and foremost benefit will be an immediate target for cybercriminals. According to WSJ:
With NFC or digital wallet apps, users use their “Card Not Present” information to register for a service like Google Wallet or Apple Pay in order to make “Card Present” transactions. Essentially, these apps bridge the two scenarios and allow fraudsters to take credentials from “Card Not Present” transactions and use them in the real world, where buying high-value items is much easier. Note that purchasing credentials in the underground economy for making real-world purchases like this gets very pricey, making NFC even more lucrative to hackers. With this, it’s no surprise that Apple Pay was exploited by fraudsters shortly after its inception.
Some banks have added new security steps like requiring additional authentication when registering to use a digital wallet service, but these protocols are not universal, and just one bank not adhering to the process can create a tremendous opportunity for fraudsters to pounce. These types of “loopholes” are exactly the confusion hackers are looking for on a regular basis.
Whatever comes next in payments, every payment technology will need to focus on security before convenience. Layering EMV with technologies like tokenization and Point-to-Point Encryption (P2PE) devalues sensitive cardholder data and is the best defense against potential hacks. So while Money20/20 will continue to showcase the best in innovation, the payment security fundamentals need to be the first priority.