When Visa introduced its Quick Chip for EMV on Tuesday (April 19), it placed retailers in an awkward — but interesting — position. The effort is a different EMV implementation that will allow shoppers to remove their payment card from the card reader in about two seconds, rather than what they have to do today, which is to leave the card in the reader until the entire transaction is complete.
The good news: Quick Chip removes the most hated part of the EMV process, the part where the shopper has to leave the card in the card reader during the entire checkout duration. The bad news: Even though most consider this change to be highly favorable, it could actually set back EMV deployment efforts because it would be yet another behavior to learn. That forces the question: When the goal is mass adoption of a new behavior, is better necessarily preferable to consistent?
First, let's get the particulars clear. In the interest of communicating the advantages of this move to consumers, Visa issued a news release that took some liberties with the truth. For example, it said that Quick Chip "speeds up checkout times." It clearly doesn't do that. If a grocery customer has 72 items in the cart, checkout time will be however long it takes to process those items and get an authorization code for payment. How long the card needs to sit in the card reader doesn't impact that checkout time, given that even existing mechanisms have the card being released the instant the checkout is complete.
What Visa should have said is that the checkout may seem more comfortable for the customer, since it is closer to what they are used to with magstripe cards. If you want to really stretch the point, I suppose if someone was purchasing one item at a 7-Eleven, he might need an extra few seconds to take his EMV card out of the reader and put it back in his wallet — an action that could have otherwise been done while the cashier was doing the checkout magic. But that rare situation is about the only situation where Quick Chip might, infinitesimally, contribute to a faster experience. And even that wouldn't accelerate the checkout time.
That all said, the shopper's perceptions — of speed, convenience and comfort — are extremely important. Allowing the shopper to remove the card within about two seconds (which is what Quick Chip does) gets the experience much closer to the usual magstripe experience. Magstripe can be faster — as long as the first swipe is accepted — but it's close enough.
As many of you may have guessed, there is a security cost to this convenience, but Visa isn't that worried about it. There is potentially a slightly greater risk of a man-in-the-middle attack. To understand the security issue, we need to delve into how Quick Chip works. The cryptogram needed for an EMV transaction normally cannot be created until the final dollar amount is known. With the Quick Chip approach, the cryptogram is generated at the front end of the transaction, substituting a random value for the actual amount — knowing that the actual amount will be entered at the end of the transaction.
“We are allowing the card to be removed from the terminal before the authorization comes back,” said Stephanie Ericksen, vice president of Global Risk Products at Visa. This works fine in the U.S. because U.S. transactions are performed online, so there are no offline counters to be reset. This online-only transaction reality differentiates the U.S. market from many other markets.
Allen Friedman, vice president of payment solutions at Ingenico, said the security hole is small but definite. "It does eliminate updating the card from the issuer as part of the authorization response, and it also eliminates (one element of) validation,” he said. “The part that is being dropped is a second layer of security that has to do with man-in-the-middle attacks."
Specifically, there is a response cryptogram in the authorization response message, and the chip is supposed to validate that. “You then have two entities that are both validating each other,” Friedman said, adding that he didn’t see those kinds of attacks being a major concern right now.
Randy Vanderhoof, who is executive director of the Smart Card Alliance, agreed with Friedman’s security take. “The data security flow has been interrupted by not waiting for the actual transaction value of the sale to be included in the cryptogram that gets sent up to the issuer and that the merchant terminal doesn’t validate the cryptogram that comes back,” he said.
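The two-way check described above can be modeled in a few lines. This is an added illustration, not Visa's or EMVCo's code: it uses HMAC-SHA256 in place of the real EMV cryptogram algorithms, and the key, field layout, response codes and function names are all assumptions made for the sketch.

```python
import hashlib
import hmac

# Constructed demo key shared by card and issuer (assumption; real cards use derived keys).
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

def mac(key: bytes, *fields: bytes) -> bytes:
    """Toy cryptogram: truncated HMAC-SHA256 over length-prefixed fields."""
    data = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, data, hashlib.sha256).digest()[:8]

def card_request(amount_field: bytes, nonce: bytes, counter: int) -> bytes:
    """Card side: request cryptogram over whatever amount field the terminal supplies."""
    return mac(CARD_KEY, b"REQ", amount_field, nonce, counter.to_bytes(2, "big"))

def issuer_authorize(amount_field, nonce, counter, cryptogram, approve):
    """Issuer side: verify the request cryptogram, then sign the response code."""
    expected = card_request(amount_field, nonce, counter)
    if not hmac.compare_digest(cryptogram, expected):
        return b"05", b""                      # request cryptogram rejected
    code = b"00" if approve else b"05"         # constructed codes: 00 approve, 05 decline
    return code, mac(CARD_KEY, b"RESP", cryptogram, code)

def card_accepts_response(cryptogram, code, response_cryptogram) -> bool:
    """Second layer: the chip checks that the issuer produced this exact response."""
    expected = mac(CARD_KEY, b"RESP", cryptogram, code)
    return hmac.compare_digest(response_cryptogram, expected)

def run(quick_chip: bool, altered_in_transit: bool) -> str:
    nonce, counter = b"\x01\x02\x03\x04", 7    # constructed values
    # Quick Chip builds the cryptogram before the total is known, so the amount
    # field is a stand-in value; the real total travels in the authorization message.
    amount_field = b"STAND-IN" if quick_chip else b"000000004599"
    cryptogram = card_request(amount_field, nonce, counter)
    code, resp = issuer_authorize(amount_field, nonce, counter, cryptogram, approve=False)
    if altered_in_transit:
        code = b"00"                           # response changed after the issuer signed it
    if quick_chip:
        return "terminal accepts " + code.decode()   # card already removed, no chip check
    if card_accepts_response(cryptogram, code, resp):
        return "card confirms " + code.decode()
    return "card rejects response"
```

In both flows the issuer still verifies the request cryptogram; only the card's check of the response is missing in the Quick Chip path, which is why an altered response is caught in the full flow and not in the shortened one.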
Part of the reason for a lack of worry is that Visa doesn’t want all merchants to offer this — and neither does Friedman — so as long as most transactions still maintain full security, it shouldn’t be a problem. Here’s where things get interesting. This program is optional for merchants, and some types of merchants — QSR, convenience stores, multilane grocery, high-volume discount stores, coffee shops and anywhere else where speed is at a premium — are the only ones Visa is going to push. That means that not only will Visa EMV behave differently from MasterCard EMV and American Express EMV, but the experience will change from merchant to merchant.
And that's the real problem. To get consumers to change any behavior — especially a payments behavior — requires a lot of repeated, pleasant interactions. Indeed, that's been one of the biggest stumbling blocks for NFC payments such as Apple Pay and Google Wallet. Even for customers who love making those NFC payments, there are simply not enough merchants accepting it for NFC payments to become a habit, to feel normal.
EMV acceptance is growing rapidly, and there are plenty of mainstream retailers today who have upgraded to support EMV cards. The next trick is getting customers to use their EMV cards — and to use their chip capabilities, rather than swiping with the magstripe.
By decreasing the consistency of the EMV buying experience — having it change from merchant to merchant, from one card to another — the goal of rapid widespread EMV usage is pushed back. Indeed, even Visa's plans do not have all merchants adopting Quick Chip, thereby guaranteeing inconsistent experiences. It will mean that shoppers will need to watch the payment screen and do whatever it says — something that American consumers will just love to do. They especially enjoy following orders from a computer.
That's why Friedman isn't worried about the slight security hole. He doesn't expect enough merchants to use it to make a big difference.
I would feel much better about this had it been the united position of all of the card brands some six months ago, when EMV was aggressively pushed into the U.S., and had it therefore been pushed on all merchants. That would have made a much better experience for all. Making it better for some people some of the time in some of the places is not exactly the stuff that goes into euphoria.
This article is published as part of the IDG Contributor Network.