[continued from part II]
Previous post in this series left off with a discussion of card-present versus card-not-present transaction models for accepting contactless payments directly from end-user machines. That becomes a segue into the broader problem of how exactly the payment network (in other words MasterCard, Visa, American Express) would treat such transactions. Assuming payment processors and websites are willing to make necessary changes to enable this scenario end-to-end– itself an uncertain prospect– should such transactions be treated the same as other Internet purchases? There are at least three scenarios.
View these as card-present transactions. Earlier we pointed out the backwards compatibility of some EMV payment protocols. Specifically they produce an emulated “track data” complete with CVC3 (dynamic CVC) that is compatible with the format obtained by swiping a plain magnetic-stripe card. Naively that would suggest one could implement contactless payments by forwarding this track 1 & 2 data to the payment processor and run it as ordinary card-present transaction conducted at point-of-sale terminal.
But the distinction between card-present and card-not-present goes beyond protocol minutia. It has fundamental implications for the economics of the transaction: CNP typically incurs higher interchange fees, faces greater fraud risks (consequently subject to different thresholds from fraud-detection systems operated by the issuer) and places burden of proof on the merchant in case of consumers disputing a transaction. In this case the card-holder is not physically “present” on any merchant premises. They may well be carrying out the transaction from anywhere around the world on their NFC-equipped laptop. Conferring CP status just because the protocol happens to be compatible seems unwarranted.
2. Status quo
A more cautious approach is to continue treating these transactions as standard CNP, leaving intact the existing distribution of risk skewed towards the merchant. This allows for a more cautious transition on a schedule decided by merchants. Since the economics and liability are identical to credit card numbers typed into an old-fashioned HTML form, it is up to each merchant to determine if there is an advantage to accepting NFC.
Strictly speaking EMV protocols– even the backwards compatible variants– are safer than the status quo for Internet transactions. Instead of typing in the same fixed payment information for each transaction (credit card number, expiration date and CVC2) a unique CVC3 value and sequence-counter are returned from the card. Even if one of these falls into the wrong hands due to a breach of merchant website or malware running on the machine used by the customer, it is not possible for miscreants to reuse the same values to perform another purchase. More importantly that CVC3 is computed as a function of a challenge from the “point-of-sale” terminal. By choosing the challenge the website (or payment processor, depending on design) can achieve higher degree of assurance that the response is indeed generated in real-time by the card, instead of being replayed from a past transaction.
Still there is a cost to accepting NFC payments, especially initially when few customers will be in a position to take advantage of them. Not only do they need laptops or phones equipped with NFC readers, they need to have credit cards with contactless payment capability– something that is entirely under control of the issuer. It is unclear if reduction in risk would justify the extra cost for such niche functionality. (On the other hand offering card-present treatment does create a far more compelling value proposition for merchants, especially online where profit margins are very tight. Even small reductions in interchange fee can translate into significant savings.)
Under the most strict interpretation, payment networks could outright forbid such transactions, declaring that contactless payments are only intended to be carried out at a retail location against “approved” point-of-sale hardware that has been certified by the network. This is where PCI requirements come in. PCI council has published a series of guidelines and recommendations on when mobile devices can serve as point-of-sale terminals. If the end-user hardware is interpreted as “point-of-sale terminal” then a specific PCI mandates apply, as well as individual recommendations from different payment networks. For example MasterCard best-practices require that PIN entry take place on approved external PIN-entry devices only, specifically ruling out commodity mobile devices.
There is a good argument that end-user devices should not be subject to POS criteria. This is not a case where the merchant is buying dedicated equipment for processing transactions. POS rules exist because such equipment concentrates and re-distributes risk. Cash-registers are produced by a manufacturer, installed at a merchant location and then used by thousands of individual customers who stand to lose from a security breach. By contrast the security of an end-user machine user for online purchases affects a small number of people using that particular machine.
It will come down to interpretation and partially, enforcement. Strictly speaking the original incarnation of Square would have been disallowed by these rules. The plastic dongles the company is known for used to pass track-data read from the card straight to an application running on iPhone or iPad, without any encryption. This design was obvious susceptible to malware running on the host machine. Later incarnations adopted encryption, reducing dependence on host security while still running on off-the-shelf iOS devices. But even before that particular improvement, it was arguably too late to cry foul over alleged PCI infractions– and in this case there is no question that the device qualifies as dedicated POS system. Square created a new market by capturing the long-tail of small merchants who had never accepted credit cards before. This new segment generated significant interchange revenues for payment networks. As long as observed fraud remained manageable, it would have been quite unwise for networks to shutter the system by nitpicking over PCI requirements intended to mitigate hypothetical future attacks.