Will the U.S. see additional apps with high-security cards?
It’s finally on the horizon: EMV chip cards are coming to the United States. EMV will give broader security against fraud than a traditional magnetic stripe, but it also opens the door to additional applications that could make the card a multi-purpose tool. Will U.S. issuers take advantage of EMV’s full range of capabilities beyond payment?
Because the EMV card is essentially a small computer, it’s capable of doing much more than payments. The chip itself is the equivalent of an IBM PC XT from the 1980s, explains Philippe Benitez, Gemalto’s vice president of marketing for Secure Transactions, North America. “The processor has the same amount of power as an old PC,” says Benitez.This means the chip has the capacity to enable other applications along side its secure payment functions.
The early days
Issuers began adding applications to EMV cards in the late 1990s, with loyalty programs being an early addition. According to a MasterCard case study, Turkey’s Garanti Bank became an early adopter when it launched the Bonus MasterCard multi-branded chip card in 2000. The card combined MasterCard credit with a loyalty program and public transportation services, all residing on the card’s chip.
Garanti established alliances with 5,000 merchants to take part in a single loyalty program. At 350,000 acceptance points, merchants track their customer purchasing patterns and cardholders earn cash back rewards.
Gemalto assisted in the launch of the card that ultimately increased Garanti’s market share in the country. “The [more] services they provide, the higher the utilization rate and retention rate,” says Benitez.
EMV chip cards can also support transportation applications including fare collection, ticketing and gas station and fleet applications.
Visa and Barclays issued the Barclaycard OnePulse card, that includes both credit and transit functionality. Launched in 2007, the card supports both EMV via the contact chip and a Visa payWave feature via the contactless interface. Additionally, the chip’s Oyster application can be used for travel on public transportation in London.
In a separate project, MasterCard partnered with the UK’s Manchester United football team for access and loyalty applications. A MasterCard-branded EMV card stores season tickets replacing paper tickets as the means to identify fans, says Benitez. The card also has a PayPass feature that enables contactless payment at bars and stands in the stadium.
In September 2011 Colsubsidio, the major compensation fund in Colombia, created the Colsubsidio Multi Service Membership Card. Members can use this card for EMV payments, as well as for additional services including an e-purse application, entrance to recreational parks and access to sport and convention centers.
The card’s contactless interface facilitates access to public transportation services in the city of Bogota. According to Benitez, this multi-application card is also used to distribute social benefits to cardholders, who then withdraw funds or use the card to pay for services at merchants.
Extra security for online banking
In terms of online banking, EMV chip cards can carry applications for one-time password (OTP) authentication to help combat phishing attacks. This application is in wide use in parts of the world where cardholders commonly use a card in conjunction with an OTP token to access online banking, explains Benitez.
The EMV chip enables the issuer to add features to the card. The chip is segregated so that it has the ability to store files in different secure locations to ID the cardholder. This means a number of different apps could be used in conjunction with the EMV chip. “If you don’t want credit card information to be shared with other applications, there’s segregation in the card for that,” says Benitez.
When thinking about other possible apps for EMV chip cards, single sign-on (SSO) also carries potential. In 2004 scholars Andreas Pashalidis and Chris J. Mitchell wrote a paper proposing the use of EMV for SSO. In “Using EMV cards for Single Sign-On,” published in Euro PKI, the researchers propose a login plan where an EMV card acts as the authentication token.
Banks have not yet seized upon this opportunity, explains Mitchell. “As far as I know, banks have not added SSO functionality to their EMV cards.”
Challenges to adding apps
While the possibilities for EMV applications can seem endless, Benitez says there are challenges to adding apps to the card. Because the card will always need to be read by some type of reader, the terminal side may require modifications, says Benitez.
Then there is the issue of security. Some applications may not be as secure as others that reside on the same chip. The payment application must be extremely secure, explains Benitez, so you can’t reduce its security when introducing additional applications.
Transit or student ID apps such as laundry, copying and building access can be as secure or as insecure as the owner of the application desires. The application can be open with data freely available to everyone … or it can be locked down like the Department of Defense’s Common Access Card, says Benitez.
It’s up to the application developer to decide how much security should be applied, but adding security to individual apps can add complexity. Multiple PINs for different applications can be cumbersome for end users.
When the application sits alongside a Visa or MasterCard EMV or other payment application, it must be certified by the payment brands, says Benitez.
Because EMV is still a few years from being fully rolled out in the U.S., there are still great opportunities for additional applications to be developed. Perhaps these programs from other parts of the world will serve as catalysts to U.S. issuers encouraging the addition of other services to these new payment cards.