December 11, 2002

Plastic security

Sometimes I am amazed at how different countries can be in their perception of what is acceptable to minimise risk. Let us take credit cards, a subject which is sadly in my mind due to recent events.

Very simply, different countries have different standards, and they all boil down to a single issue: the perception of risk. If a particular bank or inter-bank body believes the risk is of a certain size, the corresponding budget is increased or decreased to match the level it wants to reach (e.g. VISA's 5% limit on fraud). But how do you measure the perceived risk? Or, more to the point, how do you assign a budget to it? Very simply: you base it on how much it costs in hard cash.

If all you can come up with is some sort of wishy-washy number then you are never going to gain the attention of management, and rightly so. Why should they assign a budget to a completely unsubstantiated exercise which might well skyrocket out of control? Hard cash figures are the simple drivers in the plastic card world.

Let us assume that to decrease the level of fraud you will equip all the VISA transaction terminals in the UK with chip readers (for those reading from across the pond: in the USA most of your cards don't yet have a chip on them, you only have the magnetic strip. The chip looks identical to a mobile phone SIM. Ah, but you don't really have GSM either... never mind). This will cost a certain amount, say GBP m. Pilot installs have shown that the introduction of chip readers reduces the amount of fraud by, say, a fraction x overall. Furthermore, sending new cards to customers (i.e. accelerating the normal replacement cycle for cards) costs GBP n. Finally, let us say that the current level of fraud is GBP f per year. We are now set to pose the question.

The answer to "should I install chip readers?" is simply the answer to another question: is m + n < xf? That is, does the rollout cost less than the fraud it removes? Note that the figure on the right is the fraud prevented, xf, not the residual fraud (1-x)f that you would still be paying afterwards. Note also that m + n is largely a one-off spend while xf is saved every year, so the honest comparison is against the savings accumulated over the payback period you are prepared to wait for. If the inequality does not hold then no, you shouldn't install them, and should simply pay the cost of the fraud.

Given these premises it becomes interesting to read about the newest advances in credit card technology in the UK. For example, Barclaycard is now moving to what they call "chip & PIN", where the chip on the card is used to validate the transaction and you have to type in your PIN to authorise it.

Is that a step in the dark for a credit card company in the UK? Of course not, it has been this way in Switzerland for ages. Did you ever read the small print on your credit card contract? Ever notice that it says it is your responsibility to ensure that the credit card is never out of your sight? Have you recently stalked your waiter at a restaurant to guard your card? No, I didn't think you had. So, technically, you are in breach of your credit card agreement! Where does that clause come from? It comes from the old days of the "clack-clack" imprinting machines, which were brought to your table. Then restaurants got electronic terminals, which they could neither carry to the table nor ask the customer to walk over and swipe in front of their own eyes. That is when the card leaves your sight, and that is when a dishonest employee can clone it by reading the magnetic strip (other means are straight guessing and then validating the number, shoulder surfing, etc.).

In Switzerland (and in Italy for that matter, where it started with ATM cards) a terminal is brought to you or, at a supermarket checkout, the terminal is already facing you. You swipe your card, type your PIN and authorise the transaction. This works quite well: it would have defeated at least two of my clones since they were taken from the printed receipt copy which held my complete card details (in the UK supermarkets didn't obscure some of the digits on the receipt, unlike other countries. Apparently they now do). A card number copied from a receipt is of no use at a terminal that demands a PIN the receipt never carried. Because they are Swiss they go one step further: you can now have your photo on the back of the credit card, beneath the signature strip. This is an interesting twist. Of course, if you can print cloned cards you can add a photo to them, but it raises the bar on the cost of the technology. To understand the mentality, just think about the fact that Swiss online banking authenticates with printed lists of single-use codes (scratch lists, often loosely called one-time pads).

So why doesn't the whole world move to "chip & PIN"? Go back to the formula. In the UK you can probably do a good job of reducing fraud by moving all of Greater London to "chip & PIN" and migrating the rest of the country more slowly. But what about a place like the USA? The economies of scale are such that a roll-out of those proportions is not trivial, and you should also remember that they were "first movers" with credit cards. This means they have legacy systems in place. In Switzerland, with a total population barely that of a large American city, it is comparatively trivial to roll out such high-tech systems.
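The decision rule above, and the "London first, rest of the country later" schedule just mentioned, are easy to get wrong if you compare a one-off cost against a single year's savings. The following is an added example, not code from the original post, that carries the post's symbols (m, n, x, f) through a phased rollout and reports the year in which cumulative savings overtake cumulative spend. The rollout schedule, the discount rate and the sample figures are all assumptions made here for illustration; the post gives no numbers.

```python
# Added example (not from the original post): a break-even calculator for
# the chip-reader decision, using the post's symbols:
#   m = cost of fitting every terminal with a chip reader
#   n = cost of reissuing cards early
#   x = fraction of fraud removed once readers are everywhere (pilot figure)
#   f = current annual fraud
# The phased-rollout schedule, the discount rate and the sample figures are
# assumptions added here to show why a single-period test is too pessimistic.


def naive_worth_it(m, n, x, f):
    """Single-period test: the one-off cost must be below the fraud it
    removes in that same period, i.e. m + n < x*f."""
    return m + n < x * f


def breakeven(m, n, x, f, coverage, discount=0.0):
    """Cumulative (discounted) net benefit of a phased rollout, year by year.

    coverage: cumulative fraction of transactions on chip readers at the end
              of each year, e.g. [0.5, 1.0, 1.0, 1.0] for Greater London in
              year one and the rest of the country in year two.
    discount: annual rate applied to future years (0.0 = no discounting).

    Returns (first year in which the cumulative net is >= 0, or None if the
    schedule never pays back; list of cumulative net per year). Capital is
    spent in proportion to the share brought online in a given year, and
    savings accrue on the whole share covered by the end of that year.
    """
    cumulative = 0.0
    net_by_year = []
    prev = 0.0
    for year, cov in enumerate(coverage, start=1):
        if not 0.0 <= prev <= cov <= 1.0:
            raise ValueError("coverage must be non-decreasing and within [0, 1]")
        spend = (m + n) * (cov - prev)   # readers and cards for the new share
        saved = x * f * cov              # fraud prevented on the covered share
        cumulative += (saved - spend) / (1.0 + discount) ** year
        net_by_year.append(round(cumulative, 4))
        prev = cov
    first = next((y for y, v in enumerate(net_by_year, start=1) if v >= 0), None)
    return first, net_by_year


if __name__ == "__main__":
    # Constructed figures in GBP million; they are not the post's.
    m, n, x, f = 40.0, 10.0, 0.6, 30.0
    print("single period:", naive_worth_it(m, n, x, f))                   # False
    print("all at once  :", breakeven(m, n, x, f, [1.0] * 4))             # pays back in year 3
    print("London first :", breakeven(m, n, x, f, [0.5, 1.0, 1.0, 1.0]))  # pays back in year 4
```

With the constructed figures the single-period test says "don't bother" (50 is not less than 18), while the same spend pays for itself in the third year of a big-bang rollout and in the fourth year of a London-first rollout. The phased schedule is slower only because the savings on the uncovered share are forgone while the capital is being spent in stages; the `discount` parameter lets you ask how much of that is worth waiting for.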

The moral of the story is that in the UK Barclaycard must be experiencing fraud above the magic trigger level at which the formula says it is cheaper to go and upgrade the systems than to keep paying.

Posted by arrigo at December 11, 2002 11:49 AM