Smart Card Laggards

By Adrian Lane

The US is playing ‘catchup’ in contactless security. The US lags in smart identity card technology adoption. We lag in payment card security. It’s frustrating for Americans to travel in Europe. We have rudimentary ePassport technology, and it has been almost a decade since the first draft of the HSPD-12 PIV standards. We’re behind. We are laggards.

And I say “So what?”

When it comes to smart card adoption, the US is not even in the race. Citizen ID, government employee ID, ePassports, first responder cards, Chip and PIN payment cards, whatever – we are in no hurry. And I am not at all convinced we should be in many cases. Credit card fraud rates in the US are not much higher than Europe’s. Sure, it’s still pretty easy to ‘skim’ credit cards – but not enough to rework the entire payment infrastructure to accommodate Chip & PIN systems. Are people breaching the security of federal buildings due to the lack of advanced PIV cards? How many terrorist attacks on RFID systems have you seen? Many of the efforts are technology for the sake of technology. You’re getting new technology, at 10 times the cost, for only slightly better security. Like those motorized paper towel dispensers or automated Japanese toilets – sometimes technology was not a necessary solution.

I am amused that smart card, ePassport, National ID, and PIV vendors market their products as benefits to the consumer. Do you know anyone who thinks their life would be better if they had a smart national ID card? Me either. And the only time I have even heard about problems around the lack of EMV (Europay-Mastercard-Visa alliance) smart cards is in the last few months for US travelers in Europe. Even then, there are plenty of solutions if you plan ahead. The noise on this subject seems to be coming from the Smart Card Alliance and associated organizations – not from consumers, merchants, or even the payment card industry.

It’s not that we lack the technology, it’s that we lag in deployment of the security technologies. So why is that? Because there is not enough financial justification for the expense. It would cost billions to swap merchant payment terminals, and possibly billions to issue new cards, given the investment in back-end personalization and issuance systems to produce the cards. The fact that many of the security problems have been mitigated with fraud detection and other forms of authentication offsets the need for these smart token systems. It’s a classic security vs. business tradeoff. Do we really really need Chip and PIN in the US? Will it keep us more secure? Will it drop credit card fraud enough to offset the cost of replacing the infrastructure? Does it reduce merchant liability? Are RFID systems really being hacked for fun and profit? Not enough to warrant adoption today, at least.

Ultimately we’ll see smart cards with increasing frequency as things like multi-app EMV cards offer more business opportunities, but the motivator will not be security.

Fraud rates involving payment cards may be low, but it would be a good idea to get this technology in places where new technology is being put in. Probably healthcare and medical systems in the US.

One problem with fraud related to RFID is vehicle theft—and this exists both in Europe and the US in large enough amounts to start doing things differently. If we could focus more attention on security there, then we might be able to reap the use/abuse case benefits and effectiveness that come out of it later—when we do need stronger payment and identification systems.

By Andre Gironda

