Does Card Present Make Sense Any More? What Should It Look Like In A Year?

When a payments vendor last week touted a Webcam-based E-Commerce method that would be considered card present, it raised questions over whether the very concept of card present in a late-2011 retail world needs to be updated.

The vendor itself, Jumio, seems to be back-peddling on its claims, saying that its reference to card present ("Netswipe is the first and only solution that enables online card-present transactions") had nothing to do with interchange rates and was never intended to suggest that.

"We call it card-present transaction because you need the actual card to make a transaction. Not just a piece of paper with some written details," Jumio's Markus Rumler said in an E-mail. "We never stated that we support card-present interchange rates, at no point." For the record, the same news release that spoke of card present also said the technology was Patented, when it isn't. The patent claim "was our fault in wording, but it was fixed immediately after it was recognized. We apologize for that."

It's hard to envision a retail meaning of "card present" other than interchange, but that's beside the point. With mobile-payment trials in the wings from Google, PayPal, ISIS and Visa, among others, what should card present mean? Does it have to mean the actual card? Can it mean all the data—including Track 1 and 2—from such a card? As payment form factors evolve, does the interchange definition need to grow with them?

Let's start with what card present means today. As a practical matter, it's quite far removed from what a merchant pays when a customer presents a card in-person. First off, it excludes hotels, airlines and car-rental agencies. It then excludes reward cards and some business cards, among other things. MasterCard defines it as face-to-face, with the card in hand. A more specific definition is that the retailer needs to be able to access full Track 1 or 2 data.

One of the industry's largest processors, ChasePaymentech, says it's a "true face-to-face transaction, not a self-service terminal, where the consumer is standing in front of the merchant," said Robert Nadeau, the processor's group executive for enterprise products.

But do these definitions adequately address the retail realities of today and, much more critically, next year? What about Square Card Case? Its approach has consumers walking up to a POS associate with their phones, but the phones contain no payment-card data. They merely reflect a number, which the Square retailer uses to tell Square to place the charge. That's a face-to-face transaction, but it's clearly not what the card brands ever envisioned.

Come to think of it, what's the point of an in-person transaction? (PCI Columnist Walt Conway gives his QSA take on card present this week.) This is all about risk limitation.This is all about risk limitation. But associates don't typically inspect the payment cards. All they do is see the consumer swipe a card and then note that a verification code is displayed. What if we took Jumio's Webcam and reversed its application? What if the consumer has a card swipe in his home and the Webcam enables someone from, let's say, Amazon to witness the consumer swiping something? How is that any different from the consumer seeing the card swipe in the store?

The answer might involve the integrity of the card swipe. But when that integrity is violated today—consider Michaels Stores' recent card-swipe-swap headache—card present is not violated. Problems certainly happen. But in the context of card present, if the card swipe is not the issue, what is?

A lot of vendors are experimenting with non-traditional ways for retailers—and their associates—to interact with card data. Jumio wouldn't detail its approach, but 403 Labs QSA Randy Will speculated that the magic sauce involves the differences between a flat photograph and video. This is all about trying to determine if the card is really there—as opposed to being a simple photograph. Given how easy it is to create a bogus card if the thief has the correct card data, I'm not so sure what the point would be.

Still, Will has a theory as to how they are trying. "Based on the subtle movements when you hold a card up to a Webcam, shadows will change on the edges of the card and embossed characters. On a photocopy, all edges will remain constant," he said. "Also, holograms and metallic ink will have very different properties than a photocopy that can only be made out in video."

That raises the question of whether frequent E-Commerce shoppers would want to keep holding the card up in the air. Wouldn't they be more likely to angle the camera downward and shoot the card while it's lying flat on the desk or tabletop? "One thing I would be interested in trying is having a camera mounted in a steady tripod already pointed at a stationary card, which would basically reduce the video stream to a still image" and thereby negate almost all the security benefits.

What about EMV efforts? If the data on the chip can be transmitted, what is the anti-fraud benefit of in-person?

The brands and processors need to work out their own definitions, but this is yet another aspect of payment that may be virtually unrecognizable in a couple of years.