Fish and chips (and PINs)
Still, PCI and EMV have many practical limitations that often defeat their very sophistication. For one thing, they depend on retailer compliance and specialized hardware that is expensive to acquire and deploy; while widely used in Europe and Canada, for example, chip-and-PIN isn't due to be broadly rolled out in the U.S. until 2015 at the earliest. Even then, the infrastructure change will be at a significant cost to merchants, who are unlikely to welcome the investment in the current economic climate. And, until chips become mandatory everywhere, cards will continue to support old magnetic-track technology, which still leaves customers and merchants open to massive fraud.
Most importantly, cards must rely on the merchant to communicate with issuer networks; this makes them little more than passive participants in the process—and, if a flaw is found in the chip-and-PIN technology, it makes the merchants ideal targets through which criminals can continue to collect millions of cards that can be resold on the black market.
Enter smartphones: Unlike a credit or debit card, they are autonomously powered and can independently connect to card issuers over the Internet. Combined with their increasing ubiquity, their capabilities have the potential to change the way we pay for everything from groceries to online purchases in just a few short years.
Can you charge me now?
Because a smartphone does not need to depend on the merchant for communication and power, it can turn the payment process on its head: Instead of asking merchants to connect to card issuers on your behalf, the merchants themselves could ask your phone to connect directly to Visa and MasterCard, and authorize the transfer of money from your account to theirs.
Because the merchant never gets to see any information about your card, the opportunity for them to inadvertently become conduits for fraud is greatly diminished—as is their effective liability and your possible exposure to theft: It's relatively easy and cost-effective for a criminal organization to "bug" each store of a retail chain with modified hardware and collect large amounts of card data, but they'd have to compromise each user's device individually in order to achieve the same effect if we relied on our own devices to process our transactions.

The process could work like this: The cashier scans your products, and your total appears on the cash register's screen alongside a barcode that you can scan with your phone's camera. A dedicated app asks you to confirm the purchase with your PIN, then contacts your card issuer over the Internet and authorizes the transaction. The authorization is relayed to your merchant's cash register, and the entire process is completed in essentially the same amount of time taken by a traditional swipe transaction.
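The flow described above, sketched as an added example (not code from the article or from any payment network): the register issues a request, the phone sends it to the issuer with the card data and PIN, and the register checks the returned authorization without ever seeing the card. The shared HMAC key, the field names, the issuer-side PIN check and the sample account are all assumptions made for illustration.

```python
import hashlib
import hmac
import json
import secrets

# Assumption: issuer and merchant share a key set up when the merchant enrolls.
MERCHANT_KEY = b"constructed-demo-key"
# Constructed issuer-side record: card number -> PIN and balance in cents.
ACCOUNTS = {"4000000000000002": {"pin": "4921", "balance": 10_000}}
SEEN_NONCES = set()  # issuer-side replay protection


def merchant_request(merchant_id, amount_cents):
    """Cash register: the payload encoded in the barcode the customer scans."""
    return {"merchant": merchant_id, "amount": amount_cents,
            "nonce": secrets.token_hex(8)}


def tag(body):
    """HMAC over a canonical JSON encoding of the authorization body."""
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(MERCHANT_KEY, msg, hashlib.sha256).hexdigest()


def issuer_authorize(request, card_number, pin):
    """Issuer: contacted by the phone directly, so card data bypasses the merchant."""
    acct = ACCOUNTS.get(card_number)
    if acct is None or not hmac.compare_digest(acct["pin"], pin):
        return None  # unknown card or wrong PIN
    if request["nonce"] in SEEN_NONCES or acct["balance"] < request["amount"]:
        return None  # replayed request or insufficient funds
    SEEN_NONCES.add(request["nonce"])
    acct["balance"] -= request["amount"]
    body = dict(request, approved=True)  # contains no card number or PIN
    return {"body": body, "tag": tag(body)}


def merchant_verify(request, auth):
    """Cash register: accept only a genuine authorization for its own request."""
    if auth is None:
        return False
    bound = auth["body"] == dict(request, approved=True)
    return bound and hmac.compare_digest(auth["tag"], tag(auth["body"]))
```

Because the authorization is bound to the register's nonce and amount, a captured approval cannot be reused for a different sale, and nothing the register receives is worth reselling as card data.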