Computer Reseller News

Chips with everything

August 22, 2004

By Ken Young

The retail industry's switch to chip-and-PIN technology and the increasing use of biometrics in finance and government presents new opportunities for resellers

Credit-card fraud is generally bad news for everyone involved except the fraudster, but for resellers with skills in either security, retailing or authentication technology it can have a positive side. New technology is being marshalled to improve identity management to stamp out fraud.

Something of a retailing revolution is seeing signatures being replaced with technology that will mean credit-card users keying four-digit personal identity numbers (PINs) into keypad devices rather than writing their signatures.

This chip-and-PIN technology brings a range of opportunities to sell hardware, software and services. Meanwhile, further down the road, the climate of high security is creating interest in biometrics for authentication techniques.

Although the initial target date for the big switch-over is January 2005, the shift to chip and PIN is about halfway to completion. Banks are issuing customers with Europay Mastercard Visa (EMV) cards with PINs; retailers are installing new software, hardware and systems; and the first major trial has taken place.

For resellers the immediate opportunity is supplying new devices and network systems. There is a wide range of card readers and entry devices on the market, and increasingly retailers want to connect these devices to their networks, as opposed to telephone lines to increase connection speeds.

There is also something of an opportunity for consultancy and training. A quarter of UK retailers are still confused about the benefits of migrating to chip and PIN, only six months before the deadline to embrace the next-generation credit-card standard comes into effect, according to a survey by software firm Retail Logic.

Most significantly, more than 20 per cent of retailers said they are putting off the upgrade to chip and PIN until the next upgrade of POS equipment. This would leave full conversion until about 2010.

Over 56 per cent of those polled said the complexity of accreditation or lack of clear guidance from the banks are major hurdles. Nevertheless, 53 per cent said they will hit the 1 January 2005 deadline for having new terminals up and running.

And they need to do it. The liability for fraudulent transactions will shift from banks to those retailers not yet chip-and-PIN-compliant on 1 January - something that is not forgotten when sales representatives pitch the new technology at the UK's retail laggards.

Meanwhile, the banks have their work cut out too. They are spending an estimated £300m to deploy cards and new POS infrastructure.

Card industry body the Association for Payment Clearing Services warns that it will take two to three years to take effect, and it is widely predicted that fraudsters will merely shift to cheque fraud - what banks call the new 'weakest link' - bringing renewed focus on online security.

No one is underplaying the task of conversion. With more than 850,000 shop terminals, 122 million cards and 40,000 cash machines being upgraded - and 2.7 million retail staff being trained - few doubt that deadlines will slip. The total cost to banks and retailers is estimated to be £1.1bn.

Not surprisingly, many resellers fight shy of the retail sector, with its long-established suppliers, niche resellers, and the direct involvement of banks. Verifone, a leading device supplier, sells direct to larger retailers through a channel of electronic-point-of-sale (EPOS) resellers for lower-tier retailers.

But Richard Crookstone, marketing director at Verifone, says the complexity of the sector means firms such as Verifone have a web of alliances.

"We have 20 partners and work closely with a number of resellers and system integrators to deliver different kinds of solutions," he says.

For example, Commidea (a developer and provider of card payment processing systems) takes the hardware and software to offer an outsourced ASP solution.

But Crookstone foresees more involvement from integrators because of the flexibility of chip and PIN. "The beauty is that all sorts of connectivity is possible," he says.

While the cheapest solution for most retailers is to bolt on new chip-and-PIN devices to existing EPOS terminals, some see it as an opportunity to replace existing terminals and upgrade their networks.

Superdrug, for example, has announced that it has contracted Wincor Nixdorf to replace tills at its 700 UK stores in time for the January deadline. The tills will use Mosaic's EMV-compliant technology linked to 'intuitive' cashier software from Retalix.

Even greater opportunities exist where retailers are taking the opportunity to use the switch-over to better integrate their supply chains. Harvey Nichols and Waterstones are both converting to chip and PIN to integrate their supply chains and EPOS systems.

But it can also be a reason for centralising IT and implementing voice over IP (VoIP). Allders has outsourced the management of its chip-and-PIN conversion to CSC as part of a £30m deal to centralise IT. The firm is installing new terminals connected over a VoIP network linking 45 stores and 1,500 EPOS terminals.

Allders also expects the network to cut telephony costs significantly and centralise voice and data services, thus reducing store visits for the IT department.

Such outsourcing represents a growing opportunity for resellers. For example, St Helens-based Cybertill offers a complete outsourced service for chip and PIN, including creating a web site allowing retailers real-time access to sales data from any browser. Cybertill has just recruited a channel manager and is seeking resellers.

Reselling broadband services is also likely to be a key beneficiary of chip and PIN, according to Alex Bennett, product manager at Thus.

"We are seeing a growing uptake of PaDSL, essentially a private ADSL [Asymmetric Digital Subscriber Line] network that allows retailers to have a dedicated IP network or to share network links with up to four others," he says.

Bennett estimates that the saving over a leased-line connection can be up to 30 per cent, and that it can form the basis for migration to VoIP services, support instant authentication by prioritising chip-and-PIN transactions, and support in-store kiosks and online advertising boards.

Some also believe chip and PIN will herald a new age of 'unattended' vending. Nick McGarvey, managing director of Creditcall, a supplier of chip-and-PIN software, says foreign automated shopping vendors are champing at the bit.

"They have been waiting for this so that they can automate sales of alcohol, beer and other products. Because of theft vendors do not want vending machines to take cash any more, so it means a whole range of new applications are possible," he says.

At the very least a lot of chip-and-PIN technology will be sold over the next two years. Retailers need EMV level-one chip card readers, secure PIN entry devices, and EMV level-two certified application software. Newer devices combine all of this in one unit, making it a simpler sale.

Chip-and-PIN authentication is a relatively easy means of allowing a user to confirm they are the owner of a card, and is harder to defraud than the traditional signature system, although some fraud is expected as a result of PIN numbers being stolen.

Meanwhile, biometrics, which shifts the question of identity to a physical or behavioural aspect of the person that can be measured automatically, is seen as the future of authentication, if and when the technology is accurate and cheap enough. Few doubt it has the potential to transform current password and payment systems.

In retailing, biometrics may arrive sooner than some expect. For example, in the US a video rental retailer is using fingerprint scanning from a firm called Pay by Touch. Customers pre-register for use, then they need only to provide a PIN and fingerprint to authorise payment from their credit cards.

In the UK, three Co-op stores are also trialling a fingerprint system from Optimal Robotics for age authentication when customers are buying alcohol at a self-checkout. The Co-0p has also begun a trial of Pay by Touch technology.

Mark Boulding, a senior analyst at Quocirca, believes biometrics is a question of scale. "At the moment it's less practical than PIN technology because it is limited to a finite number of fingerprints. The other factor is there are a lot of privacy concerns for the public at large," he says.

Currently great interest surrounds the development of biometrics for passports and for the proposed national identity card. But there is concern about the problems of matching individuals with huge databases of information.

For example, iris scanning is currently being tested at some airports, but experts point out that even if it is 99.9 per cent accurate, with 60 million passengers a year, about 63,000 passengers would be falsely identified each year.

Critics also point out that a database is only effective if it holds data on all expected individuals, which is unlikely in the case of fraudsters and terrorists.

To make matters worse a government report of its recent biometric trial showed that a massive seven per cent of iris scans could fail due to watery eyes, eyelashes and hard contact lenses.

John Elliot, principal consultant at Consult Hyperion, claims database problems are being overcome.

"The computing industry is used to huge transaction-processing systems. The problem lies more with fingerprints, where it is likely that the system will return 10 possibles when trying to match an individual with the database, but that problem goes away when you are just matching a person with a range of other data in addition to their fingerprint," he says.

But for resellers the main opportunities are in commercial use in authentication for automatic teller machines, mobile phones, smart cards, desktop PCs, workstations and networks. Fingerprint scanning looks likely to grow fastest of all the biometric technologies, and according to the International Biometric Group (IBG), it already accounts for 60 per cent of all biometric technology in use.

In defiance of critics who say biometrics technology is embryonic at best, IBG predicts a worldwide market worth £2bn by 2008.

Meanwhile, speaking at the recent RSA Security Conference, Bill Gates, chief software architect at Microsoft, predicted the death knell of the traditional password, pointing out how many weaknesses there are in most people's use of such self-created ID.

While most IT managers see fingerprint systems as beyond budget or overkill, Aberdeen Research Group recently estimated that configuring and maintaining password systems costs about £230 per user per year, compared with about £130 for a desktop fingerprint reader. Fingerprint systems also make the Holy Grail of single sign-on more attainable.

Nevertheless, the press release stating Microsoft staff have switched over to fingerprint passwords has yet to emerge.

Panasonic, which is supplying iris recognition technology for the UK government ID card trials, believes the technology is ready for commercial settings.

Sean Taylor, business development manager for iris recognition products at Panasonic, says resellers should start to identify solutions in finance and server-room settings. He also believes biometrics has a place in reducing attendance fraud.

"Iris recognition can also reduce authentication time and reduce fraud significantly when used on time and attendance systems by eliminating 'buddy' sign-ins [staff clocking in for workmates]."

Biometrics also has a place in reducing signature fraud. Working with Cybern Consulting, the London Borough of Hillingdon has installed a biometric signature system in its housing department to reduce fraud in relation to housing homeless families.

When clients sign a new tenancy agreement the speed, pressure and size of their signature is stored so that it can be matched with previous samples. The council says the system is helping to reduce bed-and-breakfast scams where clients have forged signatures or signed in advance for days in rooms that have not been taken up.

John Elliot agrees that biometrics is filtering through to commercial IT contracts. "Initially banks said they were not interested and clearly they want to bed chip and PIN down first, but I am now seeing it on their 10-year roadmaps. They are starting to believe that biometrics is part of what is next," he says.

Elliot claims the key problem with biometrics is that all sorts of figures on reliability get published in the media, often giving the wrong impression. "It's application-specific, so error rates are misleading," he says.

Elliot adds that those who claim new systems don't work are oblivious to current activity. "Most countries already share vast fingerprint databases for crime prevention. It's only a matter of time before such databases grow in reach," he says.

But critics recently gained a significant victory, thanks to the work of Maria Sandstrom of Linkoping University in Sweden, who used jelly applied to fingertips to see if it was possible to fool current fingerprint technology. She found that nine out of nine devices tested were fooled.

Experts in the field are sanguine about the future.

Biometrics expert Michelle Shen, founder of ePolymath Consulting, says: "If biometric technologies fail to deliver, which is very likely in the next five years, most of the biometric vendors will be stuck in the chasm unless proper strategies are chosen to help cross the chasm - and fast."