EMV in the USA: A Mobile Commerce Jump Start. Who is Impacted and How?

by Allen Weinberg on August 22, 2011

in Uncategorized

Post image for EMV in the USA: A Mobile Commerce Jump Start. Who is Impacted and How?

Visa’s recent announcement that essentially paved the way for wide-scale implementation of both EMV and contactless acceptance in the US was expected in some respects (based upon its earlier announcement in February), and surprising in others. Depending on where you sit in the electronic payments ecosystem, it could be a real positive, negative, or neutral.

Here’s what Visa said and our take on what it means. First, Visa announced that effective October 1, 2012, merchants that have at least 75% of their transactions originating from EMV contact and contactless chip-enabled terminals will no longer have to “validate [to Visa] their compliance with the PCI Data Security Standard for any year in which at least 75 percent of the merchant’s Visa transactions originate from chip-enabled terminals.” Note that merchants may need to continue to do so for the other card networks unless those networks follow Visa’s lead. Of course the merchant must still be PCI compliant, but that’s not the big story. This part of the announcement is consistent with their announcement a few months ago that applied to merchants outside the U.S. (Visa held off extending it to U.S. merchants pending announcement of the Fed’s final Durbin rules).

The bigger picture news, and unique to the U.S., is that to qualify, terminals must be enabled to support both EMV contact and contactless chip acceptance, a bit of a higher hurdle. If all Visa cared about was security, it wouldn’t have required the merchants to support both contact EMV and contactless (Visa Pay Wave) technologies. A good part of the rest of the world has implemented contact EMV only (with PIN) and pretty much eliminated both counterfeit and card present (CP) lost/stolen fraud in-market. But this announcement was about more than just security – it’s also about speeding up the adoption in the US of mobile payments.

What’s really a big impact here is that Visa is fundamentally compelling all card present merchants in the US to upgrade their card acceptance infrastructure to also support contactless payments. While Visa Pay Wave, MasterCard PayPass, Amex ExpressPay and other ‘tap/wave and go” technologies have been in the market for years, it’s probably fair to say that adoption could have been much better. The big story is that Visa’s move will accelerate the way for mobile payments with unprecedented scale. Think about it – within a few years, essentially every merchant in the US will have the basic infrastructure in place for mobile payments – and, perhaps more. Sure, there’s a lot more to be done, but what has probably been the biggest obstacle (POS systems) is soon to be removed.

If the merchant does not implement both EMV contact and contactless POS devices, they will be on the hook for counterfeit card losses, currently borne by the issuer, beginning in late 2015 – or late 2017 for fuel merchants. It’s interesting to note that there was no mention of interchange differentials, which were one of the carrots/ sticks used in other markets. Also, it implies that issuers will still be liable for lost/ stolen card fraud, which should be pretty negligible anyway as long as the merchant obtains a PIN/”no signature required tap”. We’re assuming Visa will flesh that out in more detail in the months to come.

Assuming the merchant implements the new terminals and gets a PIN/appropriate tap/wave, the fraud loss aspect shouldn’t be a big deal. Unless you are a card not present (CNP) merchant. As the numbers clearly demonstrated after EMV was implemented in the UK, card present fraud soon migrated to card-not-present merchants, which bore the liability for “I didn’t do it” chargebacks. While merchants can protect themselves with Verified by Visa, which many of them did, not all chargebacks are covered and merchant losses overall went up as a result. It’ll be interesting to see if US ecommerce/CNP merchants are prepared for this likely shift, particularly the smaller merchants. Net/net, it’ll probably be a “neutral” for larger CNP merchants with sophisticated fraud systems, and a boon for fraud tool providers and acquirers that figure out how to cost-effectively protect smaller merchants that don’t have the resources and know-how to implement and manage fraud tools with lots of dials and knobs.

It will be interesting to see if, at some point in the future, retail banks find it cost effective to issue some sort of device that generates a dynamic one time code from the chip card to better secure online banking sessions. There are a number of such offerings in the market today that I believe cost well under $10 in quantity, but retail banks would still have to bite the bullet and shoulder those one time hardware, distribution, education, and customer service costs to get them out to their customers. If they do, it is feasible that CNP merchants will be able to easily accommodate them (think dynamic 3 digit code that goes in the CVV2/CVC2 field) and significantly reduce their fraud prevention costs and fraud losses – if issuers support their use.

All in all for merchants, it’s a medium to long term win from a mobile marketing/ commerce perspective, and the cost benefits of the PCI scope reduction derived from the more secure EMV processing for larger merchants could be huge – if all of the card networks adopt a consistent approach.

For card issuers, it’s another story. Issuers in EMV countries have had a ton of heartburn over the fact that they’ve made big investments in EMV, only to see their cards’ mag-stripes counterfeited and used in non-EMV countries (like the US), with them still on the hook for the losses.

So what about the US issuers? Well, net/net we think it’s good news from a number of perspectives. First, they got someone else (the merchants) to do the heavy lifting to get EMV and contactless mobile payments enabled terminals in place (i.e., they probably won’t have to make any explicit interchange concessions or compensate the merchants to solve their fraud problem).

In light of Durbin, this is especially significant since the Fed did not distinguish between PIN and signature debit transaction pricing. While the signature/PIN differential more than offset the higher signature-based losses in the past, that clearly isn’t the case going forward, not to mention the fact that most large issuers’ revenues got cut significantly enough to make current signature-based fraud losses much more important than they were before.

Some are opining that issuers will save money by not having to issue plastic cards anymore. I suppose the day will eventually come when everyone is carrying a phone/device capable consummating an NFC transaction, and when all ATMs (and every dry cleaner’s terminals) are also NFC enabled. I just wouldn’t go out buying bank stocks on that cost savings quite yet.

Other winners and losers here? While “end to end” (really “point to point”) encryption solutions have been becoming more popular, those products should be obsoleted assuming the industry implements the new requirements in such a way that the PAN and any other sensitive data is both encrypted from the get-go and is accompanied by dynamic CVV/CVC values. While most of those are offered by the terminal manufacturers, they should still be net winners as their entire installed base of terminals is upgraded.

For those of us that travel overseas, our lives will be made much convenient as our cards will work more uniformly once we get out of the big tourist cities, and it will be nice to finally be able to use automated transit ticket machines that today don’t take mag-stripe cards. Plan your next European vacation for 2015 and beyond?

What about acquirers and their processors? For them, I believe it’s going to be somewhat difficult to get a decent ROI from their EMV investments. To the extent chargebacks go down, it means a loss of fee revenue charged to merchants. Having said that, with the majority of small/medium sized merchants’ terminals are already rented or leased, they could in theory charge another $5 or $10 a month, but that could also be competed away in the market (the incremental cost of an EMV/ contactless terminal is not that significant when considered over the estimated 7 year/84 month life of a typical countertop device). Maybe they can come up with a new revenue stream somewhere for EMV authentication. Maybe.

In summary, my sense is that Visa’s push forward, coupled with the assumption that the other networks follow suit is an important inflection point for the industry. Lots of things to like, and even those parties with less immediate benefit, have new opportunities in front of them. And as a true payments geek, I am so excited to be in a market where our entire POS infrastructure will be contactless enabled in just a few years. Exciting times indeed!

As long as the US POS infrastructure is about to be upgraded, what else might we think about changing- while we’re at it? Isn’t this the time to “go green” and eliminate paper receipts by, perhaps, providing an easy and consistent way for me to indicate to the POS that I want an email receipt and that I want it sent to this particular email address? Shouldn’t all that just be automatically included as part of the “next generation” purchase transaction? Similarly, for coupon/rewards redemption, shouldn’t that be similarly automatic?

Perhaps the biggest questions remaining revolve around how the industry comes together to define standards-based approaches to these needs? We look for more industry leadership to emerge addressing these opportunities.

{ 9 comments… read them below or add one }

Dave Birch August 23, 2011 at 5:52 pm

Allen,

I’m surprised how few banks in EMV-issuing countries actually use any of the EMV capabilities (e.g., putting credit and debit on the same card, adding online authentication applications, doing dynamic risk management and so on) and I think this may be an area where the US banks can learn from practical experiences of others. The US goal shouldn’t be to emulate Europe’s deployment but to learn from it and build something better. One idea – put contactless prepaid on the same card as debit for fast touch-and-go transit, vending kind of transactions.

Regards,
Dave.

Reply

Allen Weinberg August 23, 2011 at 6:10 pm

Dave – agree completely re: how great it would be if we could leapfrog the less creative EMV incumbent countries. The terminal software would, of course, have to be capable of handling the new functionality (sorta like they have in Brazil, where customers can specify at the POS whether they want the sale to be paid back in installments).

But as I say at the end of the post, this is an unprecedented opportunity to think big since we’ll have the “hood open” on all the systems!

Best,

Allen

Reply

Tony Abruzzio August 24, 2011 at 4:22 am

Alan,

Well written article. Great job.

Best regards,

Tony

Reply

Ann Cunningham August 24, 2011 at 9:33 am

Alan, I agree with your insights! And, yes, it’s time to innovate if the payments infrastructure is under a major change. Enjoyed the article. Warmest regards, Ann

Reply

David Gudjonsson September 14, 2011 at 5:11 am

Great summary of the EMV impact and the affected players. The best I’ve seen so far!

Overall I agree with you that it’ll be a net win in the medium and long run for most players in the ecosystem. However, I think the processors and acquirers with legacy systems might struggle, as competition from EMV ready Europe/Canada might start to come in.

And then there is one set of players you missed out, the MNOs. They seem at least convinced themselves that they’ll benefit and some of them might even be tempted to take on an acquirer/processor role in order to secure their %.

Best regards,
David

Reply

Martin Gloor March 18, 2012 at 7:04 am

Allen, great blog. Thanks for sharing your insights.
I wonder how the lost and stolen card topic will work for the issuers, as I think the merchants will opt for non-PIN touch and go solutions. This is also backed by VISA itself wanting to have a non-PIN / always online model (http://blog.visa.com/2012/01/13/as-u-s-chip-adoption-advances-visa-provides-guidance/). As well very intresting are solutions like Square that still enable magstripe fraud. Eventhough the liabilty on that end is shifted to the merchants…
As for the think big in the future: I wonder if this is the first step to actually get rid of the card schemes. In the end of the day, any payment is just the move of money from one account to another. With nowadays technology, why would we need card shemes? What do you think about that?
My collegue Daniel wrote an interesting blog about that by the way (blog.abrantix.com).

Reply

Allen Weinberg March 18, 2012 at 11:02 am

Hi Martin,

My general feeling is that issuers will be no worse off than they are today with respect to lost/stolen cards. The upside is that they could, in theory, require PINs in higher risk situations (high dollar value, out of pattern, overseas txns) or if someone habitually loses their card.

That will, of course, be easier with debit cards since cardholders know their PINs because they use ATMs; it may or may not be a bit harder getting consumers to remember their PINs for their credit cards, unless they go to the trouble to change those PINs to be the same as their ATM PINs.

As far as disintermediating the networks, easy to do so for auths per se. Having said that, the networks do add some value by seeing the txns (Visa/MC fraud algorithms for issuers and merchants, CVC/CVV checking, etc.), but I get your point. I think it would be a bit more unwieldy on the settlement side unless the acquirers step in and replicate the network’s settlement functions such that a merchant only receives one deposit each day. Easier said than done, I think…

Reply

Guillermo Martínez April 26, 2012 at 10:36 am

Allen, nice and accurate approach to industry trends…

I kept asking myself what is about to happen with just out POS suppliers, as for ex; Square, Intuit… cause I´ve heard of some new players which are coming up with some interesting low cost solution for EMV, but only compatible with contact interface.

Now that Visa is persuading the industry to go strait to dual-interface (contact/contactless) you think merchants will adopt the trend rapidly or there is still time for revenue in suppliers of EMV contact only interface ?

Thanks for the post,
Guille

Reply

Allen Weinberg April 26, 2012 at 11:30 am

Hi Guille,

I think both are still a bit out there from a timing perspective.

My sense from talking to my contacts on the front lines (hardware manufacturers, big merchants, ISOs, etc.) is that the large/big box retailers will be right there with contact EMV. It will likely take much several more years to get to the “long tail” — the dry cleaners, corner stores, etc. that aren’t exactly getting flooded by counterfeit cards anyway. Remember that the liability shifts only apply to counterfeit, at least so far; since it looks like issuer’s will be allowed “Chip and Choice” vs. having PINs mandated, it’s hard to hold the merchants any more liable than they are today (having said that, the networks could in theory do all sorts of things, such as hold the merchants liable for lost stolen in the issuer has gone down the PIN path, but leave the the lost/stolen liability with the issuer if they don’t mandate PINs).

As far a contactless, the merchants that will be most attracted to it are those that believe they will benefit from the marketing benefits (single-tap offer redemption and payment and such). For merchants to install NFC-enabled terminals, they’ll have to feel the timing will be close enough re: NFC enabled devices from the US carriers/phone manufacturers.

Anyway, just my hypotheses. Happy to hear other opinions.

Reply

Leave a Comment

Previous post:

Next post:

Clicky Web Analytics