Visa’s recent announcement that essentially paved the way for wide-scale implementation of both EMV and contactless acceptance in the US was expected in some respects (based upon its earlier announcement in February), and surprising in others. Depending on where you sit in the electronic payments ecosystem, it could be a real positive, negative, or neutral.
Here’s what Visa said and our take on what it means. First, Visa announced that effective October 1, 2012, merchants that have at least 75% of their transactions originating from EMV contact and contactless chip-enabled terminals will no longer have to “validate [to Visa] their compliance with the PCI Data Security Standard for any year in which at least 75 percent of the merchant’s Visa transactions originate from chip-enabled terminals.” Note that merchants may need to continue to do so for the other card networks unless those networks follow Visa’s lead. Of course the merchant must still be PCI compliant, but that’s not the big story. This part of the announcement is consistent with their announcement a few months ago that applied to merchants outside the U.S. (Visa held off extending it to U.S. merchants pending announcement of the Fed’s final Durbin rules).
The bigger picture news, and unique to the U.S., is that to qualify, terminals must be enabled to support both EMV contact and contactless chip acceptance, a bit of a higher hurdle. If all Visa cared about was security, it wouldn’t have required the merchants to support both contact EMV and contactless (Visa Pay Wave) technologies. A good part of the rest of the world has implemented contact EMV only (with PIN) and pretty much eliminated both counterfeit and card present (CP) lost/stolen fraud in-market. But this announcement was about more than just security – it’s also about speeding up the adoption in the US of mobile payments.
What’s really a big impact here is that Visa is fundamentally compelling all card present merchants in the US to upgrade their card acceptance infrastructure to also support contactless payments. While Visa Pay Wave, MasterCard PayPass, Amex ExpressPay and other ‘tap/wave and go” technologies have been in the market for years, it’s probably fair to say that adoption could have been much better. The big story is that Visa’s move will accelerate the way for mobile payments with unprecedented scale. Think about it – within a few years, essentially every merchant in the US will have the basic infrastructure in place for mobile payments – and, perhaps more. Sure, there’s a lot more to be done, but what has probably been the biggest obstacle (POS systems) is soon to be removed.
If the merchant does not implement both EMV contact and contactless POS devices, they will be on the hook for counterfeit card losses, currently borne by the issuer, beginning in late 2015 – or late 2017 for fuel merchants. It’s interesting to note that there was no mention of interchange differentials, which were one of the carrots/ sticks used in other markets. Also, it implies that issuers will still be liable for lost/ stolen card fraud, which should be pretty negligible anyway as long as the merchant obtains a PIN/”no signature required tap”. We’re assuming Visa will flesh that out in more detail in the months to come.
Assuming the merchant implements the new terminals and gets a PIN/appropriate tap/wave, the fraud loss aspect shouldn’t be a big deal. Unless you are a card not present (CNP) merchant. As the numbers clearly demonstrated after EMV was implemented in the UK, card present fraud soon migrated to card-not-present merchants, which bore the liability for “I didn’t do it” chargebacks. While merchants can protect themselves with Verified by Visa, which many of them did, not all chargebacks are covered and merchant losses overall went up as a result. It’ll be interesting to see if US ecommerce/CNP merchants are prepared for this likely shift, particularly the smaller merchants. Net/net, it’ll probably be a “neutral” for larger CNP merchants with sophisticated fraud systems, and a boon for fraud tool providers and acquirers that figure out how to cost-effectively protect smaller merchants that don’t have the resources and know-how to implement and manage fraud tools with lots of dials and knobs.
It will be interesting to see if, at some point in the future, retail banks find it cost effective to issue some sort of device that generates a dynamic one time code from the chip card to better secure online banking sessions. There are a number of such offerings in the market today that I believe cost well under $10 in quantity, but retail banks would still have to bite the bullet and shoulder those one time hardware, distribution, education, and customer service costs to get them out to their customers. If they do, it is feasible that CNP merchants will be able to easily accommodate them (think dynamic 3 digit code that goes in the CVV2/CVC2 field) and significantly reduce their fraud prevention costs and fraud losses – if issuers support their use.
All in all for merchants, it’s a medium to long term win from a mobile marketing/ commerce perspective, and the cost benefits of the PCI scope reduction derived from the more secure EMV processing for larger merchants could be huge – if all of the card networks adopt a consistent approach.
For card issuers, it’s another story. Issuers in EMV countries have had a ton of heartburn over the fact that they’ve made big investments in EMV, only to see their cards’ mag-stripes counterfeited and used in non-EMV countries (like the US), with them still on the hook for the losses.
So what about the US issuers? Well, net/net we think it’s good news from a number of perspectives. First, they got someone else (the merchants) to do the heavy lifting to get EMV and contactless mobile payments enabled terminals in place (i.e., they probably won’t have to make any explicit interchange concessions or compensate the merchants to solve their fraud problem).
In light of Durbin, this is especially significant since the Fed did not distinguish between PIN and signature debit transaction pricing. While the signature/PIN differential more than offset the higher signature-based losses in the past, that clearly isn’t the case going forward, not to mention the fact that most large issuers’ revenues got cut significantly enough to make current signature-based fraud losses much more important than they were before.
Some are opining that issuers will save money by not having to issue plastic cards anymore. I suppose the day will eventually come when everyone is carrying a phone/device capable consummating an NFC transaction, and when all ATMs (and every dry cleaner’s terminals) are also NFC enabled. I just wouldn’t go out buying bank stocks on that cost savings quite yet.
Other winners and losers here? While “end to end” (really “point to point”) encryption solutions have been becoming more popular, those products should be obsoleted assuming the industry implements the new requirements in such a way that the PAN and any other sensitive data is both encrypted from the get-go and is accompanied by dynamic CVV/CVC values. While most of those are offered by the terminal manufacturers, they should still be net winners as their entire installed base of terminals is upgraded.
For those of us that travel overseas, our lives will be made much convenient as our cards will work more uniformly once we get out of the big tourist cities, and it will be nice to finally be able to use automated transit ticket machines that today don’t take mag-stripe cards. Plan your next European vacation for 2015 and beyond?
What about acquirers and their processors? For them, I believe it’s going to be somewhat difficult to get a decent ROI from their EMV investments. To the extent chargebacks go down, it means a loss of fee revenue charged to merchants. Having said that, with the majority of small/medium sized merchants’ terminals are already rented or leased, they could in theory charge another $5 or $10 a month, but that could also be competed away in the market (the incremental cost of an EMV/ contactless terminal is not that significant when considered over the estimated 7 year/84 month life of a typical countertop device). Maybe they can come up with a new revenue stream somewhere for EMV authentication. Maybe.
In summary, my sense is that Visa’s push forward, coupled with the assumption that the other networks follow suit is an important inflection point for the industry. Lots of things to like, and even those parties with less immediate benefit, have new opportunities in front of them. And as a true payments geek, I am so excited to be in a market where our entire POS infrastructure will be contactless enabled in just a few years. Exciting times indeed!
As long as the US POS infrastructure is about to be upgraded, what else might we think about changing- while we’re at it? Isn’t this the time to “go green” and eliminate paper receipts by, perhaps, providing an easy and consistent way for me to indicate to the POS that I want an email receipt and that I want it sent to this particular email address? Shouldn’t all that just be automatically included as part of the “next generation” purchase transaction? Similarly, for coupon/rewards redemption, shouldn’t that be similarly automatic?
Perhaps the biggest questions remaining revolve around how the industry comes together to define standards-based approaches to these needs? We look for more industry leadership to emerge addressing these opportunities.