EMV in the US, I Still Can’t Figure Out Why?

Way back in July 2013 I wrote the blog; “Why the US Will Not Adopt EMV (Chip & PIN)”, which, given the current state of EMV adoption in the US, was wayyyy off the mark.

My broken crystal ball aside, – hey, if I was any good at predictions I’d be blogging from my yacht anchored in the Med, not from my kitchen in Barnes – I still can’t figure out why the US would spend billions upon billions of dollars on EMV without demanding that those players with the greatest vested interest in ‘plastic’ build in a more permanent ROI.

Those players are:

  1. The Card Brands: This one is a given, any move away from plastic and towards mobile is one step closer to obsolescence (yes, I am ignoring EMV tokenisation, for many reasons).
  2. Issuers: Also a given, what ELSE are they going to do?
  3. Acquirers / PSPs: They have the best chance of segueing their current position into bringing their merchant-base future-proofed payment innovations and value-add services designed to improve the ‘consumer journey’.
  4. Terminal/PED Manufacturers: Once the US has spent billions replacing their mag stripe PEDs with Chip / Contactless, what is left for PED makers to do? When the whole world finally works out that mobile phones and wearables only need something to read them (e.g. another bloody phone), why buy crappy, massively expensive, devices that do next to nothing to improve the customer’s shopping experience?

These players have been around for so long that they are seen as the de facto standard, while all along they have been intermediaries designed only to make non-cash payments safe. To make them trusted. And they did a superb job, so superb in fact that it has taken technology almost SIXTY years to find something better! We went from the first production car to landing on the bloody MOON in the same time!

But it’s here now, and it’s been here since Apple created the iPhone. A device capable of so many modes of every factor of authentication, that we can really start calling it Identity Assurance, which is the foundation of the only thing on which a payment is truly based; trust.

A credit card number, regardless of where it’s stored, how it’s stored, or even if it’s tokenised, will never be able to match what my phone can do.

For years now, the functionality of mobile devices has been perfectly placed to provide alternatives to plastic; e-wallets, direct debit, merchant-side tokens, even block chains, but here we are, in 2015, and we are still spending billions on the same technology our parents or even grandparents first used back in the 60’s.

Again, why?

Let me answer that with another question; How do YOU want to pay for things in a store? If whatever you wanted in payment technology could come true tomorrow, what would it look like?

The odds are that unless you’re in the payments innovation line of work, you really have no idea. You just want it to be painless, convenient, and if you’ve had issues in the past, safe. Payment cards are so much part of our lives that we cannot even imagine anything simpler. It’s only when you know what goes on in the background that the true cost of plastic comes to light.

From interchange fees, to PCI compliance, to fraud, to PEDs, to the plastic cards themselves, taking card payments is a massively expensive undertaking, and if you think those costs are not passed down to us, the consumers, then I have a bridge to sell you.

But you really can’t blame the consumer, we are not the ones who live and die at the whim of consumers in general …but retailers do. Would Walmart be as big if they only took cash? Of course not, they NEED non-cash payments, but what if the top TEN retailers in America had told the card brands that the first one to negate the need for EMV got ALL their business, can you imagine what would have happened?

Top 10 Retailer’s Revenue in 2013

Rank  Retailer          Rev. (USD Millions)
1     Wal-Mart          $ 334,302.00
2     Kroger            $  93,598.00
3     Costco            $  74,740.00
4     Target            $  71,279.00
5     The Home Depot    $  69,951.00
6     Walgreen          $  68,068.00
7     CVS Caremark      $  65,618.00
8     Lowe’s            $  52,210.00
9     Amazon.com        $  43,962.00
10    Safeway           $  37,534.00
      Total             $ 911,262.00

That’s close to 1 TRILLION USD, the lion’s share of which was accepted through plastic.

And what could Target have done with the $100M they spent on new PEDs, or the millions they are paying in fines and reparations for their 2013 breach? I point not to their ridiculous back-end processes as the cause of their woes, but their inability to focus on the true cause of their vulnerability; their inability to innovate collaboratively.

I guess, in retrospect, EMV in the US was inevitable, without consumer pressure for alternatives the retail industry just followed along like sheep, perhaps assuming payment cards were some kind of ‘official’ mandate. They are not, and the retail industry in the US missed an incredible opportunity for change. Now all they’ve done is set themselves up to not only pay for the ‘new’ infrastructure (at least up front), but to pay for the fraud as well.

While not entirely appropriate, it’s one of my favourite sayings, and applies to every level in the payment food-chain, including the consumer.

“You are not entitled to your opinion. You are entitled to your informed opinion. No one is entitled to be ignorant.”

― Harlan Ellison

EMV Liability Shift, How Mobile Authentication Can Ease the Pain

In October of this year, any merchant in the US who does not demonstrate the ability to accept EMV transactions can be deemed liable for the fraud associated with counterfeit cards.

That’s only 5 months from now.

Most people in the EU can’t really understand the confusion this has generated – we’ve had chip & PIN for well over a decade – but for the population of the US, swipe & signature is as natural as handing over cash. Retailers are rightly concerned that adoption will be a slow and painful process, but that may not be their biggest concern.

Estimates of the cost of transition from magnetic stripe to chip range from 12 (mine) – 33 (the press) billion USD, and the lion’s share of this will fall to the retailers who must replace their existing payment entry devices (PEDs) with chip compatible ones. The chances are good that this expense was not in their long-term costings, and bringing forward the end-of-life of their PED infrastructure is simply not an option in an industry where profit margins are razor thin.

But the thing that few people realise is that while the chip alone is a positive factor in fraud reduction (anti-counterfeit), the greatest benefit of the roll-out of EMV is only achieved when in conjunction with the use of a 4 digit Personal Identification Number (PIN). This effectively adds a second factor of authentication (the card is something you have, your PIN is something you know) making card present transactions significantly more secure. PIN alone would have significant positive impact as well.

It follows therefore that while organisations scramble to comply with the letter of EMV, there already exists in almost everyone’s pocket the capability to provide not just a PIN, but multiple forms of authentication and value-add services that far exceed the benefits of the chip; the mobile phone.

Even the loss of the Primary Account Number (PAN), which is the largest cause of card related fraud, is meaningless if the thief can’t complete the transaction. Add to this the numerous benefits of instant coupons, loyalty programs and even ratings & reviews, and the retailer now has the capability to enhance the customer journey while meeting the intent of EMV.

Neither the card issuers nor even the card schemes themselves are fixated on EMV itself, they are only truly interested in reducing fraud. Retailers share this goal, even if they do not entirely agree with the way to get there.

It is up to authentication vendors to provide alternatives, and get those alternatives tested, real-world proven, and on the table. This will not be authentication vendors alone, or mobile device manufacturers alone, and the result will not be a decision made by card schemes alone. This will be a collaboration between ALL players, and will only work if everyone comes away a winner.

Especially the consumer.

[Ed. Written in collaboration with www.myPINpad.com]

EMV in the US, a 12 BILLION Dollar Mistake

In continuation of my crusade against EMV in general, the card schemes have announced an end to issuer-only fraud liability for non-chip transactions starting in October 2015. The so-called ‘liability shift’.

For those who don’t know, it’s the issuers of the credit card that accept the liability for fraud during a branded credit card transaction, which is why they receive the lion’s share of the fees associated with the transaction (interchange fees). But now, if the merchant does not upgrade their point-of-sale terminals to those capable of accepting chip cards, it’s the merchant who suffers the fraud loss. Same thing goes for a consumer who wants to continue using swipe & signature cards.

While I assume that those with disabilities, and / or the elderly will be given the option to not change to chip & PIN, the fact remains that the enormous cost of the transition to this ‘new’ technology will not be borne by those who have basically created the problem over the course of over 60 years; the card brands. It will be the consumer …eventually, because the merchants / retailers will have to recoup their up front costs.

And all this just to keep taking credit cards!

Why do retailers and banks STILL see credit cards as the only form of non-cash payment? Why DO the card brands have so much power over end-user payments technology when there are ‘only’ ~6 billion credit cards in the world and >7 billion mobile phones? On top of that, mobile phones have a far wider distribution than an EMV infrastructure can EVER hope to duplicate, and you have what I would see as a very simple choice in how to transition away from plastic.

I’ve said it repeatedly; payments is NOT about the FORM of payment, it’s about authentication of the individual to the organisation holding the funds (usually a bank), and NO form of account-detail-up-front (read credit card number, even a token of one) can ever be as secure as one protected by proper identity management. Yes, even on a mobile device.

What the US retailers are going to do is spend an absolute fortune on a payment acceptance technology that will be impossible to upgrade to anything else, nor will it be anywhere near as flexible for those retailers wishing to innovate in new forms of value-add services and marketing drives.

I have no problem with the card brands making a ton of money, that’s business and they do have a lot to add in the payment arena, but to continue the push for EMV is as horrendously self-serving as it is pointless. If it’s not them pushing for it, and it’s actually the Fed, then THEY should do their homework and talk to the retailers.

However, if the retailers aren’t going to do anything about this, then it pretty much serves them right.

For example; What card brand or issuer is going to tell Walmart that they can’t use an EMV alternative that has been shown to have a similar security profile AND infinitely greater business benefits? Can you really see them giving up a multi-million dollar revenue stream just to enforce a patch on a 60+ year old technology?

No, neither can I.

Target: Yep, They Made The Worst Decision Imaginable

In the most ridiculous decision possible, Target have agreed to ACCELERATE their ‘smart card rollout’ to the tune of about $100M;

Target to accelerate $100 million chip-enabled smart card program: CFO, Reuters, Feb 03, 2014

Let me say that again; ONE HUNDRED MILLION DOLLARS!

How exactly are these new smart cards (which is EMV / Chip & PIN obviously) going to reduce “cyber theft” when they do absolutely nothing except prevent card present fraud? It’s not as though this amazing chip-enabled technology actually encrypts the cardholder data point-to-point (that’s a terminal function, if available), so it doesn’t stop Target saving the data post-auth. And because not ALL US retailers and merchants are going to accelerate THEIR programs, Target have done nothing to prevent the real menace; card NOT present fraud.

What are they going to do when their customers start demanding other forms of payment, like mobile? Or when they start losing market share because value-add services won’t integrate with their shiny new static-function payment terminals? Spend ANOTHER $100M?

I’ve said it a hundred times, payments is NOT about the payment functionality itself, it’s about the AUTHENTICATION of the individual trying to MAKE the payment. In that, Target are completely missing the point.

If this is pressure from the card brands shame on them, if it’s pressure from ‘Government regulators’, shame on THEM, but if this is just Target being short-sighted and throwing good money after bad, then I hope their share-holders wake up before it’s too late.

I for one would be really pissed if I had a vested interest in this.

Why P2PE Is Pointless

Apparently an announcement was made at the PCI SSC’s Community Meeting in Nice that “European Payment Services (EPS), [is] the first company to have a solution listed…”, this according to Tenable’s Jeffrey Man in his new article ‘What’s Wrong with P2PE’.

I’m not going to go into why P2PE is dead from a PCI perspective, Jeff covered that better than I can, instead I’ll cover it from an innovation and real-world perspective that the SSC simply cannot / will not include in their presentations.

Why P2PE is pointless, and dead before it reached the gate:

  1. If you have read the P2PE assessment procedures (which were about 2 years too late in being released), you’ll know that they make the PCI DSS look like a nursery rhyme. EXTREMELY complicated, and ENORMOUSLY expensive to achieve certification. I was, however, very surprised that PED / payment terminal companies with significant resources (like VeriFone and Ingenico) didn’t get into a race to corner the market early, but now it makes sense.
  2. P2PE done the SSC’s way still requires PTS and SRED compliant payment terminals, which are massively expensive, and whose days are numbered. Mobile payments, and whatever comes next will, thankfully, kill retail’s reliance on payment terminals and bring secure, non-cash, payment capability to every merchant world-wide, no matter how small, or large and distributed.
  3. Chip & PIN (EMV) technology is tied to the terminals and to the use of credit cards, which along with payment terminals, are dying technologies. Credit cards are 60+ years old, and EMV was a very poor patch to fill a gaping hole in credit card security, so innovation will, and in some cases already has, replaced the need for both.
  4. Retailers are simply not going to make the massive investment in replacing their payment terminal estates before their end of life (EoL) just because of a possible reduction in PCI scope. And why would they then spend a fortune on expensive devices, tie themselves into a single service provider, as well as limit themselves to credit card transactions? Answer; they wouldn’t, not unless they’re irretrievably stupid.
  5. The entire payment space is finally recognising the fact that it’s bloated, inefficient, enormously outdated, and complex. Innovation will simplify it back to its basics, which is that it’s not ABOUT payments, it’s about authentication. I don’t care how I access my funds, whether they be debit or credit (both of which are provided by the bank anyway), I just want to do it whenever I want, wherever I want, and without risk.

Any protection the card brands provide related to fraud and consumer protection can be provided cheaper and probably better by the banks, and this, along with the demand for better customer service, will drive the banks to compete for our business as never before. Gone will be the days that they can act as though they are doing US a favour.

As for the SSC’s announcement, I can’t blame them for wanting to announce any kind of success, God knows the DSS v3.0 is nothing to write home about.