By Liz Garner, Vice President, Merchant Advisory Group
December 1, 2016
This Fall, the Federal Reserve Board made a very important clarification on legal routing requirements for EMV transactions. The Durbin amendment network routing competition provisions, which are carried out under Regulation II, require at least two unaffiliated networks be made available on a debit card or access device. This law is critical to ensuring merchants have choice and competition for network routing services – such choice and competition makes the payment system more efficient, lower cost, and more secure for businesses and consumers.
The Federal Reserve updated their Frequently Asked Questions (FAQ) on Regulation II to include the following the language, which prohibits a card network, directly or indirectly, from taking the EMV application selection out of the hands of merchants. Network rules and requirements resulting in the “Visa debit” vs. “US debit” EMV deployment screen are a clear violation of existing federal law. The FAQ also makes clear that a payment network cannot require a merchant to deploy a PIN bypass “credit/debit” checkout screen as an alternative to the other screen because forcing a merchant to deploy a customer-facing screen that has the potential to limit routing choice (in this example, the selection of “credit” only accesses the Global AID where only a single network is present) is a Regulation II violation.
Additionally, it is our interpretation that for digital wallets, any use of biometric CDCVM on the hardware that limits routing to only the Global AID is a Regulation II routing violation. As such, the Fed’s clarification has major positive implications for competition in the digital commerce space. Q4. After a debit card with an EMV chip is inserted into a point-of-sale terminal, some terminals prompt the cardholder to choose between applications, one that routes to at least two unaffiliated networks and another that routes to a single network. Does a payment card network comply with section 235.7 of Regulation II if it requires the merchant to allow the cardholder to make the choice of EMV chip application, one of which routes only to a single network?
A4. No. Section 235.7(b) of Regulation II implements the requirement in section 920(b)(1)(B) of the Electronic Fund Transfer Act that a "payment card network shall not, directly or through any agent, processor, or licensed member of the network, by contract, requirement, condition, penalty, or otherwise, inhibit the ability of any person that accepts or honors debit cards for payments to direct the routing of electronic debit transactions for processing over any payment card network that may process such transactions." A payment card network inhibits a merchant's ability to route electronic debit card transactions if it, by network rules, standards, specifications, contractual agreements, or otherwise, requires the merchant to allow the cardholder to make the choice of EMV chip application on a debit card, where one application routes only to a single network. Such a requirement is not compliant with section 235.7 of Regulation II because it prevents the merchant from directing the routing of electronic debit transactions. (Added November 2, 2016) http://www.federalreserve.gov/paymentsystems/regii-faqs.htm Next Steps:
The Federal Reserve has enforcement authority over financial institution compliance with Regulation II; meanwhile, the Federal Trade Commission (FTC) over payment card network compliance with the regulations. Now that the Federal Reserve has clarified what specific network rules and technology deployments are against the law, it is critical that the Federal Trade Commission take action to enforce a change. Just prior to the Thanksgiving holiday, the Federal Trade Commission announced it was closing an ongoing investigation into the matter pursuant to Visa rule changes related to EMV deployment in the United States. The Visa rule changes are available at https://www.visa.com/chip/personal/security/chip-technology/index.jsp
Now that Visa has announced rule changes, merchants will be monitoring how these changes come to market, and will also be looking to Visa to answer what chargeback liability relief and other protections will be guaranteed to merchants who undergo the process of removing previously deployed checkout screens that are not compliant.
One way currently deployed EMV solutions could become Regulation II compliant would involve the EMVCo brands opening up the Global AID on the EMV Chip Application to all US domestic debit networks. Such a move to open up the proprietary EMV technology would help foster innovation and global interoperability. The History:
The Durbin amendment debit reforms have greatly increased competitive network options on every debit card benefiting businesses and consumers. Prior to debit reforms, Visa and MasterCard were leveraging their signature network relationships with the largest issuers to gain a competitive advantage over domestic PIN debit networks. The result is that 40 to 50% of the debit card market had exclusive network arrangements1
and 79% of Visa’s volume from their top 10 issuers was derived from exclusive deals.2
These exclusivity arrangements created an unfair playing field for domestic US debit card networks, increased the cost of card acceptance3
for merchants due to less competition on each transaction, and decreased the volume of transactions that were running over more secure4
domestic PIN debit networks. While routing competition legal protections helped create a more competitive landscape for magnetic strip transactions, some major technology and rule hurdles emerged with the deployment of EMV in the U.S.
One feature of the U.S. EMV deployment that surprised several merchants was a default EMV equipment & software setting that resulted in an extremely confusing customer-facing prompt screen that requires debit cardholders to select the EMV Application over which to send the transaction. For example, on many Visa debit cards, the checkout terminal displays a screen that has the customer select either “Visa Debit” or “US Debit.” Many merchants were told they could not alter or remove the screen, or that doing so would further delay implementation leaving their business vulnerable to EMV chargeback fraud losses. These unnecessary and confusing screens would not have been an issue if EMV was based upon open, standards-based magnetic stripe technology. Under such an approach, all networks with which the card-issuing financial institution participates, would have been available on the EMV Application Global AID as explained below. Instead, the owners of EMVCo demanded that US domestic debit networks be segregated onto different technology and required them to license an AID on the EMV Chip Application ID under restrictive terms; this segregated technology is referred to as the Common AID. This resulted in two separate AIDs being available on EMV Chip Application IDs; they are referred to as the Global and Common AIDs.
This set-up 1) resulted in superfluous point-of-sale (POS) and ATM terminal customizations; 2) to our knowedge is different from any other deployment in the world; and 3) creates major concerns about whether or not domestic debit card networks will be able to compete fairly on both physical cards and digital EMV transactions. Furthermore, domestic debit networks are forced to license from the EMVCo brands that control the EMV Chip Application the right to be a routing option for physical and digital transactions. This licensing dynamic gives the EMVCo brands discretion over whether to extend availability of additional authentication methods like biometrics to the Common AID.
On the below screen, when a customer selects “Visa debit” the only way the transaction can be routed is through the Global AID where the only routing option available is Visa. The majority of the time this transaction will lead the customer to sign for the sale. When this happens it eliminates the customer’s choice to get cash back at the POS, and it leads to a less secure signature transaction authentication instead of a much more secure PIN. If the customer selects “US debit” the transaction can be routed to any network available on the Common AID, which includes all available domestic debit networks and Visa. While the Common AID can be accessed through a customer signature, the majority of the time, the customer will enter a more secure PIN for the sale.
These screens are problematic for several reasons. First, any time only the Global AID is read by the point-of-sale machine, there is only one network option or “pipe” for sending the transaction. In the above example, that only option is Visa. Setting up point-of-sale equipment in such a manner diminishes the value of having routing alternatives on a debit card as a back-up way to route the transaction if a particular network is down or compromised. Furthermore, these screens add an unnecessary and confusing step for the consumer, as well as many checkout clerks, at the point-of-sale.
“Fed Plan Raises Debit Issues Galore.” American Banker. December 2010.http://www.americanbanker.com/bulletins/debit-issues-galore-1030247-1.html?zkPrintable=true 2 “Rewriting the Transaction Routing Rules.” Digital Transactions. January 2011.http://www.digitaltransactions.net/news/story/Rewriting-the-Transaction-Routing-Rules 3 Per 2015 Federal Reserve Interchange Survey Data, Signature (dual-message) interchange rates are higher for all transactions (exempt and covered) https://www.federalreserve.gov/paymentsystems/regii-average-interchange-fee.htm 4 http://www.federalreserve.gov/paymentsystems/files/debitfees_costs_2013.pdf