MAG Insights

Announcements from the MAG & Featured Articles

MAG Sponsor Spotlight

Denial is not a river in Egypt……..
By Peter Forbes

The recent exposure of card data, following security breaches at a number of retailers is just the latest in an unfortunately long line of such events.  Not restricted to small owner-operated stores, some of the most sophisticated and well run retailers on the planet find themselves in the press for all the wrong reasons.  For any who have been even tangentially involved in a data breach either as retailer, acquirer or technology vendor, the pressure is acute and unforgettable and this says nothing to the impact on our cardholder customers.

Despite the pain and anguish that everyone who has firsthand experience of a breach will share, the US remains as a ‘hesitant laggard’ in the adoption of the technology we all know can materially resolve the consequences of a breach.  The nation that created the card payment model, finds itself as the focus of organized and concerted attacks.  Now, nearly a decade after much of the rest of the card world made their defenses stronger and materially secured face to face card acceptance, we here in America are still pointing fingers at each other about what’s to be done.

But why, with such particularly clear evidence of the brand, reputational and financial consequences of a breach, do many retailers and those associations who speak for them, continue to suggest that US deployment of EMV should be delayed, postponed or abandoned?  This, of course, is a rhetorical question….we know that EMV is not perfect;  without a robust CVM (Cardholder Verification Method) at POS, like PIN, it only addresses part of the issue, of course, the debit routing opportunity for retailers is problematic and then there is the cost!  We in the US already pay high interchange costs and fees (for maybe the weakest infrastructure in first world countries) and retailers are close or beyond breaking point on their willingness to pay more.  We know EMV doesn’t stop or prevent breaches and it doesn’t replace the need for strong data security, but it does remove much of the value in card numbers and if done properly can reinforce confidence that cardholders need in the payments infrastructure

But – the truth is, the public have for a long time now believed that their card numbers are valuable, and they are voting with their pocketbooks against those who have a breach, almost regardless of the circumstances.  Whatever retailers might think or wish for, the press is not pointing the finger at the Card Associations or the banks but at the retailers.

It is becoming increasingly difficult for us as an industry to justify why we haven’t done what Nigeria (2010), Canada (2010), Brazil (2008) and Belgium (2005) have already done.

The questions of who pays, how much, lack of complete certainty over debit routing, number of cards in circulation or if it’s all the card scheme’s fault, are all very real – if you know someone who can successfully win all, or any of these arguments with a single cardholder, on the sales floor of any retailer in the US, please let’s find them!

We, as a retailer focused community, have to find a way to engage with the card schemes to make EMV work and we need to start real engagement now.

The retail community needs real leadership, for without it our cardholder customers will hold us responsible with ever increasing consequences.

My challenge is a call to action, for the retail community to organize and engage to make EMV come to life in the US.  It’s not the perfect solution, for sure, but the consequence of delay is severe.

There are many technical and operational issues that need to be discussed and whilst difficult, we must find a way to understand and mitigate the costs—none of these discussions are easy but today’s progress is modest and faltering at best.

We have to ground a decision about PIN – not just for debit cards.  We seem to have forgotten that a transaction should have 2 things as a minimum — evidence you have the card, and evidence you have the cardholder.  If security and trust of our cardholders is important, then I don’t see how today’s muddle of signature, no signature and sometimes PIN will ever be good enough.  Without a strong CVM, I think we risk missing this chance to secure the confidence of cardholders that we are looking out for them as they deserve.

The card associations have reaffirmed their commitment to the liability shift dates; they have made no mandate on retailers.  The ball is being put at the feet of retailers.  Are we being led like lambs to the slaughter……?

How retailers engage – now – can make all the difference – Time for leadership is now.

Peter Forbes was, for 17 years, a retailer at one of Europe’s largest chains.  He was responsible for EMV deployment at the retailer and sat on the Retailers’ Trade Association in the UK and on the UK National Steering Group for EMV, formed of retailers, banks and card associations.  He helped draft the anti-competition case against VISA/MasterCard in UK/EU.