MAG Insights

What’s Up in Washington – Why we shouldn’t be politicizing EMV (MAG Quarterly – Volume Three, Issue Two)


By Liz Garner, Vice President, Merchant Advisory Group

June 4, 2015

There has been a fair amount of finger pointing between industry stakeholders as to whose fault it is that EMV is not likely to become a widespread reality in the US this year. Regardless of where the blame falls, we cannot afford to shy away from reality. The truth is that several market stakeholders have fallen short of providing the infrastructure necessary for the US to be fully EMV implemented by the October liability shift timelines. 

At the MAG February 2015 conference, we took an informal poll of the merchant membership. There will be some merchants who fully implement EMV acceptance by the October 2015 liability shift, but many will not – and not for lack of trying. For those merchants who are actively looking to implement EMV in the short term, there are three major shortfalls: 1) limited perceived return on investment, since two-factor authentication (i.e., PINs) will not be available on all issuer products; 2) missing debit card specifications; and 3) inadequate timelines (which also relates to item #2). Missing debit card specifications also have major implications for preservation of merchant routing rights under the law, as required by the Durbin amendment to the Dodd-Frank Wall Street Reform and Consumer Protection Act.

As we look at these barriers to October implementation, it is important to note that the initial timeline of four years to EMV implementation was completely unrealistic – a view many merchants have conveyed all along.  Case in point, EMV implementation has taken countries like Canada – whose financial system is one-tenth the size of the United States – at least twice as long.  And now, the US is faced with a new reality of not having the necessary specifications to move forward with programming for full EMV implementation; whereas, in countries such as Australia, retailers were given the specifications to upgrade and program their point-of-sale hardware and software for EMV at least 24 months prior to the implementation deadlines.

“Full” implementation is the operative word when looking at merchant EMV readiness. Over 95% of MAG members surveyed said EMV was a much more expensive and complex project than other point-of-sale or technology initiatives. Couple that with a perceived limited ROI, especially where merchants are more focused on other fraud prevention tools, such as tokenization and end-to-end encryption, and it is extremely difficult for many businesses to prioritize EMV implementation in the technology queue – much less for multiple different phases. It is highly likely that some merchants will choose to wait until full debit specifications and contactless EMV specifications are at market before testing and certifying to take EMV live in their stores. 

There has been a fair amount of finger pointing between industry stakeholders as to whose fault it is that EMV is not likely to become a widespread reality in the US this year. Some on the card network and issuing side blame the complexity of adding a common chip application to debit cards, but many merchants and acquirers will note that the necessity of enabling such options on EMV was raised as early as 2012, shortly after the card brand EMV roadmaps were released. While a rollout of debit EMV certainly may have been easier without legal US requirements to enable competition on EMV debit cards, it would have been detrimental to many of the lower cost, more secure PIN debit networks in the US. Prior to the Durbin amendment routing requirements, which state that two unaffiliated networks must be available on each debit card issued in the US, Digital Transactions notes Visa and MasterCard had PIN-debit exclusivity deals with Bank of America, Wells Fargo, US Bank, TD Bank, Regions Bank, Citibank, KeyBank, H&R Block, Comerica, and Capital One. The article also notes the percentage of top ten issuers’ volume from exclusive contracts was 79% for Visa and 35% for MasterCard.[1] One can only imagine a US EMV landscape where PIN debit network availability is not required by law.

So what role should the government play in this debate?

First and foremost, payment system stakeholders should not feel that the issue will be politicized if they seek to have an open and honest dialogue to educate the public, including lawmakers, on recent market developments and some of the challenges of EMV migration. It is in every system stakeholder’s best interest to contemplate the deployment of several fraud prevention technologies in an effort to remove excess fraud from the US payments system. However, we cannot afford to shy away from reality. The truth is that several market stakeholders have fallen short of providing the infrastructure necessary for the US to be fully EMV implemented by the October liability shift timelines. That said, EMV implementation is not mandated for issuers or merchants by state or federal law, and I think most stakeholders agree that a technology mandate may not make sense in this space at this time. There is, however, growing customer expectation that these cards will be widely distributed to the US population and widely accepted in stores. There has been state legislation introduced, namely in California in 2014, that contemplated such a mandate, but it failed to garner consensus support.

Additionally, several data breach notification bills have been introduced in the U.S. Congress, and one has even passed out of Committee in the House, while others continue to gain momentum in the Senate; however, none of those bills are focused on fraud prevention. Rather, they look to mitigate harm and ensure adequate consumer notification after a breach has occurred instead of focusing on how we take fraud out of the U.S. payments system, which is currently the leader in total global card fraud at just under 50%. No federal or state legislation is imminent, but payments system stakeholders should use the lessons from EMV migration to help move the US toward open standards development for other fraud prevention technologies, such as tokenization and end-to-end encryption so that the needs of all stakeholders are met, timelines are realistic, and the platforms on which these technologies are integrated are open to competition from multiple supplier platforms.

The Federal Reserve Board and Federal Trade Commission do have existing authority to ensure network routing options remain available to merchants, as required by law. As such, strict oversight of routing options on EMV and other new US market products should be expected and action should be taken where any violations occur, especially if there is a cost shift/incentive (i.e. shifting counterfeit fraud liability to merchants) resulting from the utilization or lack of utilization of these technologies and transaction types.

Should the Federal Reserve want to go one step further, it does have existing authority to help determine what specific fraud prevention technologies should be contemplated by the issuing community in order for covered issuers to qualify for the one-cent fraud prevention adjustment interchange revenue under the Durbin amendment. In the legislative text, the Federal Reserve is charged to take into account, amongst other items,

“the extent to which the occurrence of fraud depends on whether authorization in an electronic debit transaction is based on signature, PIN, or other means.”[2]

Chart 1 below, from the Federal Reserve’s own data collection survey, demonstrates how much more secure a single-message transaction (PIN debit) is compared to a dual message (signature debit) transaction. To put this into perspective, according to earlier Fed data, “of the approximately $1.34 billion estimated industry-wide fraud losses, about $1.11 billion of these losses arose from signature debit card transactions and about $181 million arose from PIN debit card transactions.”[3] This fraud landscape is one of the biggest reasons many merchants are so bullish on wanting EMV products to be PIN-enabled.  Read more about the MAG perspective on multi-factor authentication in our recent Washington Examiner opinion piece available at http://www.washingtonexaminer.com/how-the-u.s.-can-stop-credit-card-fraud/article/2563765.

The Federal Reserve Board of Governors survey (chart 2) also shows that the three parties who bear the majority of US payment card fraud losses are merchants (38%), cardholders (2%), and card issuers (60%). Nowhere are any fraud losses by the payment card networks themselves accounted for. This dynamic truly demonstrates a need for US issuers and merchants – the primary owners of system fraud losses – to work together to move toward better and more secure technologies instead of pointing fingers and politicizing the issue of who is or isn’t ready to deploy EMV. Hopefully, strides can be made through open, free market collaboration in this space, and lessons will be learned as we contemplate the path forward for tokenization standards in the US, whereby those stakeholders most directly impacted by fraud have equal representation in determining operating rules and standards for the baseline of these newer fraud prevention technologies.

Chart 1: Level and composition of fraud losses as a share of transaction value in 2013, by transaction category[4]


Chart 2: Composition of fraud losses in 2013, by transaction category and fraud type[5]

 

 


 

[1] Daly, Jim. “Re’-writing the Transaction Routing Rules.” Digital Transactions. January 2011.

 

[2] 124 STAT. 2070. PUBLIC LAW 111–203—JULY 21, 2010

 

[4] 2013 Interchange Fee Revenue, Covered Issuer Costs, and Covered Issuer and Merchant Fraud Losses Related to Debit Card Transactions.  Federal Reserve Board of Governors. September 2014.

[5] 2013 Interchange Fee Revenue, Covered Issuer Costs, and Covered Issuer and Merchant Fraud Losses Related to Debit Card Transactions.  Federal Reserve Board of Governors. September 2014.