MAG Insights


What’s Up in Washington: Merchant Truths About EMV & Data Security (MAG Quarterly - Volume Three, Issue Three)


By Liz Garner, Vice President, Merchant Advisory Group


September 3, 2015

With the October 1 EMV liability shift dates looming for most merchant point-of-sale environments, there has been an increasing amount of rhetoric surrounding EMV and data security in Washington. In early August, the MAG agreed to serve on a data-security-focused panel along with representatives from the White House, consumer groups, and the American Bankers Association. In front of a full room of legislative and regulatory staff, we took the opportunity to proactively address where the merchant community is today on EMV. We will continue to engage with these groups and the media over the next several months as EMV is rolled out in the U.S.

With all the back and forth about EMV in DC, we felt it would be timely to put together a few Merchant Truths about EMV and data security:

Merchants care deeply about data security, especially payment card security.  Security is a brand and customer experience issue for us. The average person will be hard-pressed to tell you how many Visa or MasterCard cards were breached last year, but most can tell you the name of a retailer, bank, or technology company that was breached. We want to do everything we can to foster a better, more secure system. The US is the eyesore of global payment card fraud, and that MUST change for continued US business growth and consumer confidence.

Merchants support a multi-pronged data security strategy. While some merchants will be focused primarily on supporting EMV smart card transactions in the coming months, some will be more focused on other security strategies, such as rolling out their own tokenization and encryption solutions. Different merchants will prioritize these technologies in different ways based on what makes the most sense for their industry vertical. For example, Internet merchants will focus more on tokenization efforts than EMV because EMV only helps mitigate brick-and-mortar counterfeit card fraud.

Merchants support holistic approaches to all of these security technologies. For example, the card network version of tokenization lacks some of the most efficient and security-enhancing features that both merchants and acquirers have built into their own tokenization solutions, such as the ability to support tokenization of all payment products being used at the merchant instead of just a select few network-branded products. The same is true for EMV transactions, where the card brands fail to include the added security of masking or tokenizing the physical card number where it’s stored on the chip.

Merchants want to solve payment card security just as badly as financial institutions, if not more. Merchants do not get a payment guarantee on credit and debit card sales. For in-person or card-present transactions, issuers bear about 60% of fraud losses while merchants bear about 40%, according to the July 2015 Nilson Report. There is a chargeback process whereby the issuer can ask the merchant for signature proof of the card-present sale. Merchants don’t have the ability to capture signatures in environments with unattended terminals, such as fuel pumps, or for Internet and mobile commerce sales where the transaction is treated as a card-not-present sale. On these transactions merchants bear almost the entirety of fraud losses. Even in an EMV environment, we have significant concerns that it will be possible for thieves to use counterfeit chip cards to do a magnetic stripe transaction, resulting in the same fraud landscape we face today. In addition to brand and customer protection, merchants have a strong financial incentive to protect against fraud.

Merchants believe EMV is one step toward protecting US businesses and consumers against payment card fraud, but the US version of EMV is not the best platform available and not the true international standard. One of the primary drivers of fraud reduction in the international deployments of EMV is the coupling of multi-factor authentication (or a PIN) with the Chip on both credit and debit cards. Failing to deploy the model that has been so successful in Europe, the UK, and other countries makes no sense. EMV deployment in the US is only a partial solution that will not do anything to address lost & stolen card fraud or card-not-present Internet and mobile transaction fraud for U.S. cardholders. Not only will this create customer use issues for international visitors to the U.S. and U.S. citizens traveling abroad, but it’s also shortsighted from a global fraud reduction standpoint. According to the July 2015 Nilson Report, “the US accounted for 48.2% of gross card fraud losses worldwide while generating only 21.4% of total global purchase and cash volume.” US fraud reached 12.75 cents per $100, while fraud losses in all other regions combined were 3.73 cents. Meanwhile, domestic-only PIN-based debit networks worldwide had the lowest fraud as cents per total volume at 1.30 cents per $100. With such low fraud rates on PIN, it simply doesn’t make sense for US issuers not to PIN-protect EMV credit and debit cards.

Merchants strongly prefer PIN-enabled products because they provide enhanced security options for businesses and consumers. As noted above, retailers prefer PIN-protected products because there are lower fraud losses on PIN transactions, since PINs add a second layer of security to authenticate that a cardholder actually owns the card they are presenting for payment. Also, since the US is one of the last countries in the industrialized world to move to EMV, we have platforms here that support PIN acceptance on the Internet. In the US marketplace, we have a tremendous opportunity to solve the problem of fraud migrating to the Internet with the deployment of EMV, and we’re unfortunately not doing it. Additionally, the most recent Pulse Debit Issuer Study from August 2015 continues to support what previous studies, including Federal Reserve issuer data, show, which is that fraud losses are 7 to 8 times higher on signature debit than PIN. It’s baffling that issuers aren’t more bullish on PIN when the Pulse Debit Issuer Study reinforces that “regulated issuers [those with $10 billion in assets or greater who are covered by Reg II] continue to see higher margins on PIN transactions than on signature transactions, driven by the lower cost structure and comparable interchange revenue.”

Merchants believe issuer decisions to not PIN-enable EMV are driven by business rationale, not security. With several sources showing that fraud losses on PIN transactions are significantly lower than signature, it’s difficult to understand why issuers aren’t more supportive of PIN-protecting products from a consumer protection standpoint. If PINs are the standard for accessing money at the ATM, why aren’t issuers more inclined to add the same increased layer of security on all payment cards so that the option to ask for it is there if the merchant believes there’s a high risk of fraud on the transaction? One answer we’ve heard several times is that PIN has the potential to create consumer friction, which could result in other payment products being more favored by consumers. It’s hard to imagine this will be the case in an environment where most users manage their ATM PINs without any problem, and lock their smartphones with a four-digit PIN. That said, we are certainly sensitive to the bank argument: if they think adding a PIN to EMV products could negatively impact their business, issuing PIN-protected cards is a difficult business decision to make. But we would maintain that it’s just that – a business decision – and not a decision based on consumer security. Additionally, very few of the credit card issuers have the current capacity to support PINs on credit, and the technology upgrades to do so by the banking industry, while necessary for innovation, will likely be expensive.

Merchants believe the network decision not to require issuers to enable PINs on EMV in the US is driven by efforts to maintain current market share. EMV is a network-driven initiative. EMV literally stands for EuroPay, MasterCard, and Visa. EMVCo, which creates the specifications around EMV chip card acceptance, is governed by six global signature card brands, the majority of which have a vested interest in preserving the signature card model because of the more limited competition in the signature transaction space. For example, two global brands – Visa and MasterCard – control roughly 99% of all signature debit transaction volume in the United States. Many merchants feel the network plans for EMV in the US are driven more by their desire to maintain market share than to provide better products with stronger security and consumer protections.

Most merchants will have terminals installed for EMV. While some merchants were having difficulty getting EMV equipment a few months ago, it sounds like much of the bottleneck demand for hardware is finally being met. Meanwhile, a recent survey found that only 1 in 10 Americans have a chip card in their wallet today. Globally, the EMV card issuance rate is between 40 and 50% while the merchant terminal adoption rate is between 80 and 90%, and we’re likely to see similar trends over time in the U.S. market. All of this EMV hardware should have the capacity for a merchant to program PIN acceptance.

Merchants may not all be able to turn on EMV acceptance by October 1st. If you’re a consumer with a chip card in your wallet, you may have already used it at a US merchant. It’s true that some US merchants have begun testing EMV acceptance, and that a few large merchants are on track to be fully EMV-ready by October; however, merchants and other stakeholders have faced several challenges in trying to activate their EMV point-of-sale terminals. One challenge is that some major equipment providers haven’t certified their machines yet for EMV acceptance, so merchants with certain hardware may not be able to turn them on for EMV acceptance. The delay is not the fault of the equipment providers, but rather a hesitancy by the global card networks that govern EMV to create an application whereby domestic PIN debit networks would become accessible on EMV transactions, which is important to competition and the viability of domestic US debit companies, and is also required by US law. After several months of deliberations on how the market would support this requirement, the global brands only began to open up the product in early 2014, but it took another several months for the PIN debit networks to sync their programs and processes with the technology. These delays have had a major impact on the ability of merchant acquirers and processors to bring a full product to market. Before any product goes live, acquirers generally do product field-testing and certifications with their merchant clients, and the timing of these has been severely impacted due to the delay by the global card brands. Opening up the technology 18 months out from the liability shift may seem like a long time, but that 12-to-18-month rollout time is the average come-to-market timeframe for any large retail technology project, and that’s after the technology specifications and hardware & software programming needs are fully known to the retailer & their acquirer. In the case of EMV, several of the specifications were only released over the summer, and we’re still awaiting a full contactless (tap or wave technology) specification. There may still be some small merchants accepting EMV, but they are likely set up to only accept the global card brands, and as a result, are only seeing limited reductions in fraud, while paying some of the highest fees for card acceptance.

Merchants from certain industry verticals may not adopt EMV in the short term, which may make more sense if other security technology deployments are more cost effective for their business. As noted before, not every merchant in the U.S. will focus on deployment of EMV this October. Several verticals that are more focused on mobile and e-commerce as part of their overarching payments strategy will be looking at alternative security technologies, such as encryption and tokenization. EMV deployment is an extremely expensive proposition for merchants. Javelin Research estimates that merchant deployment costs are upward of $6 billion compared to just under $2 billion for issuers, so with the partial solution being rolled out in the US that doesn’t help alleviate lost & stolen fraud, Internet fraud, or mobile payments fraud, there is a limited perceived return on investment for merchants who operate in low-risk environments with low levels of card-present fraud.

Merchants have significant concerns about the consumer impact of EMV. Since US networks and issuers are not implementing a single type of EMV card like most of the rest of the world, EMV has the potential to create significant customer confusion at the checkout. The different versions of EMV in the US, coupled with longer transaction times associated with the technology, will increase the time in lane for US consumers. Additionally, the US failure to implement the international default standard of Chip & PIN will result in confusion for tourists traveling to the US who may have to use their cards differently here. Most important, however, is that the media has largely portrayed EMV as a silver bullet against payment card fraud, and that is absolutely not the case. EMV is an improved technology over the disco-era magnetic stripe cards we have today, but the US implementation will only primarily address in-person counterfeit fraud. True payment card security demands a multi-pronged strategy.

Conclusion:
The bottom line is US payment system stakeholders need to start PIN-protecting EMV cards and other financial products and devices as a fraud deterrent. If a thief knows a merchant is going to ask for a second layer of security and they don’t know that data point, they are less likely to try to commit fraud in the first place. Even just the possibility of the merchant asking for a PIN can serve as a strong deterrent to theft. Take for example the way Australia has recently rolled out PINs on credit cards. The PIN is required on most in-person card transactions other than those that are under a $35 threshold. So for a low-risk transaction, such as a customer going through a fast food drive-thru around noon, the merchant isn’t forced to ask the cardholder for a PIN, but if that same transaction happens at midnight and is a much higher fraud risk, the merchant has the flexibility, if a PIN is on a product, to ask the customer for it.

The Administration, through the Executive Order issued last October, has taken tremendous strides to try to get the US market to embrace PIN-protected EMV products. As a result, the State Department and some other federal agencies have begun to issue Chip and PIN credit cards to employees. It’s time for the private-sector banks to catch up and realize the need to follow in their footsteps to issue the most secure financial products available to US consumers.