CCCA: 5% chance that 5% of Network EBIT could be affected (in 2+ years)

Posted on by

Update to my 2023 blog on CCCA Complex Politics and Consequences. I’ve spent the last few weeks digging into the latest bill and I see an overstatement of potential impact that most analysts seem to have missed:

  • Bi-lateral pricing with top retailers (ie Costco, WMT, AMZN, …etc)
  • eCom dependency on DPAN and Auth (no one wants detokenization in eCom) 
  • Contactless volume is off the table

Here is the bottom line for my fellow payments nerds: politically, this is a shot across the bow to the banks. But technically? It’s a mess that will likely result in a 5% chance that 5% of EBIT is affected in two-plus years.

In my view, Trump’s support for the bill is essentially a warning to banks to help consumers with rising costs. No elected representative wants to be the one who “killed credit card rewards” in an election year. Or for spending political capital on something that won’t impact the market for 2+ yrs. Swipe fees equal card rewards; that’s a fact, and the lobbyists are primed with that message.

The Durbin Amendment was a “failure” (see this Fed Paper). With massive impact to the cost of retail banking. Lack of debit revenue for banks meant banking fees went up (while merchant savings weren’t passed down). Congress knows this, and republicans are wary of anything aligned with Senators Warren and Durbin.

Let’s discuss 3 key areas that drive a significant reduction in volume at risk

  • Merchant owned liability  (no more card present)
  • Tech/Tokenization (NFC and eCom will stay network dependent)
  • Large Merchant Bi-laterals 

Merchant Liability – No More Card Present

While CCCA provides the legal right to route transactions elsewhere, it does not provide a legal shield for the fraud liability that typically follows a raw PAN transaction. Thus, if a merchant chooses to route away from the primary network to a “no-name” alternative, they’re essentially dealing with a raw PAN, for which they will assume liability for (no more card present rates). As discussed in my previous blog, detokenization means stripping out the vital information merchants need for fraud management and declines (see Tokens and Binding for more detail).

For the “long-tail” merchants (the 95% who lack in-house fraud operations), this bill is a non-starter. They won’t take advantage of it because they can’t afford to lose the liability shift provided by network tokenization (DPANs). If they route over a “cheap” alternative network and a transaction goes sideways, they own the fraud. Most small-to-medium businesses would rather pay the premium for peace of mind and higher authorization rates.

The real action will be at the top. The largest merchants (the Walmarts and Amazons of the world) who already have massive investments in fraud and risk controls will likely move toward Selective Routing. Here’s the play: they’ll route repeat, low-risk customers through low-cost alternative networks, stripping the proprietary tech because they already know the customer. For new, high-risk customers, they’ll stick to the existing DPAN rails to leverage the network’s fraud protection and liability shift. It’s a sophisticated “risk-based routing” strategy that the vast majority of merchants simply cannot execute.

Note that the hedge in enterprise merchant action on CCCA is bilateral pricing. Thats our last section.

Why eCom and Contactless are “Out of Scope”

Even if the CCCA passes (5%), the impact on Visa and Mastercard is being overstated by the street. The bill says issuers and networks can’t mandate specific security or tokenization tech. This means detokenization (at no cost). Fine. But merchants depend on DPAN (Token) technology for lower fraud and higher authorization rates.

A bit more of a recap on the tech (experts should skip this). 

Routing Complexity

Routing a standard EMV card-present transaction is relatively straightforward because the physical chip can support multiple “Applications” (AIDs) for different networks. However, contactless (mobile wallets) and eCommerce are vastly more complex.

Network Provisioning in Wallets: In mobile wallets like Apple Pay or Google Pay, the card is not just a digital image; it is “provisioned” as a DPAN (Device Primary Account Number) directly into the device’s secure element, This provisioning is a three-way handshake between the Wallet Provider, the Issuing Bank, and the specific Network (e.g., Visa or Mastercard). This best in class credential issuance leads to best in class fraud rates and authorization rates. Merchants could detokenize this DPAN, but all that magic goes away, auth rates go down, merchants own the fraud, and it will likely take longer to get the auth (if it happens).

DPANS are sticky. While US banks forced MA and V to provide a separate token vault, the security keys that go along with the token are the domain of the network. After all, what is a network if it can’t control the authentication of participants, instruments, and messages? Thus, if a merchant receives an MA DPAN, only the MA network (in coordination with the issuer) can “detokenize” it to verify the transaction. 

CCCA does not mandate that a competing network (like a smaller PIN debit network) validate a MA cryptogram, rather is says that the network/issuer can’t mandate security (ie must provide detokenization). See (Debit, Routing, Tokens and Liability Shift and Tokens and the Trojan Horse)

Detokenization Equals Merchant Liability

“Detokenization” would strip the network’s authentication in exchange for the raw PAN, and route it over a cheaper network.  However, this creates a major dilemma for merchants:

  • Loss of Authorization Rates: Transactions processed with network tokens (DPANs) typically see significantly higher authorization rates. This is because issuers trust the cryptogram and the “assurance data” that comes with a network token
  • Loss of Liability Shift: For any transaction (CP or CNP) routed to an alternative network. The best way to summarize this is that Networks own the authentication of participants, instruments, and messages. There is no interoperability, nor does CCCA require it. Thus, detokenization means stripping off all the auth, with the merchant assuming all the fraud risk
  • Degradation of Authorization Response Times. Detokenization and alternate routing take time. This could impact both card present and CNP. 

This detokenization, particularly in eCom is a proven loser for new customers (see Understanding Merchants – Card on File). For example, all of ApplePay’s customer experience, elimination of fraud, and liability shift to Issuers exchanged for 5bps? Thus merchants find that the reduction in fraud and improved conversion rates provided by DPANs and network tokens far outweigh the marginal savings they might gain from least-cost routing. The small exception could be loyal customers, at large merchants where merchants maintain both card on file and substantial fraud/routing infrastructure. In this model, someone like Target really would use the card at the POS as a customer identifier for their existing card on file, and process in a similar fashion to their RedCard decoupled debit.

Bi-lateral Deals: “Costco Defense”

While I don’t know the terms of the bilateral deals, it is my view that Top 6 merchants covered by bi-lateral pricing arrangements (45bps-55bps) would be excluded from dual routing (per their agreement). See my blog When Merchants Get Leverage, and RIP MCX how JPM negotiated away interchange to 45bps at Target and Walmart to get a foothold in MCX). These bilateral deals likely cover over 30% of total volume, making that volume LIKELY immune to the CCCA’s “competition”.

Take Away

When you strip away the political theater, you’re left with a massive implementation nightmare. We’re talking about an 8-year timeline to normalize infrastructure across all networks and potentially re-issue every EMV chip in the country.

For the banks, this is a headache. For V/MA, it’s a slight headwind. But for the industry? It’s a reminder that in payments, the “Unicorn” networks are the ones holding the keys to the identity and authentication infrastructure of the internet.

The technology hurdles surrounding the Credit Card Competition Act (CCCA) center on the conflict between least-cost routing and the proprietary security infrastructure that merchants rely on for modern commerce. While the CCCA attempts to mandate network choice, it faces significant friction due to the benefits networks provide,

Please Login to Comment.