Perfect Authentication… A Nightmare?

This question is very similar to the story above on EMV. The engineer in me recoils at the thought that a sophisticated technology (which decreases risk), would not be welcomed within a market. To understand WHY, you must answer the question: WHO benefits from the risk reduction? If your business is risk management, and someone takes risk away, what is your business?

You need to login to view this content. Please . Not a Member? Join Us

CEO View – Battle of the Cloud Part 5

There is a payment cluster war going on right now and it is the subject in the C Suite in Banks and the Payment industry. The battle is happening at every level. I’ll be leading a panel at Money 2020 which addresses several of these items, with participation from V/MA… should be interesting. Here are a few updates.

You need to login to view this content. Please . Not a Member? Join Us

EMV Battle Impacts Mobile Payments

20 September

Most of everyone knows of the EMV efforts in the US, with Visa implementing a liability shift on October 1, 2015. In this model, any merchant that is presented with a chip and pin card, but is not capable of processing it (as an EMV), will bear fraud loss.  There have been very BIG swings in strategy over the last 6-8 months. The big issuers were all dead set against EMV.. saying they could not afford the cost to re-issue. Now all are on board… why? This is what I’m thinking about today….

Merchants have always loved PIN Debit (see blog). PIN was the cheapest transaction type prior to Durbin, and post Durbin PIN still has the unique advantage of allowing the merchant to route without going to Visa at all. Remember PIN Debit leniage was from ATM networks. Merchants also like the fact that 96% of PIN Debit fraud losses are assumed by issuers..

Visa/MA hate PIN Debit.. the countries where it has taken off like Canada-Interac, Australia EFTPOS, China Union Pay… have domestic clearing networks. This means that transactions are no longer routed through Visa/MA. In the US we have 8 debit networks (see blog). It makes little sense to continue all of these separate PIN debit networks if merchants can route directly to banks… The banks were thus looking at consolidation similar to what was done in countires above. In other words, banks were planning to take Debit back from Visa/MA in a bank owned network. After all, Bank margin improves in the PIN model (post Durbin) when payments are routed directly to them (they don’t pay a network fee ~10 bps).

Visa read the tea leaves… So how can Visa/MA stop the bank and merchant love affair w/ PIN? Force EMV…

The Merchant Stick? How will Visa “force” merchant’s to accept contactless? (See Visa Document)

Domestic and cross-border counterfeit liability shift. Merchants that cannot accept an EMV or contactless card when presented one by a customer will bear the liability of a fraudulent transaction instead of the issuer after October 1, 2015.

The Merchant “Carrot”?  Visa TIP program

TIP program allows merchants to be excused from validating their PCI DSS compliance for any year that at least 75 percent of their Visa transactions come from chip-enabled point-of-sale terminals. There are also subsidies for terminal upgrades … To qualify, terminals must be enabled to support both EMV contact and contactless chip acceptance, including mobile contactless payments based on NFC technology. Contact chip-only or contactless-only terminals will not qualify for the U.S. program

Visa’s effort to include contactless in the TIP program is very strategic. To gain the benefits of TIP, merchants must reterminalize with both contact and contactless EMV capability. Why? Well for one reason there are no contactless debit cards out there… yes everything is a credit card. These of course carry much higher fees… The other advantage of TIP is that the PCI-DSS wavier is like a “get out of jail free” card. Merchants can’t get the card without contactless… If this weren’t enough… not only does VISA want contactless.. they also want signature.

Visa says PIN not necessary – Green Sheet

“There’s a lot of confusion around the myth that EMV means ‘chip-and-PIN,'” Stephanie Ericksen, Visa Head of Authentication Product Integration, said in a blog published Jan. 13, 2012. “It doesn’t in many countries, including the U.S. That’s because, in the U.S., we can rely on online processing where transactions are transmitted in real time to the issuer for approval. With that in place, there’s no need for the offline authentication that was the genesis of chip-and-PIN.

From Chip and PIN to Chip and Choose? Visa wants  encourage signature as these transactions must be routed through them.. my position (and that of most non network people) is that AUTHORIZATION and AUTHENTICATION are completely different problem sets. The availability of real time approval means nothing if you don’t know WHO you are approving for WHICH CARD.  PIN answers the “who” question and the chip is the account number or “how” you are going to pay. I just can’t believe that Visa has come up with this story.. but they must in order to support “contactless”. Most consumers don’t know that today contactless transactions have limits. These limits are set by the issuer, in Europe they are typically around $25. However the issuer can choose to increase the limit (no PIN required), or require a PIN with a contactless payment.  All of this is a little absurd for Visa as PIN is always viewed as key to authentication, AND Visa just waved the signature requirement for mobile payments. So no signature required for Square.. but Visa wants it optional at the merchant POS so it can retain the volume?….  Expect some Regulatory involvement here.

Large Merchants are very, very aware of this strategy to improve the credit transaction mix and make mobile/contactless payments a “premium” service. The top 20 retailers have put their foot down and said “no way” will we be putting contactless readers in our store (MCX members particularly). The terminals that they are ordering DO NOT have contactless capabilities.. only EMV chip and PIN. Most retailers agree that signature is a worthless authentication mechanism. Visa clings to signature in order to ensure transactions are routed through them. Expect MCX to look toward a PIN model..

So this EMV “battle” has many sides to it.. it impacts mobile payment adoption, EMV rollout, plastic re-issuer, consumer behavior, consolidation of national PIN debit networks, …

Comments appreciated.

MasterCard follows Visa’s lead on EMV Push

Yesterday MA followed lead and announced plans to support US rollout of EMV. Many of you are probably wondering what this all means in light of mandates and deadlines. The politics and business drivers behind this push are quite complex, but the most important to note that neither large US issuers or retailers are enthused about this push as there is no business case for the change on either side.

31 January 2012

http://www.mastercard.us/mchip-emv.html

Yesterday MA followed lead and announced plans to support US rollout of EMV. Many of you are probably wondering what this all means in light of mandates and deadlines. The politics and business drivers behind this push are quite complex, but it is important to note that neither large US issuers nor retailers are enthused about this push for one primary reason: there is no business case for the change (on either side). Historically, networks do not change without sound financial incentives ( or there is some sort of regulatory mandate).

A Bank makes money by managing risk. Within the payments space large banks have invested billions of dollars in custom fraud infrastructure. The effect (if not the goal) of bank investment in custom fraud infrastructure is to push fraud into the weakest link (or bank) in the network. Smaller banks must seek partners like FIS, FirstData and the Networks to help them keep up. The EMV standard is used by card issuers in just about every market globally, except the US. EMV is effective in addressing certain kinds of fraud such as counterfeit and skimming. Within an EMV environment, international issuers and acquires thus could relax in maintaining related fraud controls IF cards existing in an EMV only environment.  However international travelers to the US and US travelers abroad lead to fraud “leakage”. US issuers did not suffer, due to their fraud infrastructure, but the other banks have.

Thus the “true” benefits of EMV cannot occur until there is 100% adoption at POS (10M in US), complete elimination of the mag stripe in the plastic that we all carry (approximately 1.5 billion in US). This is the conundrum facing any new technology here:  New Plastic must completely replace the old. In other words there is no “Incremental” fraud savings to an incremental rollout, nor is there a business case for either issuer or retailer to implement. Take this on top of the fact the EMV is 20 year old technology and we have a very challenging environment.

What are the benefits in retail? Both Visa and MA have established a carrot and stick approach. Given only the issuer can reduce interchange, the carrot is reduced PCI compliance costs and some terminal subsidy. The stick is a liability shift for to the merchant  if a consumer presents an EMV capable card and the merchant terminal does not accept it.  Given that the big issuers have no plans to reissue cards, the merchant risk is fraudulent EMV cards (starting in Oct 2015 for Visa). Perhaps if retailers see an EMV card, they should request an ID.  For issuers, the compliance dates are longer and the stick which Visa and MA have constructed is weaker given that US issuers already bear costs of card present fraud.

So what are Visa and Mastercard trying to accomplish? From a political standpoint they must address the international issuer concerns and be viewed as supportive of the EMV standard. But more importantly Visa and MA want to cement their control of the network, particularly in two areas: mobile and US debit cards. In mobile, Visa and Mastercard are aggressively trying to make mobile POS payments a “premium” service used exclusively by credit cards. A key to success in mobile is POS readiness to support contactless payment. The EMV mandate certainly helps provide another incentive to merchants. With respect to the Debit, the Durbin Amendment has impacted the incentives for US banks to continue support of Signature Debit. In the US, PIN Debit enjoys a slightly higher growth rate (15.6% vs 14.3%), consumer preference (48% vs 34%), lower fraud rate (2009: Signature $1.12B, $181M PIN debit card),  and obvious merchant preferences (96% of PIN fraud losses assumed by issuers, vs 56% in Signature). PIN debit transactions do not need to be routed through Visa and MA, and PIN only cards do not require their logo. EMV debit cards may be a tool for Visa to maintain a US debit business (MA US debit penetration is low).

What to expect?

Note that in virtually every geography, EMV was a regulatory driven initiative. In the US this is not the case, as the large banks have proven capable of managing fraud. Large issuers are thus reluctant to undertake any mass reissuance of cards, and US regulators are reluctant to have US Banks pay for a system that will primarily benefit issuers outside of the US. My guess is that we will start to see a trickle of new cards being issued on EMV starting in 2014 or so.

Retailers will have a similar adoption dynamic as they assess cards being used at their stores, and what future payment networks may offer not only in terms of compliance and interchange, but also in delivering customers through incentives and advertising.  I’m certain that the retail “first movers” in NFC must be pulling their hair out as they discover that their new NFC payment terminals are not equipped to accept the mandated EMV card. These retail CEOs will discover that the “stutter” in reterminalization was intentional and it will be a cost they will bear twice in 2 years.

In this dynamic environment, there will be high demand for companies that can help retailers develop a plan and navigate this chaotic environment. Oddly enough, start ups like Square and Payfone may have a tremendous advantage in simplifying the checkout process. In other words, EMV could actually provide the impetus for new payment networks to gain a foothold.

EMV in US? No Way

Update Sept 2014

Did EMV in the US happen? Well to the surprise of issuers, Visa announced a scheme change in the US in August 2011 (see PR). The big issuers were not consulted about this program prior to rollout, as the dynamics described below in my previous article were occurring. Additionally banks were working on a new scheme that would leapfrog EMV: Tokenization.  The large banks were working on this scheme without the involvement of Visa and MA. If successful, this new token scheme would have bypassed V/MA altogether. I believe one of the reasons for this EMV push by Visa was to reassert its control of the network. Today we see quite a bit of friction remaining here between issuers and networks. See my blog on Chip and Signature for a view on some of the remaining chaos.

The new EMVCo token scheme announced in October 2013, formalized in March 2014 and rolled out first with ApplePay in Sept 2014 is the new “best” scheme on the planet. In this scheme, the networks have taken over the original bank token model. Of course banks can also serve as TSPs, but none of them are currently prepared (as of Sept 2014).


 

Original Oct 2009 A

As I was reading an article concerning “why US Card issuers should move to EMV”, I was struck by the amount of “disconnectedness” on this topic in the industry.

A quick background for those unfamiliar:

  • EMV is a “Chip” that replaces the mag stripe on a credit card http://en.wikipedia.org/wiki/EMV
  • Rolled out in Europe in 2004 w/ hope that fraud would go down (it actually just shifted to Card not present “CNP” transactions)
  • European issuers are also acquirers. In US these functions have been separated w/ exception of AMEX
  • Europeans banks are complaining that US cards in EMEA markets and EMEA cards in US markets are the weaknesses in their beautiful vision of a “Chip world”. EMEA acquirers are also threatening to stop accepting US (mag stripe) cards.
  • US Adoption of EMV would take 10+ yrs for banks to re-issue cards and for all merchants to replace all terminals that use the mag strip.
  • Issuers in the US don’t collaborate very often because of anti-trust concerns. Rules are set by networks… in which banks are Board members. Big banks like competing through “best practice” in fraud management. Small issuers have trouble in the arms race.

US Issuers are exercising sound judgment in not jumping on the EMV bandwagon, yet many industry pundits (without access to the data) continue to push a POV that we in the US are somehow backward. Just take a look at the UK fraud data, the card losses have grown from 122M GBP in 1997 to 531M GBP in 2007, and 610GBP in 2008. What did the EMV investment “buy” the UK issuers? A detailed look at this fraud data (APACs confidential) shows that fraud adapted to the next weakest point in the card chain: CNP.

The US banks are highly motivated to do the right thing here, but the solution requires coordinated movement by 4+ highly fragmented groups (Issuers, Acquirers, Networks, Merchants).  The US banks do get together to discuss these topics, primarily at the Philadelphia Fed.  The top request from the banks (to their regulators) was to free their hands in working together on fraud and standards without fear of anti-trust reprisals.. A request that took on no owner, as the number of agencies involved were challenged to work between themselves (FTC, OCC, Fed, …)

http://www.philadelphiafed.org/payment-cards-center/publications/update-newsletter/2009/spring/spring09_06.cfm

Independent of the political challenges that the issuers face in the US, EMV is not the initiative to bring them together.

  • Old technology (will not last the 10yrs it will take to roll out in US)
  • Expensive (POS, Card). Costs are not borne equally in network
  • No proof point, fraud did not go down in UK, CNP was not addressed. http://www.computeractive.co.uk/computeractive/news/2238913/apacs-releases-fraud-figures
  • Fraud Shifts to the next weakest point, it is not static
  • Big issuers like to compete on risk management
  • No benefit from “incremental” rollout of any technology (below)
  • “Health” of issuers (below)

The “true” benefits of EMV will not occur until there is 100% adoption at POS (complete elimination of the mag stripe), and all other weaknesses are addressed (primarily CNP). That is the conundrum facing any new technology here:  New Plastic must completely replace the old. In other words there is no “Incremental” fraud savings to an incremental rollout.

Where there is chaos there is opportunity…

With respect to card use at the POS in the US, prospects for NFC in mobile handsets is very exciting. NFC enabled handsets provide great customer convenience and the cost(s) are not borne by the banks. I highly recommend the business whitepaper below for those interested in the subject.

http://www.gsmworld.com/documents/gsma_pbm_wp.pdf

Other Data

NCL losses of Top Issuers for 3Q09

Top 5 issuers have seen their businesses deteriorate substantially, as NCLs moved from ~3% in 2007 to 10-12% currently. 3Q09 Examples (Data is for QUARTER)

  • – Citi.  NCL of $4.2B,
  • – JPMC. NCL 9.41% (ex WaMu) Card Net Income ($700M) for quarter
  • – BAC. NCL $5.47B, 12.9%
  • – CapOne. NCL $2.3B, 10%

 

http://www.javelinstrategy.com/2009/08/06/emv-us-magnetic-stripe-credit-cards-on-brink-of-extinction/