Why Are We Adopting the Stupidest Possible Payment System in the US? asks Kevin Drum in Mother Jones, he cites last year’s big breach of credit card data at Target as being one of the catalysts for a revived interest in more secure credit card and debit card payment transactions.
An approach that is globally widespread except in US is EMV, also known as “chip-and-PIN” technology.
EMV stands for Europay, MasterCard and Visa – the three large credit card networks that founded the standard. Collectively they developed a global standard for the inter-operation of integrated circuit cards (IC cards or “chip cards”) and IC card capable point of sale (POS) terminals and automated teller machines (ATMs), for authenticating credit and debit card transactions.
US banks in particular are lagging on adoption of the standard and as US Senator Al Franken discovered, the answers are not straightforward.
Jaikumar Vijayan wrote of some of the hurdles in Computerworld earlier this month and among them he suggested some pretty significant ones, namely the impact that the technology would have on forecourt petrol gasoline and diesel service stations and their retail operations.
He quoted Gray Taylor, executive director of the Petroleum Convenience Alliance for Technology Standards (PCATS), a trade group representing convenience store and petroleum retailers, saying that the industry will have to spend up to $4 billion to swap out an estimated 800,000 POS systems the cost of which would be passed on to consumers.
Just like all things, while the individual cost of the enhanced POS units may not be that significant, in aggregate they amount to significant costs that have to be borne by retail or passed on to consumers without any immediate benefits.
Bastian Knoppers of SVP Card Personalization was interviewed by FIS and cites a number of interesting aspects to the topic but this was all before the Target stores drama. The WSJ states that the Consumer Bankers Association, a retail-banking trade group, estimates the cost of card replacements for its members associated with the breach has reached $172 million, up from an initial finding of $153 million. The association says its member banks have replaced about 17.2 million cards at a cost per card of $10. That includes the cost of the card, the mailing and distribution costs as well as the cost of hiring extra customer-service employees.
Per Hilary Stout John J. Mulligan of Target stores told the US Senate committee that Target too is accelerating plans to adopt EMV to reduce the potential for credit card fraud.
The session, a Senate Judiciary Committee hearing on privacy in the digital age, was the first time that executives from Target and Neiman Marcus had been subject to detailed public questioning about the detection and handling of the recent data security breaches that exposed the data of millions of customers.
Mulligan is Target Stores’ chief financial officer and confirmed that the data thieves gained entry to the company’s computer system by stealing an outside vendor’s credentials. He disclosed for the first time that Target found malware on 25 registers three days after the company thought it had expunged it from its system.
Michael R. Kingston, chief information officer of the Neiman Marcus Group, spent much of his testimony going over the time frame that led to public disclosure of his company’s breach on January 10, some six months after it began last July.
Kingston said the malware that infiltrated the company’s system was “exceedingly sophisticated,” that it had a “zero percent detection rate” by antivirus software, and that Neiman Marcus Group had first learned of a possible breach when MasterCard contacted it on Dec. 17 to say that 122 of its cards that had been used fraudulently had also been used at one Neiman Marcus store.
The breaches unsettled consumers, and left many angry and uncertain about the safety of their personal information. The incidents also reignited calls for federal legislation setting database security standards and consumer notification requirements. (Currently federal law requires banks to notify customers of data breaches but retailers have no such requirement and are subject to a patchwork of state laws instead.). For US travelers abroad inconvenience has been prevalent for a number of years.
Especially when European and other retailers refuse to accept swipe and signature cards when chip-and-pin became widespread, some hoped that the Durbin Amendment would mandate EMV fraud protection in the U.S. which would see the introduction of the cards, but that requirement was missing from the final ruling and while a few merchants − most notably Walmart − start the roll-out of EMV terminals at POS to prepare to accept chip-and-PIN cards, most retailers remain reluctant to adopt the new technology because they don’t see the payback. Confusion seems to reign supreme in the wake of the final decision.
Nick Collin writes in the Banking Automation Bulletin that the interim decision to deploy chip and signature is an unwise one but has become even more contentious in the consideration of whether the authentication method should be online or offline PIN verification when that eventually rolls around.
Though none of the card associations have come out with full statements Visa at least has announced a plan that includes a liability shift to acquirers.
Once a sufficient number of financial institutions begin issuing smart cards en masse it is felt that merchants will need to decide whether to process the cards using EMV technology or to accept the financial liability for fraud losses that they will ultimately be responsible for.
When the liability shifts, the industry will too probably.
Losses from card-related fraud are increasing and the smart chip enables more robust cardholder verification to protect against consumer-level fraud, such as counterfeiting or
lost/stolen cards, for EMV transactions.
Firstdata’s thought leadership report on EMV in perspective stated that “globally the absolute losses from card fraud are steadily increasing, even though the ongoing battle against fraud is driving the rates downward. As regions such as Europe,
Canada and Asia/Pacific continue to mark positive results in the battle against card fraud, the pressure on the U.S. to migrate to the chip-based standard becomes stronger. Aite
Group says that card fraud costs the U.S. card payments industry an estimated $8.6 billion per year. According to The Nilson Report, the figure is expected to reach $10 billion by 2015. Experts predict U.S. card-not-present (CNP) fraud will rise dramatically as neighboring regions complete their EMV deployments.”
That same report described the highest adoption rates ub Europe Zone 1 (SEPA), Canada, LATAM and the Caribbean as all above 76% and as high as 89%.
The fact is that the longer it takes for EMV to become implemented in the US, the more likely it is that more nimble, cheaper and advanced forms of authentication at the POS could leapfrog the technology said Nick Holland of Javelin Strategy in mid 2013.
“Given the momentum behind contactless and, by association, NFC, this seems to be the way the industry will go before EMV even gets a proper look in in the |US, but nothing is for certain and the growth of cloud based wallets certainly seems to be plugging the void between the rapidly evolving personal technology market and the glacial evolution of legacy payment hardware, as Starbucks can attest.”
Target and Nieman Marcus may change all that.
In concluding, one cannot help but feel that there are some more insidious reasons behind the lag in adoption in the US, not least of those being the signaling of intent around how liability on transactions would be handled in an era of chip and pin but perhaps even a mortal fear of the violation of civil liberties is at play here though Wayne Rash would have you know that traditional credit cards actually constitute much greater risks to your privacy and the real sticking point here is the banks, some of which apparently don’t want to offer the increased security of the EMV card to their customers because it would raise their costs slightly.
It is all about money at the end of the day and who is going to foot the bill.
