Dispatch from the Smart Card Alliance Payments Conference
For those companies and individuals most committed to building the EMV and NFC ecosystems, the place to be February 3rd through 7th was Salt Lake City where the Smart Card Alliance hosted both an EMV Migration Forum meeting and its annual Payments Summit. Over 525 people attended, representing the chip industry, payment processors, card brands, payment service providers, consultants, media, and even some merchants.
I’ve attended the conference for the last four years and its related antecedent CardTech/SecureTech before that. Many of the same folks attend this conference and the same issues are often repeated. As a result, there’s been a Groundhog Day quality to the experience. This year, for EMV in the USA, that groundhog must not have seen his shadow because the card standard’s long winter in the US looks to be ending and, while hardly early, this may be springtime for EMV in the USA.
Here are a few of the takeaways:
US EMV Underway, No, Really This Time
While unfortunate, the Target breach appears to be the catalyst for getting on with the US EMV deployment. That and the resulting high levels of attention it, and payment card security in general, has received in the national media as well as Washington. While there were rumors circulating this fall that EMV liability shift dates would slip badly or that EMV might be skipped altogether, the Target and Nieman Marcus data breaches have given everyone the intestinal fortitude to recommit to the 2015 and 2017 liability shift dates for merchants and ATMs. For a countdown clock to those dates, displaying both the business and calendar dates left to go, click here.
Up until Q4 of 2013, issuers appeared to be holding back on updating their portfolios to EMV. No longer. I was told that chip orders are now running in excess of 10 million a month. Even giving that number the Skeptic’s Haircut of 50% off the top means at least 60 million EMV cards will be in the US market by the end of 2014. Visa’s Stephanie Ericksen, head of Authentication Product Integration, reported that as of September 2013 6.6M EMV cards had been issued in the US. Between those numbers and the fact that my daughter’s first credit card was a Chase chip card tells me that even the standard portfolios and not just the premium cards are getting chip treatment.
Canadians Chipper over Chips
Every vendor at the conference has to secretly wish that the US market looked a lot more like Canada. With its highly concentrated banking industry, direct to merchant acquiring by those banks, a similarly concentrated mobile operator environment, and that Canadian urge to find a satisfactory detente despite conflicting business interests, selling chips to Canadians is duck soup compared to the fractious and factionalized US.
Canadian payment innovation is being brought to market largely by the established payment industry and the mobile network operators. The Canadian payments ecosystem has gotten behind EMV and contactless in a big way with nearly 100% of MasterCard plastic supporting both contact EMV and contactless.
Given the effort to get to this happy state, and the high cost, I’m thinking even Canadian merchants are glad to have this wave of payment innovation nearly over.
Cautious Chip Deployment in the US
While it appears contact EMV cards are entering the US market, they are unlikely to be dual interface, supporting both contact and contactless. We won’t be replicating the Canadian experience any time soon. Contactless cards have had a rough ride in the US. Even Visa’s Ericksen suggested that contactless and transit make a great pairing but for many other markets the dual interface investment wasn’t a compelling proposition. An EMV contact card costs an issuer just under one dollar. A dual interface card is in the $2.50 range.
To PIN or Not to PIN, It’s Still the Question
EMV is a toolkit with multiple deployment options. Cardholder verification methods include PIN, signature, and no signature. And there’s no uniform approach to CVM. Visa is adamant that the cost of “PIN credit” in the US isn’t justifiable from a cost perspective (a mechanism that does provide that function exists as credit card PINs are already required for ATM cash advance). Visa cites the certification costs of all of the device and acquirer combinations, never mind the simple and frequent issue of consumers forgetting their PINs, as unnecessary expenses when the real concern is counterfeit cards.
MasterCard is more amenable to “chip and PIN.” Discover’s stance leans toward “chip and PIN” as well.
The card brands do all agree that offline authentication is not worthwhile in our online, all-the-time authentication and authorization environment.
Debit Stalemate Continues
The most unfortunate business barrier to broad EMV uptake is the remaining uncertainty over how to handle debit transactions on EMV cards under Durbin amendment rules. While technical solutions exist, agreement among the card brands and the independent EFT networks over which Application ID (AID) to employ has not been reached.
Among the unfortunate consequences is the fact that debit, the consumer’s preferred way to pay, may not enjoy EMV protection as soon as credit will. That places a big target on the back of the debit card. As the experience in every other EMV transition shows, fraudsters will shift their attention to the weakest point. The CNP channel, of course, will get its share of increased attention from fraudsters. But unprotected debit portfolios will be tempting, next-in-line targets. In limbo because of the wait for the federal appeals process to conclude and the detente-free zone that is the debit network operators, this important method of payment could be under pressure. Debit issuers will stay on the sidelines until these issues get resolved.
This is Going to Take Awhile
According to Visa, the global experience shows it takes an average of six years after the liability shift date for chip-to-chip transactions to reach the 90% point. That puts us into 2021. Just getting ready for the 2015 merchant liability shift date will be impossible for all retailers. While the top tier merchants are already well along the path, the long tail of mom and pops is very long indeed.
For all but the largest issuers, getting ready will also be challenging. In card production facilities, programming even tens of thousands of chips is a just matter of a few minutes. That’s not the problem or what takes the time. The setup for each issuer’s card program, however, can take two to four hours. With 14,000 financial institutions in the US, that’s over 3 years of 24/7 card production at two hour intervals. Many issuers simply won’t make the October 2015 date that the merchants must meet.
Unfortunate as it is, the Target breach, touching upwards of 1 in 3 US consumers, has obviously given the EMV transition forward momentum and stiffened the resolve around the liability shift dates. But time is an inelastic thing. With so many merchants and issuers, the vast majority of them of the small variety, the brands will no doubt slip the schedule by six months or more. It’s happened in other markets. Canada needed one. Mexico needed three. A slip will have to happen in the US.
No Mandate, Just the Liability Shift
The US market is relying on the merchant liability shift to move the entire US payment industry to EMV. In other words, only the card acceptance side has been confronted by an incentive to deploy EMV infrastructure. Unlike other national EMV rollouts, no such issuer mandate –from either card brands or a government entity—is at play in the US. While we are seeing US financial institutions increase their rate of EMV issuance, there’s no incentive other than customer demand, media pressure, and lowered counterfeit card fraud rates. Hopefully, those are enough to move this enormous market.
We’ve been talking with clients a lot about EMV lately because, well, time is short. Reach out via email or give me a call on 978-393-1737 if you’d like to discuss your plans or to share how you see EMV in the USA.