EMV, Data Breaches, HCE and the Pace of Change in Payments
One of the pleasures of joining Glenbrook has been getting to know what and how the other Glebrookers think about what’s happening in the payments industry. We talk a lot at Glenbrook. Over iChat, email, mobile phones, Skype, Google Hangout with voice and video, through Google Docs, and whenever we meet up for client work and bootcamps. It’s how we work our way through the news and the issues facing our clients.
Scott Loftesness has a particularly thoughtful view on payment technology. In this email conversation, Scott and I work through some hot issues as he reminds me about the sometimes unfortunate pace, and instigation, of payments industry change.
George: The payments industry as a whole has really struggled as it tries to move from cards to mobile. But as I look around recently, I’m seeing signs that suggest an acceleration in that process. Visa and MasterCard have endorse host card emulation (HCE) and cloud-based payment credentials. PayPal’s just announced that it’s working with Samsung and its new Galaxy S5 device to use its fingerprint reader to strengthen security via the FIDO Alliance. Tokenization is a hot topic.
Do you see a thaw going on and, if so, what should we be looking for to keep it going? (Or am I just someone in the frozen part of the country wishing for spring?)
Scott: We’ve got a mature – and extensive – card payments system in place in this country. Any changes to it will, necessarily, involve lots of end points – be they consumers, merchants, the banks and their processors – and, of course, the networks and the rules they set.
When new technologies are involved and driving changes into the payments system, things can get complicated quickly – especially if the new technologies are intended to be the basis for competition between the players. When that’s the case, there’s not much incentive to work together – the motivations are to get out in front. Much of the mobile payments work over the last few years has felt like it’s had that characteristic. When that’s the mode, things can take a long time – and ultimately may not reach enough of a critical mass to matter.
The recent Target data breach has served as a lightning rod for action to do “something” (EMV and more) to reduce the potential for any loss of trust in the card-based payment system. The breach has become a forcing function – bringing competitors back together to work on addressing what can accurately be thought of as a “burning platform” issue for the industry.
Unlike the card, that provides both the payment credential and proof of the cardholder’s present, the cloud-based wallet opens up all kinds of options to demonstrate cardholder presence. Doesn’t the endorsement of cloud-based wallets by the card brands represent a major shift?
It might represent that kind of a shift – but it seems that questions remain regarding the operating rules for cloud-based wallets and whether (or how) they might be adjusted.
Many observers, including many of us at Glenbrook, have considered NFC and contactless payments to be on shaky ground. But with Google’s Android 4.4 KitKat release and the announcement for its support of host card emulation (HCE), NFC suddenly looks reinvigorated. HCE’s endorsement by Visa and MasterCard has to help, too. What’s your take? Do you think Apple will ever support NFC?
It’s funny – back when I was an executive at Visa, our CEO at the time would give speeches to the member banks suggesting that there was new competition on the horizon – namely, the mobile network operators. So it was somewhat curious to me when the networks embraced the mobile payments framework that had been set forth by the GSMA based on hardware secure elements for storage of payment card credentials on the mobile handset.
The move by Google to include HCE support in Android at the platform level provides an important new option for issuers and merchants to develop applications that can be triggered by NFC without requiring the involvement of either the mobile operator or requiring a secure element. We look forward to seeing how some of these applications come to market later this year – and from whom.
Scott, you were there at the birth of EMV. Deployed in most other global markets, I’m finally convinced this Nineties era is coming to the US to address the counterfeit card concern. But it’s going to take five and more years for near ubiquity. What should we do to accelerate that?
It strikes me that several important issues linger that need to get sorted out to accelerate EMV adoption in the US. Perhaps the current lack of a consensus between the card networks regarding the use of PINs as a second factor for cardholder verification is the place to begin. In other countries that have migrated successfully to EMV, there’s been consensus – developed by the banks and retailers in that national market – behind a unified approach – mostly PIN-based but not exclusively. That unanimity is currently missing and that adds some confusion.
Then we have the debit card network routing requirements that were imposed on all debit cards as a result of the Durbin amendment’s passage and the subsequent issuance of Reg II by the Fed. Another area where consensus has been elusive – yet has to be resolved.
My experience observing other countries is that the involvement of the government and the banking regulators has played a role – sometimes a key role – in accelerating progress towards EMV. As an example, in several of those countries financial regulators or industry councils collect and report fraud statistics on a quarterly basis – unlike in the US where those statistics aren’t visible. If they were visible – with an ability to see trends in fraud over time – we might see greater interest on the issue of fraud as a matter of public policy than presently seems to be the case.
Run the EMV Numbers
One final thought – the current EMV “mandate” in the US speaks only to the acceptance side of the payment system. There is no “mandate” for EMV on card issuers. Merchants, if they fail to upgrade, will begin bearing the cost of fraud – currently borne by issuers – on EMV transactions.
Any merchant considering the implications of this might want to “run the numbers” – “Hmm, let me estimate the business case for making the investment to upgrade to EMV POS terminals versus deferring that investment until a more natural point in the merchant’s POS upgrade cycle.” Running the numbers requires estimates of how many EMV cards the merchant can expect to see at their POS locations – but the lack of any issuer mandate for EMV leaves this number ill-defined presently. That said, momentum seems to be building toward issuance of EMV accelerating – witness Chase’s comments at their Investor Day last week and Amex’s introduction this week of its new EveryDay credit card with EMV included.
So, in summary, if we want acceleration it seems to me we need at least: 1) agreement on the CVM (PIN or signature), 2) a consensus industry solution to EMV debit routing, and 3) an issuer mandate to issue EMV cards in parallel with the merchant EMV “mandate”. Any public policy involvement would be over and above these steps – and might even be provoked if the industry’s progress remains slow.
I’m optimistic, like you are George, that things are moving and accelerating. It’s unfortunate that it took such a major data breach to bring it all back into focus – but that’s the way of the world sometimes!