EMV In The U.S.: A Duck and Cover Strategy?
American consumers started receiving new credit cards in the mail a couple of months ago from issuing banks, and those new cards featured something very familiar to consumers in every other part of the world: a computer chip. Retailers are well aware of these new EMV (“Europay, Mastercard, and VISA”) cards – or “chip and pin”, as they are commonly called – because in 2012 payment network giant VISA published a roadmap for compliance with the new card format by October 2015.
Since that announcement, there have been a number of well-publicized and ugly data breaches in retail establishments (and even more recently, there have been big breaches at Hilton Hotels and even Dow Jones). Retail breaches have led to increased pressure to comply with the new and presumably less breach-prone technology. But almost from the start, many have questioned whether American payment processors were just offering a placebo – the equivalent of telling schoolkids to “duck and cover” by getting under their desks in the event of a nuclear attack. Why? Well, the U.S. EMV implementation is NOT chip-and-PIN technology, but chip-and-signature. While the EMV chip updates the card technology from the old mag-stripe to the new chip, it doesn’t eliminate problems associated with hacks to credit card readers or POS terminals.
RSR has been pretty vocal in its criticism of the decision to move to chip-and-signature. Most recently (in October 2014), my partner Nikki Baird opined:
“So what is going on with banks? I’ve heard rumors that mag-stripe cards cost about 30 cents, and chip-enabled cards cost about $3.00 – an issuing cost that will have banks dragging their feet as long as possible. I just can’t make that compute, though… if it is the card that is the cost, then why bother with chip and signature? A chip and signature card costs just as much to make as a chip and PIN card. They both have a chip… Chip and signature is less secure than chip and PIN. In fact, we just had a case in Denver where a woman’s purse was stolen, and in the hour it took to get through the police report, the thief had racked up $30,000 in purchases on the stolen American Express at the local high-end mall. This thief was flat-out brazen. She flashed the victim’s own ID… Chip and signature will not solve that kind of theft. And it doesn’t do anything to lay any groundwork to make online transactions more secure – which is where fraud will move next, once chip and PIN actually makes its debut.”
Nonsense
So, what is it with the banks? The reasoning that the U.S. payment industry gives for choosing chip-and-signature is that consumers can’t be trusted to remember their own PIN codes. That’s nonsense on the face of it, because it assumes that American consumers are somehow dumber than their European and Asian counterparts, and that 20 years of ATM debit card experience is irrelevant to the new situation.
Retail trade associations like RILA (The Retail Industry Leaders Association) and the NRF (The National Retail Federation) think it’s nonsense too. Recently, the NRF brought its concerns to the attention of the U.S. Congress in a letter to the House of Representatives Small Business Committee, dated October 7, 2015. In the letter, VP of Government Relations David French stated:
“Secure, PIN-protected cards (computer chips were primarily added for other purposes) were long ago introduced in Europe and elsewhere to combat fraud; however, the card issuing collective rejected both measures in the U.S. for two decades. So long as fraud was effectively being absorbed by small businesses and others, it apparently was not a serious concern of the card issuing consortium… (but) Fraud has increased. The type of fraud for which banks are initially responsible has also increased. Consequently, they and the card companies have belatedly sought to introduce into the U.S. cards that would reduce fraud, much as they did in Europe and Canada years ago. But they have ignored the lessons of those countries. Rather than introduce U.S. cards with PINs (which reduce all types of fraud), abetted by Chips (which help reduce just in-store, counterfeit fraud), they are introducing Chip without PIN cards; i.e. partially protective cards… While the new cards make it somewhat more difficult for criminals to use, they do not actually prevent numbers from being stolen in the first place, and stolen numbers can still be used for online and other types of fraud. The new EMV equipment does not stop breaches. Indeed, in many cases it provides no significant benefits either to the business or to the business’ regular customers.”
So what this amounts to, according to industry observers, many retailers, and the trade associations, is that chip-and-signature doesn’t solve the fundamental problem, makes retailers incur costs that offer no demonstrable benefit to either them or consumers, is nothing more than a bold risk-shifting play by the payment industry, and will in all likelihood have to be redone when the US market finally decides to get into compliance with the entire remainder of the world.
Back In The Store, Faint Praise
Aside from all those weighty issues, initial reports from consumers are not good. To get the best perspective on this, I reached out to my good friend and industry colleague Richard Mader, Director Emeritus of the NRF’s ARTS standards organization. No one knows the issues surrounding EMV better than Richard, who has been ringing warning bells for years about data security and fraud.
Richard went shopping, and here’s his trip report:
“I just got back from a shopping trip to Home Depot and Sam’s Club where I had to use my chip card. Here is my take. Given the different opinions about how much additional security EMV really provides and the time delay for approval at checkout, I understand why there would be a reluctance to initially implement PIN; I would have to wait 10 seconds for approval, then spend another 5 to 10 seconds to enter my PIN – assuming I do it correctly the first time” (Editor note: in many retail POS systems, mag-stripe authorization could be taking place during the ring-out. However, early implementations of the EMV often only start the authorization process at the end of the transaction, adding time).
“A retailer implementing EMV should do it in two steps, first with signature then add the PIN if statistics prove value. Right now the public is largely unaware that they have a PIN card, so they first swipe, which they have been doing with the same card for months, only to be told ‘oh sorry! you must now insert the card.’ That adds more time to the process. Can you say ‘long lines at Christmas’?
“Today half the cards in my wallet have chips, so are only 50% of the banks and card brands ready? Only about 33% of retailers are ready. As a consumer I don’t sense an urgent need to enter a PIN with each transaction. After all, if it were so important, wouldn’t everyone be ready? As a consumer, fraud charges don’t affect me, except for the inconvenience of posting new account numbers to all places I have stored them for reuse.
“As I have always said, focus on the consumer, give them time to adjust and continue to market to them.”
Focus On The Consumer
The problem with the EMV implementation in America is that the parties involved are not focusing on the consumer, as Richard suggests they do. At the very least, the payment networks are more focused on shifting risk than on eliminating it. Added to that, they are forcing customer inconvenience onto the retailer, and retailers know that consumers will blame them, not the payment networks. Winning and keeping customer loyalty is harder than ever, but clearly U.S. payments processors don’t care about that, because, as the NRF’s French stated, they are “a consortium of card companies and banks who have, for many years, collectively exerted near monopoly power over the business community.”
Worst of all, when (not if) the U.S. electronic payment system does finally conform to the international standards, retailers and consumers will have to go through the learning curve again. How many more breaches will happen before we get to that place as an industry?
In the meantime, Apple’s tokenized payment system is looking pretty good by comparison. Talk about walking backwards into the future!