
EMV In The U.S.: Should We Go Directly To Mobile?


Last week in RSR-land, we had a brief go-round about what exactly the benefit of the EMV rollout in the United States has been. What triggered this was an article that my partner Paula had seen about the relative hackability of EMV payment transactions. At a recent conference, a data security expert revealed that NCR researchers had figured out how to spoof the payment networks into believing that an apparently chip-enabled card didn’t have a chip on it (thus proving that it’s possible for a fraudster to use a fake chip-enabled card at the register).

This in turn led to an exchange between Paula and our friend and colleague at IHL Group, Greg Buzek. Greg is one of the very best when it comes to understanding the technical ins and outs of in-store point-of-sale systems, and so was the best possible source for clarity regarding Paula’s essential question: “What is in the data going to the processor that needs to be encrypted in an EMV world?” Greg’s answer: “The card number and expiration. It’s the same basic stuff. Everything but the 3 digit code. From terminal to processor traffic is essentially the same. The only thing EMV did was authenticate the card as a legit card. Nothing for real security.”

And there you have it, people. The Emperor has no clothes.

What, you might ask, was the purpose of putting the entire U.S. retail industry through an expensive rollout of EMV, and putting American consumers (to say nothing of sales clerks in stores) through the confusion and hassle of changing long-practiced behaviors in the checkout line? Good questions! They are the very same ones that caused the National Retail Federation to express concerns to the U.S. Congress in a letter to the House of Representatives Small Business Committee on October 7, 2015.

That’s also why Home Depot sued VISA and Mastercard in June, causing none other than Consumer Reports to weigh in on this legal challenge:

“Wasn’t the whole point of the new chip-embedded cards to make payments safer? Given the delays the chip scanners are causing at checkout counters, you’d certainly hope so. The answer is yes, the new cards were supposed to improve security. However, the Home Depot suit and a similar one recently filed by Walmart against Visa claim that the system was executed poorly, leaving credit card transactions vulnerable to fraud… some security experts advise consumers to keep the cards in their wallet and pay with their phones whenever possible. Mobile-payment apps such as Apple Pay, Android Pay and Samsung Pay boost security by generating one-time credit-card numbers for each transaction. That “tokenization” of the card number leaves nothing for a fraudster to use online, even if the store’s payment system is as hopelessly compromised as, say, Home Depot’s was in the data breach discovered in 2014.”

The Definition of Insanity, Applied?

You’ve heard the famous Albert Einstein quote: “the definition of insanity is doing the same thing over and over and expecting different results.” That logic seems to have been applied to compliance with the VISA “mandate” for card-based payments in the U.S. That is, just like earlier PCI compliance efforts, the payment networks imposed unyielding demands, while neither the card-issuing banks nor accepting merchants took them particularly seriously until they had no choice in the matter. And in this instance, consumers basically were left to “hack” the user interface at the checkout lane, much to the chagrin of the unlucky 13 people standing in line behind them.

And so, Consumer Reports suggests something even more radical! Let’s just all go straight to mobile payments. Then we can enjoy the outcomes of our collective insanity all over again, as consumers fumble about downloading mobile apps, trying to enter all their credit card data, and having problems presenting the mobile device at the POS. If you don’t think this will be even worse than waiting for the customer in front of you in the line fumbling with the EMV “chip & signature” protocol, just go to an airport and watch people try to present their online boarding passes at kiosks.

It’s Time To ‘Do the Necessary’

Houston, we have a problem. Consumers are confused and irritated. Merchants are angry about the risk shift that non-compliance with EMV represents, and big merchants are suing the payment networks over fees while trade associations are begging Congress to act (I would actually advise against that, since no one knows what wrong-headed solution Congress might come up with).

Payments industry expert Karen Webster published a piece this week that gives the industry some guidance on how to navigate through this mess (http://www.pymnts.com/news/emv/2016/emv-in-the-us-and-move-to-mobile/). Essentially it’s this: it’s time for merchants, payment networks, and issuing banks to stop all the finger-pointing and sue-me-sue-you stuff, and actually collaborate on a plan to methodically move the whole payment ecosystem into the 21st century. Webster concludes:

“The merchants and networks should stop fighting last century’s interchange fee wars, sack all the lawyers and get them out of the way, and work together to win this century’s war: having mobile move plastic and cash digital.”

Sound advice – do the necessary. Let’s get focused on consumers for a change, and then let’s get going!

Newsletter Articles August 9, 2016