End the Payment War, Serve the Consumer
By Richard Mader, Guest Contributor
For 10 years retailers and card brands have been engaged in a bitter war that has resulted in less than adequate payment data security and delayed the creation of a totally new payment ecosystem utilizing the latest technology including mobile devices.
Thus I was delighted to see that the National Retail Federation (NRF) on January 13, 2014 endorsed the implementation of chip and pin and said, “When it comes to sensitive bank card data, our partners in the financial industries also have a critical role to play in making sure their cards are secure. The retail industry is eager to work with them to fight cyber-attacks.” The financial industry has issued a similar call: “All of us have a common interest in being protected, so this might be a chance for retailers and banks to for once work together, as opposed to sue each other like we’ve been doing the last decade,” James Dimon, CEO of J.P. Morgan Chase & Co., said last week on an earnings call. Wonderful! It sounds like the financial industry and retailers want to work together – because if the war continues there will be limited cooperation and data security will not be maximized.
Similar to installing a traffic light after a fatal accident at an intersection, the Target, Neiman Marcus and Michaels Stores data breaches have retailers wanting to work with the card brands and banks. Previously retailers have been reluctant to move to Chip and Pin because of the expense to do so and many felt their data was sufficiently secure. But before the Target breach it was “business as usual” between the retail and financial industries, with suits and court appeals over interchange fees, both debit and credit. Retailers argue that the objective of these suits is to save the consumer these huge dollars, but let me ask: when did you last go to a store, purchase an item and have the retailer offer you a reduced price because of lower interchange fees?
The loser in the interchange wars is clearly the consumer. That is because while card brands, retailers and other stakeholders have refused to work together for the last 10 years, payment security has not been optimized and convenient mobile wallets are not widely available.
Who started the war doesn’t really matter; what matters is that it must end, because until it does consumers are at risk. To place the current situation in context, the first suit was filed in 2005 by retailers claiming that VISA, MasterCard and other major card brands engaged in a conspiracy to fix interchange fees, which are charged to merchants for the privilege of accepting payment cards, at artificially high levels. In their complaint, retailers also alleged that the card brands “unfairly interfere with merchants encouraging customers to use less expensive forms of payment such as lower-cost cards, cash, and checks.” Really? In my judgment consumers have favorite credit cards they regularly use to earn air miles, discounts or simply because they have “open to spend” on a specific card. The suit was finally settled in 2013, but retailers rejected the settlement and appealed.
So while the principal stakeholders in the payment world were locked in this bitter lawsuit, significant actions to improve security and increase consumer convenience were happening, but without cooperation, which further intensified the war.
In the Meantime, EMV
EMV (“European MasterCard and VISA”) began large scale implementation in Europe in the early 2000s as mandated by the card brands, and today is implemented in most of the world, with the notable exception of the USA. EMV replaces the magnetic stripe card with one containing an electronic chip, thereby supporting both online and off-line authorization, making it very difficult (if not impossible) to create counterfeit cards. EMV is often referred to as “chip and pin” because with each use, the consumer must enter their pin number. Processing rules and technology for EMV were created by the banks and card brands without cooperation with retailers.
Despite EMV being a bankcard standard, there was little or no effort in the U.S. to adopt it.
In part because the U.S. was not moving to EMV, VISA and MasterCard announced PCI-DSS in 2005, establishing security provisions that had to be followed by retailers accepting their cards. Unfortunately, due to the then-pending lawsuit over interchange rates, the PCI-DSS regulations were created without consultation with retailers, causing great additional implementation time and cost. I remember for 2 years sitting in the NRF CIO council when the hot topic was PCI. Often a VISA representative would attend by invitation and leave virtually tarred and feathered.
PCI was not the end-all for security. Many data breaches have happened to PCI compliant retailers. Indeed, Target Corp. said on February 4, 2014 that it passed its latest Payment Card Industry data-security standard (PCI-DSS) inspection a mere three months before confirming in December that a data breach compromised 40 million customers’ payment card numbers. PCI-DSS did improve data security, but was not the “silver bullet”.
What about the Mobile Wallet?
In 2009 I read an article saying that a new payment infrastructure was needed and should be developed using smart mobile phones as wallets, but to do so efficiently and effectively would require that the major stakeholders work cooperatively: retailers, banks, card brands, payment hardware and software providers and mobile network operators (Verizon, AT&T, T-Mobile, etc.). Thinking this was the “right” thing to do, working within the NRF we organized the Mobile Retail Initiative (MRI) and recruited the stakeholders to participate. We were never able to get involvement from banks and card brands because they would not cross the battle lines.
The objective of the MRI was to provide guidance for retailers to successfully utilize mobile phones for marketing, payment processing and internal operations. The Association for Retail Technology (ARTS, a division of the NRF) published two whitepapers, but could never make a real impact towards a new payment direction because the leadership of most stakeholders clung to their individual interests. Retailers seemed to only care about lower interchange charges and banks and card brands took the position that retailers were trying to steal from them via the Durbin amendment and lawsuit. Mobile network operators could not understand why the other stakeholders were not adopting the NFC secure elements and Trusted Service Manager network they had developed. Hardware and software providers pushed for more secure solutions by offering for sale new devices and applications for end-to-end encryption, tokenization, and EMV card readers.
Strangely most forgot that the mobile revolution is consumer driven, particularly payment. It is consumers who hold the cards. How do they want to pay, what is most convenient for them? In my judgment consumers certainly don’t give a darn about interchange charges, since the price they pay for merchandise is the same, whether paid for via cash or credit. Do they want to insert a card or tap a mobile and go? Would they be happy to enter a pin number for additional security, or would biometrics be easier? What benefits and conveniences would encourage them to throw away their leather wallets, and use a more secure mobile payment method? VISA and MasterCard have offered consumers a choice; the EMV mandate issued in 2012 (calling for implementation over a 4-year period) has provisions for either a chip card or a chip-embedded mobile phone.
Consumers Should Demand a New System
The war clearly continues. It is not surprising that after the Target breach, the NRF pointed the finger at banks for their role in the recent data breaches at Target, Neiman Marcus and other retailers. An NRF statement said: “For years, banks have continued to issue fraud-prone magnetic stripe cards to U.S. customers, putting sensitive financial information at risk while simultaneously touting the security benefits of next generation ‘PIN and Chip’ card technology for customers in Europe and dozens of other markets”. But U.S. retailers are not without blame. Why should banks issue chip cards when only a very few retailers such as Wal-Mart have purchased and installed the equipment to accept them?
But with the Target breach, consumers have finally awakened to the issue. 100 million people have been inconvenienced by a major hack. Is this enough to bring about the formation of the new payment initiative? It is not just about security, although we applaud Target saying on Friday, January 17, 2014 it will invest $5 million and work with the National Cyber-Forensics and Training Alliance, National Cyber Security Alliance and Better Business Bureaus to launch a campaign aimed at educating the public on cyber-security issues. It is about a totally new payment system that is secure and convenient, rewards consumers based on type of payment, provides all parties a fair fee for processing payments, and centers on mobiles but continues to accept cash and checks. Yes, interchange charges should be adjusted to provide a fair fee for service and risk.
Steps necessary to stop the war:
- Settle the lawsuits.
- MCX (The Merchant Card Exchange headed by Walmart) needs to disclose its plans. The Smartcard Alliance, Merchant Advisory Group (MAG), or some independent association should step up to the plate and organize a meeting of the stakeholders. Failing to do so risks government/legislative action.
- Focus groups with consumers should be conducted to determine their wants and needs. Remember retail payments are all about consumers.
- Cooperatively, retailers, issuing banks, payment networks, and technology providers should develop a time and action plan to create the new systems after gathering consumer wishes and needs.
- Together build and deploy.
Editor’s Note: Richard Mader is Director Emeritus at ARTS and the President of Mader International Consulting. He can be reached at Richard@maderic.net