DT, November 2016
November 1, 2016
By John Stewart, Jim Daly, and Kevin Woodward
EMV after effects dominate our list of headaches this year. Still, from regulation to faster payments to interchange uncertainty, there are plenty of other issues to contend with.
In the 10 years we have compiled our annual list of pressing issues facing the payments industry, no single theme has dominated the roster of problems as has EMV. Last year, the U.S. chip card rollout generated four of the 10 industry issues. In the list that follows, fully five are related in one way or another to EMV.
It’s been a rocky rollout, to say the least, and the ripple effects are still being felt. And these issues are just the problems stemming from the transition to EMV at the point of sale. Last month, ATM deployers had to meet a chip deadline set by MasterCard, and next October it’ll be the turn of petroleum marketers, which will have to have their fuel pumps ready for chip cards or take on the risk of counterfeit card fraud. Expect yet more ripple effects.
Beyond EMV, the industry is contending with a general movement toward faster payments. The nation’s automated clearing house network introduced same-day clearing for credit transactions in September, with debits to follow next September. At the same time, the Federal Reserve is marshaling an industrywide task force to design a faster-payments system, and The Clearing House Payments Co. LLC, which is controlled by most of the nation’s biggest banks, is putting together a real-time payments architecture that will run on wholly new rails.
That will make for much-improved payments efficiency, but some observers fret faster processing will leave less time to spot fraud.
Meanwhile, the specter of regulation continues to haunt the payments business. Last month, the powerful Consumer Financial Protection Bureau weighed in—literally—with its long-awaited final rule on prepaid accounts. At nearly 1,700 pages, the rule is nearly twice the size of the preliminary rule released two years ago. While much of the rule is concerned with extending existing checking-account protections to the prepaid business, critics point to the rule’s inclusion of mobile wallets as an example of how it could stifle emerging products.
Then there’s the whole matter of credit card interchange. That contentious price acquirers pay issuers, and then pass on to merchants, has been a sore point for decades, spawning litigation and hard feelings. And now it’s back in a federal court with an appellate court’s decision this summer to overturn a 4-year-old settlement that everybody had thought put the matter to bed once and for all. Everybody, that is, except merchants, who had other ideas.
Still, the payments business enjoyed brisk growth in 2015, posting 131.2 billion consumer-based ATM, ACH, and card transactions, up 6.3% from 2014, according to Digital Transactions estimates. That, at least, is cause for celebration, even if much of the report that follows makes for somewhat lugubrious reading.
1. The Chargeback Avalanche
The transition to EMV has taught many merchants just how serious an issue chargebacks are. Indeed, many smaller retailers freely admit they had no idea chargebacks could mount so fast, since their processors had never told them.
The reason merchants are now facing a tide of chargebacks has to do with EMV’s so-called liability shift—a fancy way of saying who holds the bag when it comes to financial responsibility for counterfeit card transactions. Fraud generates chargebacks, and card issuers traditionally absorbed most such liability.
But under EMV protocols, if the cardholder presents a chip card and the merchant’s terminal can’t read it, the merchant will absorb any resulting costs from counterfeit fraud. Some networks also are transferring liability for lost-and-stolen card fraud to non-EMV-accepting merchants.
As soon as the networks’ point-of-sale liability shifts took effect on Oct. 1, 2015, merchants and merchant acquirers began reporting, anecdotally, that more chargebacks were coming their way.
Some merchants claimed issuers were using EMV as a cover to submit chargebacks for non-EMV-related reasons. A small Miami-area grocery-store chain and liquor-store affiliate claimed they were hit so hard that they took the networks and eight big issuers to court in March.
As of early October, the networks had not disclosed any chargeback totals publicly. But research firm Aite Group LLC, which closely follows payment-security issues, in August estimated that some 14.7 million chargebacks worth $5.8 billion would hit merchants this year, up 17% in transactions and 21% in dollar value from 2015 (“EMV’s Chargeback Toll: $5.8 Billion in 2016,” September).
Payments executives and researchers say criminals are rushing to get as many fraudulent transactions as possible through while mag-stripe-only terminals still remain in wide use. There are still plenty of old terminals around—recent reports from the networks say 2 million merchants accept chip cards, which means at least the same number still do not.
There is some good news. MasterCard Inc. in September said counterfeit fraud costs at U.S. merchants that had completed or were nearing completion of their EMV adoption fell 54% from April 2015 to April 2016. Visa Inc. reported a 28% drop in counterfeit fraud for the same period.
Card issuers, which face less complex issues with EMV than merchants, have been converting their credit and debit card portfolios to chips faster than merchants have been bringing chip-reading terminals online. But once the vast majority of terminals can process chip transactions, counterfeit fraud liability would be expected to revert to its pre-EMV patterns. At least, that’s what merchants hope.
2. The Rising Threat of Online Fraud
Online fraud is an incessant problem not only for merchants and consumers. Payments companies, too, continue to deal with the apparently increasing attempts to commit this crime. Card-not-present fraud will account for 38% of all U.S. card fraud this year, according to estimates by Aite Group, a Boston-based researcher. That comes to about $3 billion in online fraud losses.
With predictions more than year ago of increasing online fraud in the wake of the U.S. payment card industry’s monumental move to EMV chip cards, the payments system is finding some truth in those forecasts. As criminals find it more difficult to commit fraud at the point of sale, they turn to easier targets, such as online commerce.
To counter this trend, EMVCo, the organization that sets EMV standards, has been working on 3-D Secure 2.0, an authentication measure that is akin to EMV online (“Securing the Future of 3-D Secure,” July). The final specification was expected to be released in the fourth quarter.
In its original form, 3-D Secure sought to thwart online fraud by requiring consumers to enter a PIN or password while in the process of checking out on merchants’ sites. But merchants complained that the process took too long and put off consumers by redirecting them to a separate page or pop-up screen. The integration work merchants had to perform was also an early impediment. After years of resistance by merchants, many issuers gave up on the technology.
Visa Inc. announced that its Verified by Visa service, which is built on 3-D Secure, will not use static passwords beginning in 2018. Discover Financial Services said at the Western States Acquirers Association conference in September that 3-D Secure will be available for e-commerce, mobile commerce, and in-app transactions beginning in 2017.
Discover, because it is the issuer and processor for Discover card transactions, automatically enrolls its cards in the service, which it calls ProtectBuy. ProtectBuy 2.0 will launch in 2017. It will use a secure connection, risk-based authentication, and enable the issuer to challenge the cardholder if necessary, such as by requesting a password.
Will the revamped 3-D Secure do the trick? A lot of money is riding on the answer.
3. Retailers Riled Over Routing
Never has an issue so obscure raised such a ruckus. The Dodd-Frank Act’s Durbin Amendment supposedly guaranteed merchants access to at least two unaffiliated networks with each debit card transaction, but some of the nation’s biggest retailers are accusing Visa Inc. and MasterCard Inc. of subverting their routing choices as EMV chip card payments take hold in the U.S.
Retailers want unfettered access to PIN-debit networks, which they say are more secure and economical than using Visa and MasterCard, whose networks are accessed when the customer signs for a purchase. At stake are millions of dollars in interchange and network fees.
Wal-Mart Stores Inc., the world’s largest retailer and a company that’s frequently at odds with the card networks, fired the opening shot in this latest conflict when it sued Visa in a New York state court in May. Wal-Mart claimed Visa was trying to force it to route some chip transactions onto Visa’s network by having customers sign for EMV debit card purchases rather than enter a PIN.
Then home-improvement behemoth The Home Depot Inc. got into the act by suing Visa and MasterCard in federal court in Atlanta over much the same issue (“Routing Wars,” September). Home Depot’s lawsuit is notable for asking the court to enjoin Visa’s controversial Fixed Acquirer Network Fee (FANF), which Visa says gives merchants price breaks for sending transactions its way, but which some merchants claim is simply a toll for access to the Visa network.
Shortly afterward, The Kroger Co., the biggest standalone supermarket chain, filed a federal lawsuit in Cincinnati laying out in detail what Kroger says was Visa’s effort to get more EMV debit transactions onto Visa’s network rather than the PIN-debit networks Kroger wanted to use. Kroger said it finally gave in to Visa, then went to court.
Visa and MasterCard say they’ve done nothing to thwart merchants’ lawful routing choices, but they also want to assure that a customer’s option to sign for a transaction is respected. Now it looks like judges will be getting into the routing act, too.
4. EMV Certification Backlogs
EMV chip cards, by their very definition, are a lot smarter than the old-school magnetic-stripe-only credit and debit cards that once made up the overwhelming majority of cards held by U.S. consumers. Whereas mag-stripe cards needed only a simple reader that lacked two-way communication and electronic security measures, chip cards require a point-of-sale terminal that can electronically communicate with them and vice versa.
To do that securely, POS terminals must be certified as EMV-compliant. And that’s the rub.
EMV certification turned out to be an issue among retailers as many found after buying and installing the necessary hardware that the software to accept and process EMV transactions had yet to be certified for use. And each terminal had to be certified to each processor and network it would communicate with.
As processors and acquirers worked with testing labs, demand increased after the 2015 liability shift and banks began to issue EMV cards in earnest, sparking further merchant demand for EMV terminals and creating a logjam in the certification queues.
Earlier this year, Visa Inc. and MasterCard Inc., announced changes to speed up the EMV certification process. Under Visa’s program, the testing procedures enable acquirers and their merchants to certify more quickly by dispensing with routines that may occur only rarely in the U.S. market. To reflect this change, Visa has reduced its roster of recommended test scripts from about 35 to 14. Visa is also allowing acquirers more discretion in certifying merchants.
MasterCard said the changes to its testing protocols would cut the test time to a few hours from as much as a couple of weeks. It reduced by 58% the number of required tests to which acquirers must subject POS terminals to certify them as EMV-ready.
That may help, but a lingering challenge is EMV certification for mid-size merchants that use POS software. Legions of software developers are tasked with individually updating their applications to be EMV-compliant, but find it difficult and time-consuming.
Many have turned to semi-integrated POS products that offload the payment processing to the POS terminal, sending only necessary non-sensitive data to the application (“Why Semi-Integrated Solutions Are the Future of Payments,” this issue).
5. The CFBP Leads the Regulatory Charge
The specter of increasing government regulation has many executives in the payments industry on edge in late 2016. Not so retailers, who are lobbying fervently to preserve the debit card interchange price controls and transaction-routing regulations in the Durbin Amendment, which is part of the controversial Dodd-Frank Act that is under attack in the U.S. House of Representatives.
The biggest new regulatory development in payments is the Consumer Financial Protection Bureau’s highly anticipated final rule governing prepaid cards. The CFPB, which like the Durbin Amendment is a creation of Dodd-Frank, on Oct. 5 issued the forest-consuming 1,689-page rule four years after declaring it intended to regulate prepaid cards and two years after issuing a relatively slim 870-page draft rule.
The final rule, most of which takes effect next year, contains few surprises. It extends to prepaid cards the checking-account protections afforded by the Electronic Fund Transfer Act, and for those prepaid cards that offer overdrafts, various credit card protections from two other federal laws.
But the new rule also brings under its wing mobile wallets that hold stored funds. That leaves observers wondering how the rule might affect everything from PayPal Holdings Inc.’s popular Venmo person-to-person payment service to similar services consumers get from their banks. The full implications may not be known for months.
Elsewhere, federal regulators continue to pressure merchant acquirers and independent sales organizations to improve their underwriting so that fraud-minded businesses don’t get merchant accounts. And in some state capitols, regulators have become stricter about demanding money-transmitter licenses.
Regarding virtual currencies, New York now has in place its famous BitLicense regulatory framework, but North Carolina this past summer updated its money-transmitter act to address virtual currencies, and the plan garnered payments-industry praise. Meanwhile, a virtual-currency regulation bill in California died for lack of support.
Back in Washington, two anti-Dodd Frank and Durbin bills in the House stand almost no chance of being signed by President Obama should they even pass in his final months in office. But the bills are setting an agenda that could generate fervent debate about financial and payments regulation when a new president and Congress take over in January.
6. Mobile Wallets’ Tepid Reception
What is wrong with consumers? The mobile wallet—the technological innovation that launched a thousand news stories, actually, many thousands—so far has failed to capture the public’s imagination.
It could be that, as nifty as Apple Pay, Android Pay, and Samsung Pay are, most consumers correctly perceive that the wallets are not that much better or faster than paying with old-fashioned plastic. Recent research shows that the wallets have a core of frequent users who are satisfied customers, but getting adoption beyond that core has been difficult.
A June study of 1,528 consumers by Annapolis, Md.-based First Annapolis Consulting Inc. found that 74% of mobile-phone-using consumers reported they had made a mobile payment in the preceding 12 months versus only 40% who said they had done so in First Annapolis’s equivalent May 2015 survey.
But while mobile wallets are gaining users, only 25% of mobile-phone users with compatible devices had adopted a ‘Pay’ service such as Apple Pay (42% of iPhone 6 users), or Android Pay and Samsung Pay (14% and 18% of compatible devices, respectively). And only 23% of June’s respondents had used their smart phones to make an in-store purchase, though that was up from 16% a year earlier.
Nearly half the respondents said they wanted a mobile wallet from their bank, but only 7% had one. The early bank leaders in mobile wallets are JPMorgan Chase & Co. and Capital One Financial Corp.
A powerful driver of greater wallet adoption, say the experts, would be seamless loyalty-point accruals and redemptions. That’s something the providers say they are working on. They’re also addressing consumer fears about security. Apple, meanwhile, is hoping to broaden Apple Pay’s adoption by retrofitting it for online service on the Safari browser.
7. Credit Card Interchange in the Crosshairs
Since time immemorial—or so it may seem at times—merchants have contested the price they pay to accept credit cards. In addition to abundant vocal and written protests, merchants continue to pursue legal actions aimed at cutting their card-acceptance costs.
Now, it appears even big interchange cases that everyone had thought were settled can come back into contention. In July, a 4-year-old settlement between the bank card networks and banks on the one hand and merchants on the other was overturned, putting credit card interchange back in play. Besides voiding the settlement, a federal appeals court vacated the original merchant class certification and sent the matter back to the district court in Brooklyn, N.Y.
The deal had capped a bitterly contested legal fight that had started more than 10 years ago with a string of antitrust cases brought by merchants against Visa Inc., MasterCard Inc., and a handful of major banks alleging price-fixing in the setting of credit card interchange. Those cases were ultimately consolidated in federal district court in Brooklyn, and a merchant class certified.
In July 2012, lawyers for both sides announced the settlement, which included an original award to merchants of $7.5 billion in damages, at the time the biggest such award in the annals of antitrust. In December 2013, the district court judge approved the deal, though a number of dissatisfied merchants and retail trade groups vowed an appeal.
Almost immediately, merchants began opting out of the monetary award to preserve their rights to bring cases of their own. Some 8,000 merchants, including some of the largest chains in the country, dropped out, reducing the settlement total to $5.7 billion by 2014. “Scores” of merchants are now suing the defendants in their own, independent actions, according to Mallory Duncan, senior vice president and general counsel at the Washington, D.C.-based National Retail Federation trade group.
Now that the appeals court has thrown the whole deal and its tortured history into a cocked hat, the crucial matter of interchange looms large once again, albeit with a question mark that leaves merchants, banks, and networks with fresh uncertainty about a critical cost of card acceptance (networks set the interchange rates merchants pay, but card-issuing banks collect the interchange income).
8. Risk Management With Faster Payments
When payments speed up, there’s less time to check for fraud. Seems pretty elementary, but plenty of payments experts are concerned now that the faster-payments train has gotten under way. In September, credit transactions, which include payroll deposits and person-to-person payments, went to same-day clearing on the automated clearing house network, and several initiatives are under way elsewhere to introduce real-time settlement.
But just moving up the process by roughly a day, which is what the ACH has done, can be problematic. Almost all financial institutions in a spring survey said same-day ACH would present new fraud threats, while 54% said they didn’t have the right fraud tools to handle same-day ACH. The survey covered 60 banks and was conducted by fraud-control firm NICE Actimize.
Granted, the biggest concern is with debits, which won’t go same-day until next September. By then, it’s possible most banks will have worked out routines for dealing with fraud on those transactions, which include most bill payments. And same-day transactions are capped at $25,000.
But the potential for fraud with faster payments remains an unsettling unknown for now. And as transactions begin to verge on real-time, that unknown will loom even larger.
9. Can Anyone Make Any Money on P2P?
Person-to-person payments are one of the hottest commodities in consumer financial services. Venmo, a service offered by PayPal Holdings Inc., has gained such popularity with Millennials that they use the name as if it were a verb: “I’ll Venmo you the money for my share of dinner.” By July, Venmo transactions had ballooned 141% year-over-year to nearly 4 billion.
Little wonder banks and processors are scrambling to burnish their P2P payments offerings. In August, for example, Early Warning Services LLC, which runs the bank-owned clearXchange P2P network, announced it will change the service’s name to Zelle early next year in an effort at consumer branding.
But one thing few of these services have figured out is how to make money on this increasingly popular offering. Consumers like P2P, but not so much they’re willing to pay for it. PayPal isn’t even trying to get fees from individual users. Instead, it’s positioning Venmo as a payments service for merchants. That way, the company can earn merchant fees on each transaction. Another tack is to charge for real-time effect. Square Inc., for example, this summer began offering its Instant Deposit service to users of its Square Cash P2P service. For a 1% fee, Square will immediately deposit funds into a user’s bank account.
Time will tell how well these gambits will work. For now, it remains a frustration in the industry that a service that’s wildly popular—and growing more so—is so resistant to being monetized.
10. The Vexing Pokiness of EMV Payments
No sooner did merchants finally switch on their EMV terminals than consumers and cashiers alike began complaining about how slow the transactions are. After sticking their newly minted chip cards into the point-of-sale readers, consumers soon found themselves twiddling their thumbs while the device interrogated the chip and merchants began fretting about the upcoming holiday rush.
While it all seems so much slower than a simple swipe, the card networks insist total transaction time isn’t much extended with EMV. Nevertheless, merchant processor Cayan LLC in September figured each chip transaction takes 16 seconds—13 seconds longer than a swipe transaction—and estimated EMV adds about 116 million hours at the cash register annually.
That adds up to a pretty big headache at the cash register any time of the year, but especially so in the weeks leading up to Christmas. The major card networks have introduced software that shaves some seconds off of chip transactions by bypassing EMV routines used overseas but not needed in the States. That should help, but questions remain regarding just how many merchants have been able to install the software, and how soon more can do so.
SPECIAL FEATURERead Digital Transactions Online