DT, February 2017
February 1, 2017
By Steve Mott
The payments business has had more than a year of chip card struggles. Now, a long-time observer of the payments industry argues there is a better solution for the threat of rising fraud.
As 2016 wound to a close, nothing short of a massive business hangover loomed over the U.S. payments system. The reason? EMV—which has been a source of hope for some, but agony for others—is producing far more problems than it’s solving.
So let’s review what happened with the U.S. migration to EMV. Specifically, we’ll look at why its adoption created so much acrimony in the industry and what might be done to pick up the pieces. Spoiler alert: It’s not a feel-good forecast for the rest of 2017.
The analysis begins with what we’ve learned since October 2015, when the card brands imposed their ill-advised liability shift. Despite widespread appeals to delay the shift because the industry would not be ready (and clearly wasn’t), Visa Inc. and Mastercard Inc. went ahead anyway.
The biggest reason for this, which the network brands asserted at several industry conferences, was to “preserve the issuers’ business case” for making the change. Prior to the shift, the brands told numerous issuers that EMV would be a “revenue opportunity” for them, in that it would open the way for them for the first time to flow certain chargebacks to point-of-sale merchants.
Immediately after the shift, a deluge of chargebacks did hit merchants, including those that had invested in EMV and were ready (certified and live). Of the chargebacks, which ran to hundreds of millions (if not billions) of dollars, more than 40% were under $25 with some brands.
Historically, issuers didn’t charge back such transactions, for a couple of reasons. Fraudsters didn’t waste their stolen credentials on coffee and donuts, and the fees and costs for doing chargebacks in the payment card system were more than what might be recovered with a successful contest.
Still, some issuers, with a glint in their eyes, swore hackers were stealing $8 to $10 fast-food orders from them all along, and now merchants had to pay!
Abuse by some issuers of the change in chargeback rules was so pronounced (and irrational) that some of the network brands were forced to prohibit chargebacks under $25. And some brands also told issuers that, after 10 chargebacks on a single compromised account, they could no longer push more transactions back on merchants, and had to close the account or eat any subsequent chargebacks.
With lawsuits pending, an accounting for the apparently vast amount of bogus chargebacks is still likely to come. What’s more worrisome is that the brands—particularly Mastercard—are claiming up to 50% or more reduction in counterfeit fraud, when industry experience from many merchants belies any such benefit from the $10 billion to $15 billion invested in the two-decade-old EMV protocol.
The problem in the coming year is that accurate EMV data capture and flows, while improving, are still a mess. To wit, as one top-five issuer reported after plumbing a new chargeback system to EMV specs from Visa, it had to shut it down the second day of the liability shift because the number of inaccurate chargebacks was exploding.
Pining for PIN
A more tangible benefit of EMV deployment around the world has historically been the use of PINs to reduce lost-and-stolen card fraud. Not here. Although many countries used chip-plus-PIN to reduce this source of fraud, Visa’s wide-eyed antipathy to PIN (its only source of competition from national networks) and Mastercard’s insouciance (official term: neutrality) on the matter meant little support for PIN was available—even to issuers that believe it is safer and cleaner for transacting.
Mastercard did offer a liability shift on lost-and-stolen fraud for those issuers and merchants that implemented PIN for EMV. But the host of problems that have developed with implementing the U.S. Common AID made it difficult if not impossible to get the same proportion of PIN debit with chip that exists with mag-stripe. Indeed, some merchants are seeing 20% to 30% of what would have been PIN transactions process instead as fraud-prone signature-based debit.
(For those who came in late: The Common AID, or application identifier, was the late-emerging industry compromise on EMV debit to enable lawful deployment of the mandate in the Dodd-Frank Act’s Durbin Amendment for merchant choice of networks for routing.)
Moreover, when The Kroger Co. decided not to honor any EMV transactions (including credit card purchases) without a PIN, Visa fined it $7 million before the country’s largest grocer took the brand to court. Wal-Mart Stores Inc. and Home Depot Inc. filed their own suits, claiming abuses by Visa of their right to encourage PIN transactions.
Late in the year, the Federal Trade Commission intervened in still other complaints about Visa co-opting and restraining PIN-debit use, forcing the brand to “clarify” the legality of its rules. The confusing display of the “Visa Debit” and “US Common Debit” prompts on many POS terminal checkout screens also must be made intelligible to consumers (and merchants) who prefer the more secure and efficient choice of PIN debit.
This situation is not likely to improve any time soon. Though some 800 million EMV cards were distributed to issuers last year, the companies that produce the cards report that up to half were still in bank vaults as of late last year. That inventory of last year’s cards—the vast majority of which do not support PIN—is taking a long time to burn off, given the largely frustrating and disappointing introduction of EMV so far.
Moreover, at year-end Visa reported that only 22% of debit transactions and 46% of credit were chip-on-chip—far below original forecasts. And that was mostly the top 200 merchants that had committed early and got to the head of the lengthy certification queue.
Over the Top
Merchants and their card-acceptance systems live at the tail end of the industry processing flows, so every upstream provider—issuers, issuing processors, networks, acquirers, third-party processors, terminal manufacturers, and so on—has to have its data act together before merchants can produce a reliable and accurate set of transaction inputs.
Yet the incomplete and apparently erroneous specifications for the U.S. card market—by far the world’s largest and most complex—were clearly perceived to be a problem early on. In mid-2014, the brands’ hand-picked collection of payment-industry participants, the Payment Security Taskforce (PST), identified the complicated, voluminous, and obscure EMV certification processes as a showstopper for October 2015.
Uncharacteristically, Visa and Mastercard reportedly agreed on streamlining the specs and cross-certifying to expedite the already-bulging queues to get live with EMV, but claimed the processors weren’t ready to change their systems. Two years later, with merchants screaming about chargeback abuses when they were hopelessly mired in certification queues and validation delays, the brands produced those improvements.
What also became apparent to everyone—even the issuers—was that the next bomb to explode was fuel and convenience stores. Though their liability shift was originally put off to October 2017, the woeful state of EMV-processing readiness at retail at year-end, coupled with a screaming paucity of technical support for pump deployment, made this sector’s compliance with EMV in the coming year a pipe dream.
Faced with both rational appeals from the sector (as well as the thinly veiled specter of still more lawsuits), Visa and Mastercard relented, delaying the fuel-pump liability shift three years to 2020.
Hard-bitten payments industry skeptics noted that, with the torrent of near-universal criticism of EMV deployment, the consensus was that the debacle had put merchants over the top in terms of resistance to the brands. Retailers of all shades and stripes are ready to work together to expand legal challenges to the brands and big issuers. So the outlook for 2017 is still grim, even as the industry’s EMV hangover appears to be waning.
With EMV, there is a multitude of exigencies and “gotchas” that often require perplexing and complicated fixes or accommodations. All this extra work takes time, effort, and precious programming resources, at least for merchants and maybe a growing number of issuers.
The U.K. Experience
And that raises the question of how to proceed from here. EMV deployment will likely continue—albeit with a long tail of adoption. But the real question is whether the benefits will be worth the continuing investment and effort that could be better applied to more effective solutions such as tokenization and encryption.
Let’s start with a look overseas. While the objectives of EMV are well-intended, and in some instances quite worthy, the post-adoption experience of the most comparable card market to the U.S. is concerning.
The United Kingdom is about as signature-credit-based and debit-card-centric as the U.S., and enjoys, as does the U.S., a mature but fraud-prone e-commerce marketplace. It also has the huge advantage of a real representative payments ecosystem—the U.K. Payments Council—to mandate universal collection and assessment of fraud data. And it has enlightened, unified national policies of fraud mitigation measures. Its experience is instructive—and yet worrisome.
With card fraud growing steadily, the U.K. in 2004 committed to a forced march to chip-plus-PIN. Bingo, counterfeit and lost/stolen card fraud began to drop.
But the fraudsters simply shifted their activities to a more tolerant venue—online transacting. Total fraud dropped for a couple of years, but began to grow again overall in 2008.
That’s when the U.K. doubled down on aggressive implementation of the brands’ 3-Domain Secure (3DS) protocol, and it worked for a while. By 2011 (the year Visa announced its EMV migration plan for the U.S.), total card fraud in the U.K. looked like it was under control, and brand fraud-mitigation programs had been responsible for meaningful reductions in fraud losses.
In fact, between 2006 and 2015, non-remote sources of fraud as a proportion of total fraud had all been pared—especially counterfeit fraud (owing to the difficulties of counterfeiting a chip or fooling a working chip-based system into thinking a dual-mode mag-stripe counterfeited card was not a chip card).
But by 2013, all types of fraud had begun to grow again. Indeed, total card fraud in 2013 surpassed that of 2003. By 2015, total fraud was growing smartly again, and nearing the record level of 2008.
The brands argue that absolute transactional volumes are up, and so is fraud. In fact, by some relative measures, fraud rates per monetary-value increment are at least under control, if not declining in some instances. However, the absolute level of losses worries everyone (even the brands).
A Better Way
The inescapable conclusion from this experience is that, as long as the brands support transactions (including EMV) with all (or in EMV’s case, nearly all) account credentials in the clear, brand programs to reduce fraud are simply dogs chasing their tails. Even the brands have conceded ground, turning to the goal of getting rid of the mag-stripe at some point with tokenization.
Tokenization offers some short-term promise. That’s why Visa and Mastercard recently agreed to interoperate their tokens to keep control of and augment their card-transaction operations. They also started emphasizing somewhat more secure, and tokenized, contactless options versus contact cards.
But it looks to be a while before EMV card transactions get tokenized offline or online, and longer still before the brands or their big issuers give up completely on mag-stripe transactions. And some security experts advise that tokenization is just an interim solution, when the long-term solution is solid encryption of card credentials and transaction data end-to-end.
Such a solution—given how difficult the U.S. EMV deployment has been—would seem unrealistically daunting by comparison. Even other-worldly, some might assert.
It’s that kind of thinking that keeps the industry in its current funk. The players (other than the brands and big issuers) keep scurrying to keep up with brand programs that merely tweak the existing environment. Each program creates even more complexity and unrequited returns on the investment in deployments. And the fraud hole, as the U.K. experience seems to portend, just keeps getting deeper.
The actual solution, to be clear, is open standards-based encryption for all participants. To address the harrowing threats of cyberattacks going forward, even the payment networks and issuers will have to bite the bullet to encrypt end-to-end. That’s a big change, for the issuers in particular. They managed to put off EMV for a decade until bogus-chargeback profits gave some of them a business case to justify this change. How can they justify encryption?
End-to-end encryption is indeed a paradigm shift. But it’s a new foundation that can be crafted without abject surrender to the growing complications of an antiquated processing infrastructure that weighs like an anchor on the efficiency and safety of the U.S. payments system as it exists today.
In that sense, every dollar invested in tweaking today’s infrastructure to accommodate EMV is beginning to look like a road to nowhere.