Tuesday, April 13, 2021

COMMENTARY: PCI And EMVCo Have No Business Setting Standards

Standards are the prerogative of the International Organization for Standardization (ISO) for most industries around the world. According to ISO, “ISO standards are internationally agreed by experts” and “should be thought of as a formula that describes the best way of doing something.” 

Unfortunately, the roles of ISO and its U.S. agent, the American National Standards Institute (ANSI), have largely been supplanted by the PCI Security Standards Council (the organization behind the Payment Card Industry data-security standard) and EMVCo when it comes to setting payments standards in the U.S. The result is that most important stakeholder groups are essentially locked out of the democratic process espoused by ISO for ensuring stakeholder consensus on standards throughout the world. 

Instead, U.S. payments standards are set by six global networks: American Express, Discover, JCB, Mastercard, UnionPay, and Visa (all six collectively own EMVCo, while UnionPay is not a founding member of PCI). Consumer advocates, merchants, regulators, and other stakeholder groups are not allowed to vote in a closed process that ensures only one stakeholder group, the global networks, always gets its way.

Horwedel: “Merchants, consumer groups, and others left out of the voting process at PCI and EMVCo need to participate.”

As a result, U.S. consumers and merchants are burdened with de facto payments standards that reflect many of the worst ways of doing things. PCI’s de facto standards embrace rather than condemn single-factor authentication of payments, while Europe and other markets insist on safer, two-factor payments. Mimi Hart, chairman of MagTek, a leading provider of secure POS technology, states: “The brands could change the way the cards are issued and remove 99% of fraud, but the rules are not designed to eliminate fraud.” 

EMVCo’s standards set the stage for its six global network owners to dominate digital payments by concentrating the market power of the big six and by excluding competitors from access to proprietary technologies like secure remote commerce (SRC), tokenization, and 3DSecure (3DS). They discourage competition and prevent innovation. And they increase the costs of payment card acceptance for merchants, resulting in higher prices for consumers.

According to Albert Einstein, “You cannot solve the problem with the same consciousness that created it. You must stand on a higher ground.” In the case of PCI and EMVCo, the networks that created the problem have no interest in solving it. They clearly recognize the problem, which has led to the United States becoming the most fraud-prone card-payments market in the world. However, their solution is to impose a barrage of rules, requirements, fines, and sanctions on merchants. This essentially shifts the blame and responsibility for their creation to merchants and merchants’ customers.

So long as de facto payments standards in the United States are set by the big six global networks, consumers will pay more for goods and services than in most other industrialized nations, and fraud will continue to run rampant. Cardholders will continue to have their lives disrupted by too-frequent instances of having to replace compromised payment credentials and too many unauthorized charges to their accounts. 

Rather than simply bow to PCI, EMVCo, and the six global networks, ISO and ANSI need to insist that the United States adopt payments standards that reflect the best ways of doing things. And regulators need to examine how PCI’s and EMVCo’s efforts have consolidated market power and led to the gradual demise of competition and innovation. 

We stand on the precipice of an international economy that demands frictionless payments without borders. U.S. policymakers and regulators need to require adherence to international payments standards in the interests of American citizens, even when their insistence runs counter to the desires of the big networks and the big banks. Merchants, consumer groups, and others left out of the voting process at PCI and EMVCo need to participate, ensuring governance representing all significant stakeholders and precluding the big networks from exercising absolute control.


Digital Transactions