By Jim Daly and John Stewart
The U.S. conversion to EMV is close to two years old now, and in its wake have come unquestioned benefits. But this cure for widespread counterfeit card fraud also has ushered in excruciating side effects.
It’s easy to forget that the Europay-Mastercard-Visa chip card standard is more than 20 years old and has been operating in markets overseas, including much of Europe, for a decade or more. That’s because only in October 2015 did the U.S. rollout of EMV begin in earnest with the major card networks’ widely publicized liability shift—the transfer of responsibility for counterfeit card fraud from issuers to merchants if the merchants weren’t prepared to accept EMV.
Losses from counterfeit cards had grown into a monstrous problem, accounting for fully 44% of all payment card fraud in 2015, according to the Federal Reserve’s Payments Study.
The shift has had its intended effect. By March, 2.02 million U.S. merchants were chip-ready, nearly doubling in one year, according to Visa Inc. At that point, chip-ready merchants represented almost half of Visa’s in-store payment volume. Meanwhile, for merchants that had upgraded to chip, counterfeit fraud dollars were down 58% by December compared to a year earlier.
But the EMV standard was developed in a different time for a different kind of payment market. It was a time that was largely analog rather than digital, and a market, in Europe, at least, that was mostly offline rather than online. In the U.S., the EMV rollout has been plagued by problems that stem from the unique complexity of the market: many more networks, many more financial institutions, many more processors, many more merchants, online rather than offline authorization, and federal law respecting how debit transactions can be routed.
It has all added up to a messy rollout. Below, we catalog the chief issues. Some, such as the painfully slow checkout times cardholders are encountering, are in the process of being solved but remain problematic. Still others, such as the vexed question of debit routing, have inspired lawsuits and are likely to plague the industry for some time to come.
Some well-publicized problems are not treated here because they are related to larger issues. An example is the certification queues ensnarling many merchants. A knotty issue, to be sure, but tied to the chargeback flood discussed below.
We stipulate, as noted earlier, that EMV technology is already having a salutary impact. Rather, our intent is to pull together, in brief, what is known about some surely unintended side effects that perhaps might yield sooner rather than later to some clever fixes (as is likely to be the case with those pokey transaction times, as noted below).
Marginalization Threatens the PIN-Debit Networks
First tested 20 years ago, EMV chip cards were developed for offline authorizations in the European market and not designed for the peculiarities of the U.S. debit industry. Unlike Europe, the U.S. facilitated online authorizations because of its ubiquitous telecommunications connections. But in addition to the Visa and MasterCard global networks, its market consists of more than a dozen surviving PIN-debit networks.
As soon as EMV became inevitable in 2011, the debit networks began worrying that EMV specifications would prevent point-of-sale transactions from reaching them. Complicating the matter was the Durbin Amendment in the Dodd-Frank Act of 2010. That law requires each debit card to offer an accepting merchant a choice of at least two unaffiliated networks for transaction routing, the intent being to promote network competition and reduce merchants’ card-acceptance costs.
The standard issuer response to Durbin was to put the Visa or Mastercard logo on the front of the card for signature-debit transactions, which generate higher interchange revenue for them than PIN-debit purchases. But they also programmed the card to access at least one PIN-debit network.
After much discussion and back-office work by programmers, the networks came up with their so-called common application identifier (AID), which removed technological barriers preventing EMV debit transactions from reaching all networks.
Still, merchant trade associations and some of the nation’s largest retailers accused the global networks of trying to subvert their PIN-routing preferences with confusing screen prompts that appeared on POS terminals when consumers inserted EMV debit cards. These prompts gave consumers a choice in the matter and resulted in more transactions being routed to the global networks. One prompt, for example, gave the cardholder the option of using “Visa Debit” or “US Debit,” the latter of which no one had ever heard of before.
Visa took most of the flak as the force behind these prompts, but Mastercard took some too. Wal-Mart Stores Inc., The Home Depot Inc., and The Kroger Co. sued one or both of the networks over the issue. The global networks steadfastly denied they were trying to undercut merchants’ routing rights.
Enough complaints rolled in that by last year the Federal Trade Commission started looking into Visa’s debit-routing practices. Plus, the Federal Reserve posted guidance on its Web site saying that a payment network would violate the Durbin Amendment if it required the merchant to let the cardholder make the routing choice and the application implementing that choice routes to only one network (“Routing Wars Draw in the Fed And the FTC,” December, 2016).
In response, Visa, which declined to comment on the controversy for this story, last November modified its transaction policies to assure merchants that they may use only the common AID to route a transaction to the debit network of their choice.
“For U.S. EMV-enabled debit cards, merchants have flexibility to use either the U.S. common debit AID or the Visa AID,” Visa’s new guidance said. “Merchants are never required to ask the cardholder to choose the AID for processing debit transactions … merchants are never required to use the Visa AID to process U.S. debit transactions.”
The Rising Tide of Chargebacks
It is now crystal clear that a good many U.S. merchants weren’t prepared for the chargebacks that suddenly began pouring into their back offices on Oct. 1, 2015—unless they were chip-ready, as few were.
The flood started at a trickle, but soon mounted into a roaring cataract as issuers transferred their liability to non-EMV merchants large and small. The toll in 2016 was 14.7 million chargebacks worth $5.8 billion, according to estimates from Boston-based researcher Aite Group LLC. That was up 17% in transactions and 21% in dollar value over 2015, the firm figures.
Some smaller merchants, seeing chargebacks in serious numbers for the first time, have gone to court to seek redress. One supermarket operator in Florida early last year filed a federal class-action suit against all the major card networks and eight of the 10 largest card issuers after sustaining 88 chargebacks between Oct. 1, 2015, and Feb. 15, 2016, compared to four in the same period a year earlier.
Last summer, Visa and Mastercard tried coming to the rescue with new policies. Visa started blocking all counterfeit-fraud chargebacks under $25 from going to acquirers and their merchants, and in October capped at 10 the number of such chargebacks of $25 or more on a single card account. Mastercard, meanwhile, adjusted its network intelligence to more accurately bar chargebacks that shouldn’t go to merchants.
Otherwise, relief will be long in coming, experts say. One problem plaguing merchants is that even if they buy the necessary EMV gear, they can’t switch on EMV functions until their installation has received all the necessary processor and network certifications. That leaves them exposed to chargebacks until those stamps of approval come through, and that has become a complicated matter with long certification queues that began forming shortly after the liability shift.
“We’re starting to see the [point-of-sale] chargebacks ease a bit as more merchants come online with EMV-capable terminals, but there are still a bunch of merchants who have yet to upgrade,” says Julie Conroy, research director at Aite.
Conroy doesn’t see the picture brightening much for non-ready merchants. While the EMV merchant count doubled in the 12 months leading up to March 2017, that total still represented just 44% of all U.S. storefronts.
“We still have a long way to go in terms of the migration,” Conroy says. “Until we see more merchants come online, especially the grocery chains, we’ll still see a large volume of chargebacks in the system.”
The POS Terminal Makers’ Date From Hell
For leading point-of-sale terminal makers VeriFone Systems Inc. and Ingenico Group SA, the U.S. EMV conversion had a dreamy quality in 2015 as big merchants placed big orders for chip card readers. But what looked like a rapturous EMV prom turned into a date from hell as large retailers completed their conversions and wallflower small merchants failed to fill the sales void.
The result: reduced revenue expectations and financial performance as 2016 wore on that looked lousy compared with year-earlier results.
France-based Ingenico, which has major operations in Canada and the United States, reported that its North American revenues declined 32% year-over-year in 2016’s fourth quarter to €66 million euros ($69.8 million at then-current exchange rates). For the year, North American revenues fell 13% to €276 million ($291.8 million).
It was a similar story at San Jose, Calif.-based VeriFone, where North American revenues plunged 30% in the quarter ending Jan. 31 to $165.9 million from $235.7 million a year earlier.
Both companies cited small merchants’ go-slow attitude about replacing old magnetic-stripe card readers. The networks’ temporary easing of chargeback rules, meant to help merchants cope with a tide of chargebacks in the wake of their October 2015 EMV liability shifts, gave small merchants yet another reason to further delay installation of chip card readers, according to Philippe Lazare, Ingenico’s chief executive.
The rules changes “dramatically affected the speed with which SMBs [small and mid-size businesses] are expected to adopt EMV technology,” Lazare told analysts last September. At an earnings call in February, Lazare essentially repeated that assertion.
Yet, according to at least one stock analyst who follows the payments industry, the terminal makers misread the market as EMV changed its longstanding dynamics.
“The upgrade to EMV wreaked havoc on the two large payment terminal providers VeriFone and Ingenico,” Gil Luria, director of research in equity capital markets at D.A. Davidson & Co. in Lake Oswego, Ore., says by email. “The initial ramp by large retailers ahead of the October 2015 deadline was mistaken by both companies to be a new, elevated level of activity, and as small retailers delayed their own upgrades to EMV, both terminal providers suffered a significant slowdown in their business.”
Lazare expects the slowdown not to turn around until 2018, but both he and VeriFone chief executive Paul Galant remain hopeful that small merchants eventually will get the EMV message. During a March conference call, Galant estimated that the EMV conversion still has 5 million devices to go, either through upgrades or replacements of old terminals and the addition of new merchants that currently don’t accept credit and debit cards.
VeriFone is hedging its bets, however, by continuing to boost its software-based products and services that generate recurring revenues and are less cyclical than hardware sales. The latest arrow in VeriFone’s software quiver is a portal for outside software developers to create applications that work on VeriFone products (for more on the trend toward open developer portals, see “Why the Secret Sauce Isn’t So Secret Any More,” May).
“We will soon be launching a VeriFone third-party developer portal in the U.S.,” Galant said on the call. “We have already assembled a strong pipeline of third-party developers looking to build commerce and payment applications for our clients on our platforms.”
Squeezing the Balloon
This is one issue that had an air of inevitability long before the onset of the EMV liability shift. As EMV closed off their opportunities at the point of sale, fraudsters would simply begin plying their craft online, experts figured. Squeeze the balloon at one end, the theory went, and it will simply expand at the other.
That prediction has proved accurate, though there’s a healthy debate among experts about how much of the increase in card-not-present fraud is due to the onset of EMV and how much can simply be attributed to the growth of e-commerce. It may prove difficult to separate the two factors. But the fact remains that U.S. e-commerce fraud will hit $4 billion this year, up more than 20% from the toll in 2016, according to Aite Group.
Interestingly, there wasn’t an immediate rise in online fraud following October 2015. The fraud total in 2015 was $3.2 billion, Aite says. “We didn’t see the uptick we anticipated last year due to the slow merchant adoption of EMV, but we’re definitely seeing losses rising this year,” says Aite’s Conroy.
But while online fraud has kicked into a higher gear, “it’s growing about on pace with CNP transaction volume as a whole,” she says. Some observers have been quick, indeed, to point out that fraud will simply increase as activity increases, whether online or elsewhere.
“Some of the reports of large rises in [card-not-present] fraud seem to be conflating consumer perception of fraud with actual fraud data,” said Randy Vanderhoof, executive director of the Princeton Junction, N.J.-based U.S. Payments Forum, in a statement released in April.
“While industry data and corresponding media reports are stating an overall rise in [card-not-present] fraud,” Vanderhoof argues, “what we are actually seeing is that the overall proportion of [card-not-present] fraud is actually staying relatively even—and perhaps even decreasing—as a percentage of online sales.”
Whether Vanderhoof is right or not, online merchants may not be so much looking for whom or what to blame as they are looking for relief.
Gas Stations Plead for More Time
The U.S. conversion from magnetic-stripe card payments to EMV chip cards certainly has had its share of unexpected developments. In retrospect, however, what seemed like a surprise last December when the bank card networks postponed their liability shifts for automated fuel dispensers (AFDs) for three years really is not.
More than other card-accepting merchants, the nation’s 150,000 gas stations have an expensive and potentially physically difficult job in retrofitting fuel pumps to accept chip cards. Card readers are integrated into pumps, meaning that the oldest ones might need to be replaced entirely, and many others will need specialized upgrade kits available from just a few suppliers.
The winners in the postponement are convenience stores and other gas-station owners who now have three more years to convert. The other winners, of course, are criminals if they succeed in committing more counterfeit fraud at fuel pumps as the base of other merchants that accept only mag-stripe cards rapidly shrinks.
The losers include point-of-sale terminal makers, which had counted on hefty sales of EMV equipment to gas stations coming sooner rather than later (“The POS Terminal Makers’ Date From Hell,” earlier in this story).
“We were disappointed and somewhat shocked at the three-year delay,” said Paul Galant, chief executive of VeriFone Systems Inc., the leading U.S.-based terminal maker, during an earnings call in December. Payment systems for gas stations are a big market for VeriFone.
Visa Inc. in 2011 recognized the difficulties gas stations faced when it announced the first U.S. EMV liability shifts. The biggest card network set its fuel-pump liability shift exactly two years later than its October 2015 POS liability shift. Mastercard followed with a similar schedule.
Early on, however, fuel retailers began complaining that they faced an expensive, years-long project with uncertain returns. A consultant in retail technology interviewed by Digital Transactions estimated that the total cost to upgrade fuel pumps for chip cards could fall anywhere between $4 billion and $6 billion (“How Ready Are They?” October, 2016).
An executive with a convenience-store/gas-station trade association said in the same story that he expected less than 20% of the nation’s 120,000 convenience stores with fuel pumps to be EMV-ready by October 2017.
Clearly, Visa and Mastercard would be in for a fight if they tried to enforce the liability shifts, which would assign to the pump operator financial liability for counterfeit fraud resulting from a transaction in which the pump couldn’t read an EMV card’s chip. The networks accepted reality last Dec. 1.
“We knew that the AFD segment would need more time to upgrade to chip because of the complicated infrastructure and specialized technology required for fuel pumps,” Visa said in a statement. “For instance, in some cases, older pumps may need to be replaced before adding chip readers, requiring specialized vendors and breaking into concrete. Furthermore, five years after announcing our liability shift, there are still issues with a sufficient supply of regulatory-compliant EMV hardware and software to enable most upgrades by 2017.”
While some observers said the delays would enable criminals to commit counterfeit fraud for an extra three years, Visa noted that fuel-pump fraud is “relatively low,” at just 1.3% of U.S. payment fraud. The network also took the occasion to promote its Visa Transaction Advisor fraud-prevention service, which it said has been effective in cutting fraud at the pump.
A Leisurely Pace at the POS
It wasn’t long after the liability shift that reports began surfacing of slow-as-molasses transaction times with EMV cards. Cardholders and cashiers accustomed to speedy mag-stripe swipes were sadly disappointed to find their high-tech chip cards had to be inserted in a terminal and then left there for what seemed an eternity.
Merchant processor Cayan figured last year that a typical EMV transaction took 16 seconds, compared to just three for a swipe. It calculated that, at that rate, EMV would cost cashiers and customers 116 million hours at the point of sale, compared to just under 22 million for old-fashioned mag-stripe transactions.
Again, sensing a PR fiasco, Visa and Mastercard intervened. Both networks last summer introduced technology updates that shaved EMV times down to about three seconds. Much of the time savings came from dispensing with computing routines that were necessary for offline authorizations, which were prevalent in Europe when EMV was introduced there. This spring, a startup called Index, which had designed the update, improved on it with what it says is a one-second transaction time.
But it will take time for these improvements to be adopted industrywide. Processors are still announcing the availability of Visa’s Quick Chip and Mastercard’s M/Chip Fast, and in the meantime the wasted hours relentlessly mount. At least it gives customers a chance to chat with cashiers about the weather.