Getting Heard by EMVCo

Six big networks control EMVCo, which in turn controls the global EMV standards. But merchants have ways to wield some influence.

Within the fraternity of commerce, merchants have at times taken issue with directives set out by payments organizations. The most common differences usually center on pricing, but disputes about payment methods and security also emerge.

Take the case of merchants and EMVCo LLC, the standards body charged with setting global specifications for EMV online and offline. They have the common goal of wanting secure, quick, and consumer-friendly digital transactions. But their separate visions for reaching that goal sometimes lead to disputes.

EMVCo’s domain includes contact, contactless, and quick-response code payments, payment tokenization, mobile EMV payments, and the e-commerce specs 3-D Secure and Secure Remote Commerce. While EMVCo runs the specs, merchants are finding their voices are being listened to.

In addition to its primary membership for payments organizations directly involved in the industry, EMVCo formed an associates program in 2010 as a way for those with business and technical interests in the organization’s payments realm to have some input.

Now, some of the biggest merchants are taking advantage of the program. The 140-member Merchant Advisory Group, an advocacy organization for merchants that counts the likes of Walmart Inc., Southwest Airlines Co., Target Corp., and The Wendy’s Co. among its members, joined EMVCo in 2018 as a business associate.

“We just joined last fall,” says Laura Townsend, the MAG’s senior vice president of operations, in response to the impending arrival of Secure Remote Commerce, an online payment spec under EMVCo’s domain.

“In light of SRC, we decided to join because we feel strongly there needs to be a strong merchant perspective in how they go about digital remote commerce,” Townsend says.

This input is critical, she says, because the ultimate decision makers are the owners of EMVCo: Visa Inc., Mastercard Inc., Discover, American Express Co., JCB Co. Ltd., and UnionPay International. “It’s really difficult for merchants, but what EMVCo did was they created a way for membership organizations like ours to join whereby our members can participate in the discussion, get access to documentation, and provide feedback,” Townsend says. “Economically, that works out very well.”

‘A Challenging Balance’

Prior to the 2010 launch of the business and technical associate programs, EVMCo operated a board of advisors and continues to do so, says Brian Byrne, EMVCo’s director of operations.

EMVCo itself formed in 1999 following the 1996 publication of the first EMV chip card specification. Though EMVCo is legally incorporated in Delaware, it does not have a central office. Its employees work from home or from their employers’ office.

“We were originally formed to focus on contact chip transactions, but as payments evolved and as commerce evolves, basically as card-based payments evolved, EMVCo evolved with it,” Byrne says. “Now we have a suite of specifications. As the need to support secure payments migrated from face-to-face to the virtual worlds, so did EMVCo’s work as well.”

These technical and business-associate members provide vital feedback, Byrne says. “We get a lot of strong and active input from our associate members,” Byrne says. That is in addition to feedback from its subscriber base, those individuals and companies wanting to stay informed about EMVCo actions.

At $750 per individual and $2,500 per company, subscriber status is less expensive than the annual $12,500 fee for a business-associate membership and $25,000 for the technical-associate program.

Subscribers get early access to EMV specification revisions and can directly ask EMVCo for feedback or guidance on technical issues. Technical associates can participate with working groups, attend twice-annual technical-associate meetings, and can vote on EMVCo board of advisors candidates.

Business associates can have a seat on the board of advisors, participate in the annual EMVCo meeting, and receive a discounted technical-associate membership rate. Retailer Amazon.com Inc. is both a business and technical associate, while Target Corp. is a business associate only.

MAG chief executive John Drechny, who attended his first EMVCo board of advisors meeting in March, says the meeting is beneficial because it “gives merchants an opportunity to voice our opinions regarding draft specifications, but EMVCo or their owners are not bound to implement any of the suggested changes.”

On that note, EMVCo’s Byrne says constituent input is vital. “We solicit a lot of direct input from the board of advisors meetings,” he says. “We ask about what’s going on in their markets. What technology has progressed to where a specification is needed. Every market uses its own implementation of our specifications. It’s a challenging balance to maintain.”

‘Cumbersome, Confusing’

As one of companies that owns EMVCo, American Express says it listens to merchants and others in the payments industry for guidance about how it implements EMVCo specifications.

“We are always actively engaged in discussions with industry stakeholders, including merchants, issuers, and organizations involved in the payments ecosystem, about solutions to provide consistency and security while preserving payment choice and flexibility,” an AmEx spokesperson says.

For example, the AmEx spokesperson says, in recent years merchants have said they want to see standardization within the online and mobile-commerce space, “especially to help minimize the risk of bespoke solutions and redundant integration efforts. American Express values the important perspective of the merchant community.”

Recently, the merchant community has been vocal about Secure Remote Commerce, one of the newest EMVCo standards (“The SRC Express,” January). This spec, also known as SRC, establishes the technical framework for enabling consumers to use their payment cards across channels more easily than current protocols allow.

For example, a consumer could choose to set a tokenized version of her payment card with an eligible merchant, though that merchant may not use the current card-on-file system.

“While digital commerce has become a preferred way to shop for many consumers, we continue to hear from our consumers and merchants that the online-checkout process remains cumbersome, and, at times, confusing due to the myriad checkout solutions available,” AmEx says. “That’s why American Express is working with other industry stakeholders to advance the EMV Secure Remote Commerce specifications, which for the first time establishes a way for card payments to be made in a consistent way across Web sites, mobile apps, and other digital platforms.”

EMVCo is “well positioned to develop SRC specifications given its expertise in payments, and the ability for stakeholders across the industry to participate in the development process,” the card brand adds.

While EMVCo’s work on the SRC spec continues—the organization released a draft spec in March with hopes of publishing the 1.0 version this year—merchants, such as those represented by the Merchant Advisory Group, are weighing in. The MAG, for example, submitted 10 comments on the SRC 0.9 draft.

The association has been public about its view on SRC, too. A year ago, Townsend described SRC as “another example of a payment product designed in a silo with limited information flow and arbitrary, tight timelines,” in a commentary posted on DigitalTransactions.net. She hoped then that EMVCo would engage other payments stakeholders in the development of the spec, which it appears to have done.

“To date, generally, EVMCo has been very good about listening,” Townsend says now. “They opened the SRC specification to the public. The proof will be in the pudding and what they do with our feedback.” EMVCo’s outreach includes acquirers, too. It hosted a free education session on SRC at Transact ‘19, the Electronic Transactions Association’s annual event.

‘The Nasty Details’

While EMVCo is charged with developing an interoperable standard that can be used around the world, the actual implementation is up to the users of the spec. “One thing that gets overlooked in EMVCo’s work is there are over 60 payment networks worldwide, including RuPay in India and Interac in Canada, and they all use EMVCo specifications royalty free,” Byrne says.

But that, too, can be an issue for merchants, Townsend says. “The implementation is different every single time,” she says. “Primarily the differentiation is because of the different networks and how they implement their business rules and how they implement the standards that come out of EMV.”

When the U.S. payment card networks migrated to EMV in 2015, each card brand had its own rules, requiring separate certifications for any payment equipment that accepted chip card transactions. Borne mostly by acquirers and processors, which are generally responsible for ensuring payment equipment is EMV-compliant, these certifications caused a backlog that since has dissipated.

This need to differentiate speaks to the card brands’ need to compete, Townsend says merchants are told. “The networks and the business rules they implement are how they compete, whether it’s incentives to issuers or rules around liability,” she says.

In EMVCo’s situation, it is not tasked with the implementation of the standards it shepherds, Byrne says. “EMVCo’s promise is to deliver the specifications for globally interoperable secure products that are delivered by the payment systems,” he says. The separation of development and implementation is there, Byrne says, because “we don’t want to be in the position of having any vested interest in one particular region.”

EMVCo wants to eliminate the risk of affecting the global interoperability of its specs, he adds. “That’s why we’re structured the way we are,” he says. “We believe it’s the right model to support the core mission of EMVCo, to make sure we have globally interoperable specifications.”

The trouble is, merchants, like those represented by MAG’s Townsend, may not enjoy the same global uniformity. “The reality is we go where the consumer wants to go,” she says. “They’re going to dictate what types of payments [and] what technology to implement. At the end of the day, we all want security, ease of payments, and making it simple to pay, but all the behind-the-scenes is where the nasty details come out.”