05 Feb 12

Why The Push For EMV Adoption In The United States?

Have you noticed all of the press lately regarding the Europay, MasterCard and Visa (EMV) card coming out of Visa?  It has been very hard to miss.  As a result, I started wondering about the purpose of this full court press for EMV.

Before getting into my post, I need to be clear that EMV only refers to the chip in the EMV card.  In the past I have gotten a lot of feedback from Visa when I referred to EMV as “chip and PIN” even though the world almost universally refers to EMV as “chip and PIN.”

With that disclaimer, since last August, Visa USA has been making a concerted effort to get merchants to adopt EMV.  Just a week or so ago, there was another push by Visa USA to entice merchants to support EMV.  So what is the driver behind this push?  That is the $64,000 question and the more you talk to processors and merchants, the more confusing it gets.

Merchants are just as puzzled as I am regarding Visa USA’s EMV push.  In the case of a number of large merchants I have spoken with, they do not get it as they refreshed their card terminals and POS equipment over the last three years and there is no way they are going to swap all of that new gear for EMV-capable equipment.  These merchants are not even looking at contactless terminals.  Such an equipment swap this soon would not be cost effective.

But merchants question what EMV would do for them.  EMV was developed in response to the fall of the Iron Curtain when fraud ran rampant in Europe.  Credit cards were being cloned at an obscene rate and card present fraud was huge.  When EMV was fully implemented, card present fraud in Europe went to levels close to or a little lower than in the United States and EMV card present fraud has remained around those rates since.  Given where card present fraud rates are currently in the United States, introducing EMV would have a limited effect on card present fraud and that would not be enough to offset the costs of implementing EMV or contactless terminals.

So if it is not card present fraud, it must be card not present fraud that Visa USA wants to address, right?  Card not present fraud, particularly on eCommerce Web sites, is running almost out of control.  I would like to say that this increasing fraud rate is the reason for Visa USA’s push.  However, EMV does nothing to address the rapidly rising rates of card not present fraud.  The reason is that in order for EMV to address card not present fraud, there would have to be some sort of interface written that would produce codes, single use transaction numbers or similar that could be used by the consumer online.  But no such solution exists, so card not present fraud cannot be the driver either.

Back in August Visa USA announced that merchants using EMV or contactless could avoid filing a PCI Report On Compliance (ROC) with Visa USA, so that must be the reason for the push.  At this year’s PCI Community Meeting in Phoenix, Arizona, PCI SSC General Manager Bob Russo made it very clear that regardless of what Visa USA was saying about filing a ROC, all merchants were still required to prove that they are in compliance with the PCI DSS.  Other card brands also reinforced this statement by reaffirming that they still required the merchant’s ROC and/or AOC as proof of compliance.  As a result, merchants save themselves very little by not having to file a ROC/AOC with only Visa USA.

What about EMV being more secure?  While that is typically true for small and mid-sized merchants, large merchants that switch their own credit card transactions would still likely have card data in their switch systems if not elsewhere in their computer systems.  So claims by some, including at times Visa USA, that PCI compliance is easier with EMV are not totally true.  Large merchants in Europe will back this up.

So after 15 years of EMV, what is Visa USA trying to prove with this push of EMV?  Apparently only Visa USA can tell us because, for the rest of us, there are no business cases we can construct to justify the switch to EMV.  Obviously, Visa USA knows something that the rest of us do not.  Or do they?  I have consistently said that without any card not present fraud solution, EMV is just a solution looking for a problem.

But wait, maybe there is something here that we have been missing.  Is it possible that Google Wallet and similar current and future applications make Visa USA feel threatened?  There may be some factual basis in that statement.

At the PCI Community Meeting last fall, I spoke with a number of processors that seemed to have an idea of why Visa USA was finally pushing EMV.  These processors indicated that the EMV push was being driven by Visa USA to get EMV into the United States market before Google Wallet and similar applications could take the advantages of EMV away.  After all, the United States is the largest credit card transaction market in the world and if EMV was not in the United States, there is no driver to get worldwide adoption pushed.

When I quizzed these processors about the supposed “advantages” of EMV, they said that was the real problem.  With the advent of smartphones and applications such as Google Wallet, EMV has no advantages.  As a result, merchants and banks have no incentive to implement EMV with these new technologies just on the horizon.

When I went back and talked to a couple of key merchants, they all said that they are waiting out the technology race to see what wins from a smartphone perspective.  If Google Wallet and the contactless approach win, then that is where they will head.  However, a lot of merchants are betting on one-time use transaction codes displayed as bar codes to win out as they do not typically require any technology changes at their POS.  American Express went down the one-time use transaction code route (a 15 digit number that appears like a credit card number) around five years ago, but only had limited success with it for online transactions.  However, maybe the time has come for another try.

In the end, it is the consensus of merchants and processors that Visa USA has missed the window for EMV in the United States.  Most organizations believe that if Visa USA wanted EMV in the United States, they should have pushed it long ago.

UPDATE:  American Banker and PaymentsSource are holding a Webinar entitled “The End Of The MagStripe?” on Tuesday, March 6, 2012, at 3PM EST.  Unfortunately, it is not free, it costs $99.  This Webinar purports to answer some of the questions I have posed here as well as some other interesting insights into Visa and MasterCard’s thoughts on EMV.


10 Responses to “Why The Push For EMV Adoption In The United States?”


  1. 1 Giorgio Pirota - Networks & Transactional Systems S.p.A. (N&TS) - Strada 4 Palazzo A5 Assago - MI - Italy
    January 30, 2013 at 6:41 AM

    Yes. You are right that EMV doesn’t solve the risks of fraud in e-commerce contexts. It is for this reason that in EUROPE we use “Verified by VISA” or “MASTERCARD Secure code” for e-comm transactions.
    EMV without PIN makes sense because the major cause of fraud is card cloning. Too bad that my card still has a magnetic strip that somebody can clone with a $20 device. But a fraud event due to card cloning is particularly harmful for the merchant because there is no “LIABILITY SHIFT” for transactions with magnetic strip. To clone an EMV card is a little bit more complicated…

    • January 30, 2013 at 7:07 AM

      It is the fact that the card brands, Visa in particular, hold EMV out as the answer to all of our security problems that drives those of us in the security field nuts. No solution is ever absolutely, 100% secure. New solutions just shift risks around or cure some risks and create new risks. But the key point missed or dismissed by most is that there are still risks, even with EMV.

      A major reason your EMV card has a magnetic stripe in Europe is so that it will work in the ATMs. Very few ATMs in Europe are EMV enabled (although that is slowly changing) and, given that the rest of the world is not on EMV, ATMs need to support mag stripe anyway so it’s simpler and cheaper to just stay with the mag stripe reader only.

      • 3 Giorgio Pirota - Networks & Transactional Systems S.p.A. (N&TS) - Strada 4 Palazzo A5 Assago - MI - Italy
        January 30, 2013 at 8:11 AM

        I fully agree that EMV is not the total solution. If you want to improve road safety, you need to improve the quality of roads and road signs, but also the vehicles. It is no longer possible to cross a highway with a Ford T...
        P2P encryption (from PIN-PAD to Acquirer) is another cornerstone. The third is an organization that sets the standards which everyone should follow. In Italy, as we use the same channel for both international circuits and domestic payments, we have a national standard that covers the entire chain F2F using both EMV and P2P 3DES encryption. I know it is not the same in other countries.

        Cash withdrawals were always covered by a PIN, which confirms what you say: there is a solution for everything and not the solution for everything. So, EMV is only the first step. Something or somebody should be involved for the others. PCI?

      • January 30, 2013 at 1:59 PM

        Yes, EMV has made a difference in face-to-face, but that was where the problems were back when the Iron Curtain fell. Cloned cards were the problem and drove EMV to be developed.

        But the risk moved. Once EMV got implemented, fraud due to cloned cards fell to below the level seen in the US. The risk now sits with eCommerce fraud and people using cloned card information. Once that risk gets addressed, there will be a new one that gets uncovered. I talked about this in my post at http://pciguru.wordpress.com/2010/09/12/what-happens-once-merchants-get-rid-of-cardholder-data/.

        At the end of the day, like it or not, what drives all of this is the cost in losses/uncollectibles versus the cost to fix. If EMV teaches anything it is that only when the cost to fix is less than the losses incurred (usually by some multiple) will merchants and the banks do something. Sad, but that is how business works.

      • 5 borut
        February 11, 2013 at 1:58 PM

        In fact, 95% of European ATMs are now EMV-compliant (Capgemini et al, WPR 2011, 26)

      • February 11, 2013 at 2:16 PM

        Nice to know. I wonder if the banks would agree with that fact? I know there have been a number of projects ongoing to get them EMV compliant, but I had heard most were suspending when the economy collapsed.

  2. 7 Harald Nekvasil
    August 13, 2012 at 5:00 AM

    Visa is pushing EMV and NFC. Mobile payments using Smartphone and NFC is basically like contactless EMV. So if your theory is correct then why would Visa want to do this if it would indirectly benefit Google Wallet (which is using NFC)? For NFC to become widely adopted the infrastructure (i.e. merchants and their terminals) has to be in place. Bottom line is that all card schemes benefit if merchants use modern terminals capable of accepting many different types of payments.

  3. February 6, 2012 at 11:20 AM

    I recently read an article giving Visa accolades for their EMV push and a follow-up article giving MasterCard a golden review with EMV initiative. Of course it was a prominent terminal manufacturer providing the articles.

    I too am trying to figure out Visa’s motivation into pushing EMV, especially non-PIN EMV and this theory is not one I had thought up. For some reason Google did not enter my thought process on this topic. Good article and well written.

    • February 6, 2012 at 12:57 PM

      I have to agree with the push for EMV without the PIN component as that just makes no sense. There is card present fraud in the US, but not much higher than is now present in Europe with EMV and PIN. So one has to wonder how you get an ROI with EMV in the US as it’s not from a significant lowering of card present fraud. I’m guessing that Visa is hoping to get traction with EMV in the US before Google Wallet and other solutions gain traction and make EMV obsolete. It’s the only thing that makes sense.



