Have you noticed all of the press lately regarding the Europay, MasterCard and Visa (EMV) card coming out of Visa? It has been very hard to miss. As a result, I started wondering about the purpose of this full court press for EMV.
Before getting into my post, I need to be clear that EMV only refers to the chip in the EMV card. In the past I have gotten a lot of feedback from Visa when I referred to EMV as “chip and PIN” even though the world almost universally refers to EMV as “chip and PIN.”
With that disclaimer, since last August, Visa USA has been making a concerted effort to get merchants to adopt EMV. Just a week or so ago, there was another push by Visa USA to entice merchants to support EMV. So what is the driver behind this push? That is the $64,000 question and the more you talk to processors and merchants, the more confusing it gets.
Merchants are just as puzzled as I am regarding Visa USA’s EMV push. In the case of a number of large merchants I have spoken with, they do not get it as they refreshed their card terminals and POS equipment over the last three years and there is no way they are going to swap all of that new gear for EMV-capable equipment. These merchants are not even looking at contactless terminals. Such an equipment swap this soon would not be cost effective.
But merchants question what EMV would do for them. EMV was developed in response to the fall of the Iron Curtain when fraud ran rampant in Europe. Credit cards were being cloned at an obscene rate and card present fraud was huge. When EMV was fully implemented, card present fraud in Europe went to levels close to or a little lower than in the United States and EMV card present fraud has remained around those rates since. Given where card present fraud rates are currently in the United States, introducing EMV would have a limited effect on card present fraud and that would not be enough to offset the costs of implementing EMV or contactless terminals.
So if it is not card present fraud, it must be card not present fraud that Visa USA wants to address right? Card not present fraud, particularly on eCommerce Web sites is running almost out of control. I would like to say that this increasing fraud rate that is the reason for Visa USA’s push. However, EMV does nothing to address the rapidly rising rates of card not present fraud. The reason is that in order for EMV to address card not present fraud, there would have to be some sort of interface written that would produce codes, single use transaction numbers or similar that could be used by the consumer online. But no such solution exists, so card not present fraud cannot be the driver either.
Back in August Visa USA announced that merchants using EMV or contactless could avoid filing a PCI Report On Compliance (ROC) with Visa USA, so that must be the reason for the push. At this year’s PCI Community Meeting in Phoenix, Arizona, PCI SSC General Manager Bob Russo made it very clear that regardless of what Visa USA was saying about filing a ROC; all merchants were still required to prove that they are in compliance with the PCI DSS. Other card brands also reinforced this statement by reaffirming that they still required the merchant’s ROC and/or AOC as proof of compliance. As a result, merchants save themselves very little by not having to file a ROC/AOC with only Visa USA.
What about EMV being more secure? While that is typically true for small and mid-sized merchants, large merchants that switch their own credit card transactions would still likely have card data in their switch systems if not elsewhere in their computer systems. So claims by some, including at times Visa USA, that PCI compliance is easier with EMV are not totally true. Large merchants in Europe will back this up.
So after 15 years of EMV, what is Visa USA trying to prove with this push of EMV? Apparently only Visa USA can tell us because, for the rest of us, there are no business cases we can construct to justify the switch to EMV. Obviously, Visa USA knows something that the rest of us do not. Or do they? I have consistently said that without any card not present fraud solution; EMV is just a solution looking for a problem.
But wait, maybe there is something here that we have been missing. Is it possible that Google Wallet and similar current and future applications make Visa USA feel threatened? There may be some factual basis in that statement.
At the PCI Community Meeting last fall, I spoke with a number of processors that seemed to have an idea of why Visa USA was finally pushing EMV. These processors indicated that the EMV push was being driven by Visa USA to get EMV into the United States market before Google Wallet and similar applications could take the advantages of EMV away. After all, the United States is the largest credit card transaction market in the world and if EMV was not in the United States, there is no driver to get worldwide adoption pushed.
When I quizzed these processors about the supposed “advantages” of EMV, they said that was the real problem. With the advent of smartphones and applications such as Google Wallet, EMV has no advantages. As a result, merchants and banks have no incentive to implement EMV with these new technologies just on the horizon.
When I went back and talked to a couple of key merchants, they all said that they are waiting out the technology race to see what wins from a smartphone perspective. If Google Wallet and the contactless approach win, then that is where they will head. However, a lot of merchants are betting on one-time use transaction codes displayed as bar codes to win out as they do not typically require any technology changes at their POS. American Express went down the one-time use transaction code (15 digit number that appears like a credit card number) around five years ago, but only had limited success with it for online transactions. However, maybe the time has come for another try.
In the end, it is the consensus of merchants and processors that Visa USA has missed the window for EMV in the United States. Most organizations believe that if Visa USA wanted EMV in the United States, they should have pushed it long ago.