Is EMV 'A Colossal Waste of Time' for US Retailers?
'Industry experts' and observers in the US marketplace recently reported "EMV Return on Investment unlikely for Retailers". But is this true? And either way, does it matter, are there bigger issues at stake? To understand the issues, we must dig a little deeper.
United Kingdom, October 17, 2015 (Newswire.com) - There are probably THREE main issues to consider here:
Where is the USA compared to the rest of the world?
Who should be driving and leading the change in the US?
What are the costs / savings and overall business case?
REST OF THE WORLD
In spite of EMV being ‘invented’ by US head-quartered companies, the US market has consistently deferred adoption for a variety of reasons that are shown later; leaving the rest of the world to adopt EMV as the route for all card present transactions. There are of course ‘local adaptations’ for CVM requirements, offline authorisation, routing logic and other minor customisation of EMV standards, but generally, everyone has simply implemented the programme over the last 15 years and built upon the programme and the standards over time with increasing security and standards adopted as they have been required.
Has it worked and does it matter that the US is behind?
It is not an easy journey, but EMV has delivered on all expectations outside the USA, with significantly reduced card present fraud – both counterfeit and lost/stolen. EMV cannot deliver ‘world peace’, nor was it expected to do so, nor was it ever expected to fix or prevent the never-ending data breaches, nor protect against traditional CNP fraud events. It does however, enable a largely ‘risk-free’ payment platform for other initiatives such as secure NFC contactless; improved merchant and customer experiences, faster point-of-sale timings (even in a market of simply swipe and go), reduced occurrence of payment disputes; and moving the smaller remaining fraud liability from the participating merchant to the card issuer.
Furthermore, data compromises at places like Target, notably take place in the USA; largely because cards that are compromised utilise the old-fashioned ‘mag-stripe only’ technology. It has not been widely reported either, that EMV cards are largely useless to fraudsters after such compromises – except for use in the USA – where, even there, they would not be possible to use were there not still a magnetic stripe-only environment.
The rest of the world is looking forward to the long-awaited and delayed ‘transfer of liability’ that kicked-in on 1st October 2015 – when the so-called ‘liability shift’ took place. This means that from this date, card issuers around the world will start to be able to pass fraud losses (typically counterfeit-only, but some lost/stolen) on to the merchant acquirers in the USA when their EMV Chip payment card data is used in non-EMV enabled environments, and in-turn pass them onto the retailer where EMV is not deployed. The expected aggressive passing-on of these fraud losses will however, help to make a stronger business-case for retailers to adopt EMV and protect themselves.
The rest of the world has mostly moved away from the antiquated 60 year old insecure technology over the last 10 to 15 years – over to a now albeit 20+ year old technology, but which is being continually updated. It will continue to be updated and evolved, but we do need to get rid of the 60 year old platforms globally before things can really start to accelerate-away with new ideas and technology.
WHO SHOULD BE DRIVING THIS?
“Everyone” is the short answer – but in the US there are a few tough obstacles. The payments environment is embedded in the old technologies, legacy systems where the ‘lowest common denominators’ in the USA are fears of losing routing and processing revenues, control and profitability when the market adopts EMV technology; and issuers who protect their world-leading high interchange rates (as well as high fraud rates) that come with the insecure networks. The costs for a retailer associated with processing an EMV transaction – especially an EMV with a CVM such as PIN should fall – as the till throughput can be speeded up and the disputes and ‘validation/referral costs’ almost removed. Retailers are naturally confused, and they are trying to find other solutions, and the wider industry does not have a single strategic planning function or voice.
In many markets the retailer and retail communities demand:
Lower processing costs. To lower costs, some retailers champion interchange rate cuts, and greater transparency, and still others move their processing (even contrary to card scheme rules) to other continents!
Faster customer service at the till – i.e. EMV solutions should require customers to retain control of the card (at the ‘customer side’ of the till) – and with a PIN entry to speed-up and secure the customer journey and processing efficiencies, to focus retailer staff on service rather than upon security checks for the banks.
Lower administration/dispute costs: associated with no need to keep or retrieve paper versions of receipts with ‘signatures on them’, where vouchers become ‘electronic’.
Help from card schemes, acquirers, merchant processors, vendors, solution providers, etc., to lift or remove barriers to implementing EMV: e.g. ensure readiness and availability of solutions at reasonable prices, and assist with the deployment costs.
COSTS / SAVINGS / BUSINESS CASE
The business case for EMV adoption and its implementation was and still is not an easy one. It is difficult to justify an initial upfront cost (and ongoing costs) of deploying an EMV infrastructure with all its ‘back-office’ functions – for both big and small merchants. But the industry has calculated that the cost of fraud is greater than the cost of EMV migration, so benefits to the financial services industry are clear.
To reduce pain in implementing EMV in almost all markets, the planning and coordination has been carried out over an extended period of time. This made sure that:
Complex solutions were made easier, and that this was not seen as a ‘quick-fix’,
Costs were spread over a multiple years,
Advantage could be taken of constantly improving and new vendor solutions,
Early attacks on certain fraud types could be seen as ‘quick wins’,
All interested parties could engage and collaborate,
New payment solutions could evolve that took advantage of the EMV ‘railroad’,
Legislation and regulatory thinking on fraud and consumer rights could be initiated and honed,
The entire biosphere of payments could be moved forward 50+ years – and support modern security, authentication, and then new/alternative payment methods.
The challenge now is to transfer the value of fraud savings and cost savings that are today spread across the industry, over to the retailers. At the same time, the retailer should be able to quantify efficiencies, reduced costs and better customer service, increased sales and greater profitability. ‘Someone, somewhere’ needs to ignore ‘market protectionist’ thinking that still exists in some of the key stakeholder find coal service providers and management of the card schemes and develop a true industry strategy that will work – with a more compelling business case. Equally, people need to stop finding a "1001 excuses" for not adopting EMV, especially when most of them are plain wrong or irrelevant. The US can after all, negotiate hard to take advantage of the fact that all suppliers in this space have ‘done it all many times before’.
So is it a colossal waste of time to implement EMV? The answer is a profound and clear ‘No’.
Major stakeholders must now ‘get with the programme’; and the many individual participants that are not thinking about the wider industry position – need to ‘move forward too’ in their thinking.
Card scheme rhetoric and self-preservation, issuer, acquirer processor and vendor self-motivations need to be re-channelled towards the collective good, and for the benefit of the payments industry in the USA; and start to support evolving the US market to catch-up with, and if possible, to leap ahead of the rest of the world.
The first step though must be to reconfirm the issues and the longer-term vision, agree one set of facts, fully-loaded business case justifications and develop a collective and realistic market plan.
Riskskills is just one of only six organisations globally that have been confirmed as qualified and approved to complete GARS Reviews for Visa Inc. For further information, please contact Kevin Smith (Independent payment services, risk management and compliance consultant) at http://www.riskskill.com/ or contact him at firstname.lastname@example.org