EMV: Solving For The Wrong Problem

By Gloria Colgan, Managing Director, Market Platform Dynamics

We’ve been talking about standards an awful lot lately: or, more specifically, the lack of them. Wireless technology standards. Mobile payment technology standards. Common AIDs for debit routing implementation. Let’s face it. Standards accelerate adoption because they facilitate development – no arguing over what to build or how to build it. At the same time, they basically presume a “winning” solution has been determined – no more deliberation. VHS “won,” Betamax lost. Blu-ray “won” and no one remembers HD DVDs.

But sometimes the de facto standard takes too long to implement and technology moves faster than that standard can. Or, it becomes a mandate when other options and solutions should be considered. This is one of the fundamental problems with EMV.

Fraud is clearly a problem and a costly one. Bankcard fraud rates increased 70 percent between 2004 and 2010. U.S. fraud rates compared to other countries are high, perhaps due to our growing ease of purchasing anywhere, anytime, anyplace. Use of signature debit use vs. PIN debit also contributes to this difference since many countries are PIN debit only. But, for whatever the reason, time after time, U.S. stakeholders in the value chain have chosen to implement their own fraud protection measures, rules, systems or additional layers of control such as PCI, instead of spending the money to voluntarily implement EMV.

It’s not that EMV isn’t secure. It’s very secure. It was developed as a state of the art solution in 1996. It’s not that it doesn’t work. It does, for the channel where it can be used. The UK demonstrated significant drops in fraud rates for lost/stolen cards after complete implementation of EMV. BUT, and it’s a big BUT, fraud losses for phone, Internet and mail order skyrocketed, dwarfing the prior losses in lost/stolen. In the U.S., fraud occurring over digital and phone channels represents 40 percent of the losses but only 5 percent of the sales. What will happen to that number when EMV is implemented at POS in the U.S.? The number one mantra of fraud, as taught to me by my many esteemed colleagues over the years, is this: If you don’t actually eliminate the source or effectively eliminate all channels of access, it just moves to the weakest link in the process.

This is the problem with EMV. It was developed around a form factor, not data. The chosen form factor was the “rising star” of the early 90’s – the smart chip. This made a lot of sense. The digital revolution was in its infancy. Plastic was the sole mechanism for physical distribution of card payments. Smart cards were a technology searching for a problem to solve and they found one in authentication and fraud mitigation. The ability to provide a mechanism for communicating with the consumer at the POS to determine that they are who they say they are, in real-time with the issuer, was a stroke of genius. However, it becomes much more difficult when things move and shift to cloud based transactions in a digital environment. Yes, there are workarounds. You can plug a reader into a laptop to read your card. We can all wait for contactless readers at the POS and secure elements (and apps) in our phones. More complications and costs are added to the process, which just make it harder. U.S. consumers don’t like harder. We like safe AND convenient. If authentication truly focused on the data and not physically located in a piece of hardware, then it could evolve as rapidly as new solutions are being created – moving to wherever the data needs to be, in a tokenized or encrypted fashion.

I recognize that this is 20/20 hindsight. The chip was a brilliant idea for a problem occurring in Europe several years ago – rampant fraud with debit cards. But volume is moving and shifting – and fairly rapidly. Fraudsters don’t sit still and won’t. If stakeholders, primarily merchants, are reluctant to implement EMV even though they swallow approximately 40 percent of the total losses associated with fraud, shouldn’t we be looking for alternatives or, at a minimum, an evolved solution that better meets future needs? As volume continues to grow in the fully digital environment, it seems like we are going to spend lots of time and money on a solution that was predicated on different assumptions and not as flexible as it could be for the future.