Even as the Federal Reserve steps up to regulate interchange, the payment technology industry and some merchants are hoping for a government intervention to mandate EMV in the United States. The reference to fraud prevention technology in the Durbin Amendment of the Dodd-Frank Act has fueled the debate. As the argument goes, the payment industry has not been capable on its own of material advances in fraud prevention technologies in the United States (as demonstrated by the lack of adoption of 3D-Secure). The U.S. payments system stands vulnerable to massive fraud migration as other markets complete their migrations to EMV. Thus, the intervention of the regulators is warranted.
Over the course of the last 20 years, chip card implementations have demonstrated clear benefits in preventing counterfeit fraud, transaction replay attacks, as well as lost and stolen fraud when leveraging offline PIN. It is appropriate to raise the question of when and how to best modernize the aging card solutions, but it is also legitimate to question the appropriateness of EMV as the next payment technology for the U.S. market. One needs to recall that EMV was designed in the mid-90s as an offspring of the French chip card, the so-called “B0-prime,” which was deployed in the mid-80s. At the time of EMV’s seminal specification design, the world’s payments were mostly serviced by Europay, MasterCard and Visa (hence the “EMV” acronym).
In 1996, when the EMV commercial specifications were firmed, the world was a very different place. eCommerce was in its birthing stage, mobile penetration in developed countries averaged less than 18 percent and mobile services were limited to voice and SMS. Internet broadband didn’t exist. Most POS dialed up their acquirer, thus requiring upwards of 15 seconds per transaction. Direct connection to the payment networks was reserved for select merchants. Online and mobile banking didn’t exist.
Today’s reality is a far cry from that world. Many different payment services are being deployed. eCommerce and mCommerce are the fastest growing payment channels. Most merchants are connected via broadband to the payment networks. Consumers are using many different providers to manage their payments and access their assets. To understand the impact of the advent of new technologies, one need only consider the fraud statistics in the UK after the deployment of EMV cards. While fraud in France in the 1980s was reduced by 90 percent thanks to chip cards, fraud losses remained stable in the UK in recent years in spite of EMV, as increasingly sophisticated attacks rapidly shifted to online and cross-border transactions. In today’s world, securing transactions at the POS, while necessary, is no longer sufficient. Thus, the business case for EMV is rendered tenuous. While the argument for using dynamic data in authorization and settlement messages and leveraging stronger user authentication is ever more valid (as expressed by Visa’s Ellen Richey in last month’s Lydian Journal), it is legitimate to question the appropriateness of EMV for the United States for the following reasons:
1. EMV as deployed in Europe is based on ISO 7816 compliant chips, which require a lengthy power-on reset process and are limited to 9600 bps for transmission speeds. This results in extended POS transaction times on the order of 4 to 6 seconds, as compared to 0.5 to 1.2 seconds for an online authorization. Without commitment to changes to the payment services to absorb this increase, such as PIN authentication in lieu of signature and the suppression of card receipts, the deployment of EMV would result in increased costs for the merchants, as they would shoulder the bulk of the burden of change.
2. The EMV platform was engineered to provide secure offline authorizations to compensate for the costs and/or availability of telecommunications. Consequently, EMV includes a complex structure of scheme and issuer public keys to enable offline authentication. This not only significantly increases the cost of the chips, as well as the complexity of card issuance and management, but it also limits the ability of new payment schemes to participate. At a time when most payment innovation comes from prepaid card programs and new payment solutions, EMV would be a barrier to innovation.
3. Application selection enables EMV cards to support more than one payment account. Yet practical business considerations, such as branding, have effectively limited the deployment of EMV cards to single-issuer and single-account implementations. More than ever, consumers are carefully managing their spending holistically and looking for wallet functionality that cannot be implemented via EMV.
4. EMV readers are not supported as a standard feature in PCs. While support for a reader firmware stack is standard in Windows since the advent of PC/SC, it is not the case in Linux or Mac OS. Considering that consumers routinely perform eCommerce transactions on more than one PC, for instance at home and work, securing payments with EMV would demand supplying several peripherals per cardholder, which is not an option. In addition, as the share of Windows in personal computing systems erodes, securing eCommerce with EMV cards is further complicated.
5. While most mobile phones include a SIM card with similar technologies to EMV, dual SIM slot phones were unsuccessfully trialed earlier this decade and are unlikely to re-emerge. Thus, the newest and most vibrant commerce channel is not supported. Furthermore, as the telecommunication industry adopts Near Field Communications (NFC), for which no EMV-like payment application is commercially available, the efforts of the payment providers and mobile operators would collide at the point of acceptance.
6. Dual authentication methods for online connections, for instance to online banking, have been implemented for a number of years without the need for a consumer handheld device or a PC reader. For instance, virtual tokens for one-time passwords and forms of device fingerprinting have proven effective in deterring fraud. In these cloud-based methods, not only is security strong, but it is more adaptable. Deployment and maintenance can occur in much faster cycles than equivalent EMV-based solutions.
7. Historically, the implementation of EMV in any market has required between 10 and 15 years, as issuers, networks and acceptance infrastructure get upgraded, and business processes are updated. While payment networks and issuer processing are slowly approaching the point of supporting “Field 55” (the incremental EMV data), most merchant systems are not. Even as POS devices are capable of interfacing with a chip, the integration with the merchant infrastructure remains a daunting task. It is worth noting that EMV benefits have only accrued when over 90 percent of points of transactions are covered. Thus, assuming a migration of seven years – the average replacement cycle for merchant checkout systems across the entire merchant population – the United States would not materially benefit from EMV-driven fraud reduction before 2018 to 2020 at the earliest. Considering the speed with which commerce is evolving, no one can doubt that by then EMV would be hopelessly obsolete.
Thirty years after the introduction of the magnetic stripe, the time to update the U.S. payment infrastructure is undoubtedly now. However, a new solution needs to be future-proof, not merely the implementation of an aging platform. After all, would anyone today consider rolling out a 1G mobile network? Deploying EMV in the United States would cost issuers, acquirers and merchants in excess of $10 billion without fully solving today’s and tomorrow’s security issues. Delivering a modern payment platform requires evolving the technical standards that enable the interoperability between the various payment and commerce participants. Such a solution will have to account for the role mobile devices and IP networks increasingly play in commerce. This will not be achieved under the current governance of EMVCo, which places the complete control of the specification with incumbents whose card focus and commercial objectives will limit and thus undermine a Smart Payments 2.0 solution. As a result, the EMV platform, especially as deployed in Europe, may not be right for the United States either from a technology or from a governance standpoint. Payment services in the United States are in need of modernization.
Now is the time for issuers, acquirers, the payments technology providers and the payment new entrants, such as telecom operators or eCommerce providers, to define a new, open, future-proof platform that can be rapidly embraced and deployed for the benefit of consumers and merchants.
Patrick Gauthier is a payment industry executive with 20 years of experience in developing, selling, and deploying around the world new technologies for payment and commerce. Patrick is currently Head of Market Intelligence at PayPal. The views expressed in this column are those of the author only and do not necessarily reflect those of PayPal or eBay Inc. Patrick can be reached via LinkedIn (http://www.linkedin.com/in/prxgauthier) or Twitter (PRGauthier).