Call me a skeptic, naysayer, contrarian, payments rebel or girl with a death wish, but I’m still not getting the logic of why EMV is being forced into the US market.
What got me back on my high horse were two reports over the last couple of days about how long it’s going to take to get EMV “ubiquity” in the US – both cards and terminals.
The short answer to that question: minimum 5 years, probably more like 10.
I will admit that I’d reluctantly made peace with the fact that, thanks to the Target breach, it was “game over” with respect to the wholesale movement of merchants in the US to embrace the two-plus decade old chip and pin standard rooted in transacting via a plastic card at a fixed point of sale. Before that breach, I thought we were a fly’s eyelid away from having merchants push back as a result of not wanting to spend the money to install terminals that didn’t support what they really wanted to do – enable a future where digital commerce between two connected devices reinvented the exchange of value between consumers and merchants. The Target breach and almost immediate public embrace of EMV by the now former Target CEO, Greg Steinhafel and the equally quick endorsement by the NRF of EMV as the retailer’s line of defense against fraud (and oh, lots of bad stories about using cards at retailers) popped that bubble for me.
Of course, everyone who understands card security knows that EMV wouldn’t have prevented the Target breach. We also know that EMV alone can’t prevent fraudsters from wreaking havoc with cardholder data. The best weapon in the fight against fraud isn’t a single thing. It’s, as many are advocating, a “layered” approach which includes tokenization and end-to-end encryption, in addition to EMV, so that data is rendered useless when transmitted at the point of sale. EMV simply makes it more expensive for the bad guys to produce counterfeit physical cards in the event of a data breach. EMV alone does nothing to render data useless when it is in “in the clear” and being transmitted between the POS device and the acquirer.
So, for retailers, the sort of good news/bad news here is that they can absolutely protect cardholder data from breach but spending money on EMV is just the beginning and interpreting the liability shift implications can get pretty tricky. And when fraud moves online, which we know it will since it has every other place in the world where EMV is implemented, that’s pretty much on them. And, breaches that are related to a back door intrusion a la the Target breach, well, that’s probably going to be on them, too. The offline moving to online part of this story is where things get sort of scary as well. Commerce online is increasing rapidly – thanks to mobile devices that enable access to commerce online – and increasingly, transacting at the physical point of sale with digital wallets that rely on methods that move physical transacting online.
But you guys know this already.
What you may not know is that Phil Tomlinson, TSYS’ CEO, told investors at its annual investor day in New York last week that six months ago, it had 4 issuers signed up for EMV, today it has 18 and I don’t know how many of those are the “big ones” that would account for the preponderance of credit and debit cards. But ubiquity means that every issuer issues every card with EMV capabilities and there are thousands of issuers in the US. Until that time folks, it’s mag stripes and EMV at the point of sale. And, with Chip and Choice, not only Chip and PIN technology, it means putting cardholder data on mag stripes. And without tokenization and encryption in addition to EMV, cardholder data could be as vulnerable as it is right now, $2.8 billion dollars in terminal upgrades later.
Tomlinson said that most banks are waiting for merchants to respond to consumer demand for EMV terminals. I haven’t heard anyone I know ask for them, have you? Tomlinson was also reported to have remarked at the meeting, "It's a chicken-and-egg thing. The merchant community is going to have to put the terminals out that are chip-enabled … it's not going to happen overnight." He went on to say that it would take two to five years to become widespread in the US based on his experience in Europe and the Canada. Widespread isn’t ubiquitous. And, we know from the experience in Canada that 4 years after the “liability shift mandate” and more than a decade after it was announced as the standard, only 54.2 percent of cards and 84.7 percent of terminals are EMV compliant (according to the EMVCO website.)
The second slug of data that gave me pause was a report released by Javelin. It affirmed what Tomlinson said, reporting that only a sliver of the overall merchant community will have moved to an EMV standard by the liability shift deadline of October 2015 and that it will take “years” for small merchants to accept EMV. Javelin says that while roughly half of merchant locations will likely be EMV-ready by that time, around 25 percent of stores with fewer than 20 employees will be. The lack of small merchant awareness of the mandate, along with that pesky chicken and egg scenario, is to blame here as well. Javelin reports that by the end of 2015, issuers will have issued 166M EMV credit cards and 105M debit and prepaid cards – representing 29 percent and 17 percent of total cards in circulation, respectively. They forecast that it is likely to be the end of 2018 for 96 percent of credit and 98 percent of debit and prepaid to be EMV. Again, this further reinforces that the combo platter of EMV and mag stripe cards will be in our future for a while.
So, I hear all of you saying to yourself, okay, but won’t the existence of EMV terminals accelerate the use of contactless and NFC transactions and even accelerate the move to mobile via NFC?
I don’t think so.
Javelin says that given the cost to add contactless capabilities to cards (they say already at roughly $3.50 a card) that isn’t likely to happen. So ixnay the notion of contactless cards making a comeback. The report’s author said just issuing EMV cards alone will already cost issuers almost $5 billion and adding another billion or so to include a contactless chip isn’t likely to happen.
And, just because EMV terminals have NFC capabilities doesn’t mean that merchants will turn on NFC. It certainly hasn’t happened in many countries in Europe where both EMV and NFC were birthed and where handsets with NFC chips have been around for a while. Part of the reason that every analyst in the world, once so bullish on NFC, revised their forecasts for NFC volume via mobile devices is because consumers weren’t using NFC-enabled handsets at merchants, in part, because merchants hadn’t turned on the service. (Refer to the graphic for the visual depiction of the incredibly shrinking forecasts of NFC adoption over the years.)
Now, I can also hear you saying, okay Karen, but you’re missing two important points: lots of handsets will have NFC chips in them soon since here in the US, many major merchants will likely have EMV terminals capable of supporting NFC-enabled phones and Apple is rumored to be ready to NFC-enable their iPhones, so get over it already.
Here’s what I think.
On the first point, merchants have to be convinced that there are enough consumers with NFC-enabled wallets running around to go to the trouble of activating the service. At the moment, there is a dearth of populated NFC-enabled wallets in the marketplace. And, no I don’t think that this is just the break that ISIS needs to finally move from the pole position to first place. It’s a long, long way from preinstalled app on new phones and free Jamba Juice to adoption of the digital wallet that consumers will embrace and use.
On the second point, having Apple come out and say that it will embrace NFC to enable payment at the point of sale would surely help ignite NFC payments. But this is where I scratch my head. I know that I am practically the only one in the world now that thinks that Apple isn’t likely to enable NFC for payment, given all of the rumors that are swirling around. But it just isn’t Apple’s style to (a) ignite an ecosystem for everyone else to free ride and monetize (which is what it would be doing if it enabled NFC for payment), (b) outsource its customer experience to others, and (c) give customers something now that they can’t use.
Yes, it’s predicted that there will be EMV terminals at roughly 50 percent of large merchants a year or so from now, but that’s a year or so from now. Apple’s obsession with the customer experience seems at odds with enabling a function that can’t be used at most places that consumers shop now. Plus this is the company that reinvented the way music is consumed not only by creating iTunes, but the devices that you use to access iTunes. They reinvented the way that content is consumed via apps and the devices that access those apps. They even created its own operating system which they control total access to. But the big point to be made here is that even if Apple comes out with NFC for the iPhone 6, it still won’t ignite NFC unless merchants have agreed to accept an NFC-enabled iTunes account. And, even if Apple embraces NFC for itself, I’m not convinced that it will necessarily be a solution that will operate out of an all-Apple controlled experience.
By the way, I’ll have more to say on my theory of Apple and how it will enter payments next week, in advance of their WWDC on June 2nd.
Well maybe the good news here, potentially, is that consumers will hate “dip-ping and whatever-ing” (since they won’t be required to use PINS) so much that it will accelerate the move to mobile, which is, of course, what retailers want to happen anyway! Javelin suggests that consumer confusion is likely to slow down checkout lines, too – doesn’t that sound lovely. But then again, so few consumers will have chip cards at the start that it at least it will be a slow boil.
Now before there’s a collective call from the payments community for my head, I totally support the need for a global standard, and an interoperable and secure one, at that. But, as I have said before, payments, consumers and technology have come a long way in the last twenty years, and have been moving at mach speed in the last five. In a year, nearly 80 percent of consumers in the US will have smartphones, most people who travel and need interoperable methods of payments do too. Those who don’t probably live in developing countries where cards and terminals will be leapfrogged by cloud-based and/or other non-card solutions anyway, eg Kenya and mPesa and China and Alipay.
So, if it’s going to take 5 (or more likely 10) years for ubiquity around a standard that’s already moving into middle age, aren’t we better off putting our collective energies into something that will enable the future right now – a future that isn’t tied to hardware like NFC is but enables any connected devices to interact with any other connected device?
For instance, tokenization and encryption are concepts embraced by the networks today and what they agree is really essential to render data useless to criminals at the point of sale but also accessible to merchants in order to conduct their business. Even with EMV cards, mag stripe will be around until EMV is ubiquitous which means that tokenization and encryption will have to be embraced by retailers anyway to protect their data completely. It just seems to me that if we were really serious about staying in lockstep with what merchants and consumers really wanted, we’d do something different. Like maybe take the $10 billion or so that the industry will spend on just EMV deployment, and create a standard that protected data and gave merchants and the consumers the ability to leverage the connected devices of today and the future to both reinvent the retail experience and keep it safe.
But, hey, that’s just me. Based on what I am hearing though, maybe not. Maybe I’ve just said out loud what a lot of payments people are already thinking.
And maybe, that’s what a few third party players, who’ve been tracking this data, are already scheming to do, too. Wouldn’t it be ironic if small merchants, the long tail in all of this, and a subset of large merchants that drive a collective majority of spend actually end up being the first-movers in mobile payments as they ditch EMV entirely for mobile apps that enable lots more than payment, that rely on the cloud and tokenization to protect cardholder data and that plow the money they’d spend on upgrades into incentives to get consumers to adopt?
Crazier things have happened in payments.