A friend of mine in Belgium owns a beautiful BMW M5, capable of doing nearly 300km/h if de-restricted. The national speed limit is 120km/h. He doesn’t go to track days, but he does drop his kids off at school each day and they certainly arrive in style. He says that he owns it for the thrill of the acceleration and performance, but to be honest he could have spent a whole lot less and got himself an Ariel Atom and made the kids walk to school. Or moved to Germany.
Why am I telling you about this in a payments blog? Well, I’m here in the States at the SCA Payments Summit in Salt Lake City listening to the latest info and thoughts on the US EMV rollout. The International Brands (Visa, MasterCard, Discover, AMEX) have all reiterated their liability shift timetables, and so come October 1, 2015, those not compliant in the US will become liable for any fraud. Yay! Issuers are already putting EMV chip cards into market – starting with their high transactors first – and merchants such as Wal-Mart are already switching on EMV acceptance capability in high tourist areas. This is all great news and very promising as the migration gathers pace. There is however one flaw – and here we go back to my friend’s BMW…
While others are openly explaining that Chip with PIN is the most secure option, Visa continue their declaration that the US should be a Chip and Signature market – merely mimicking the current magstripe environment but on EMV cards. Visa is telling card issuers to buy a hypercar for the school run – getting a huge leap forwards in technology and security possibilities, then running it in first gear. I’m not going to speculate on the reasons why here, as there are a few possibilities to do with business model, pragmatism and blind faith in the current system. However, what is clear is that this advice isn’t good for the long-term future of the market. US Issuers should be encouraged to do as much as possible in the first instance to build systems that take them forwards instead of spending the estimated $11bn cost of migration just to stand still.
It’s fine to have a minimum standard, but it just won’t bring the intended benefits to the market if the majority only achieve this baseline. Furthermore, merchants understand the value of PIN. They understand that signature has near-zero value as a cardholder verification method (CVM) and certainly doesn’t stand up in the chargeback process. They also understand that in chip-on-chip transactions (which will be about 40% of volumes come liability shift) signature is not going to help them out much.
Clearly the added cost of offline PIN and the intrinsic difficulties of PIN change that it brings will be a step too far for most Issuers. However, as the majority (if not all) of cards will be issued with online PIN for ATM, why not just extend this to POS and make a bold statement to the merchant community: the US will be Chip and (online) PIN with signature fallback because we want to protect transactions and the integrity of our payments system. During the tricky migration period, which will last probably until 2021, magstripe fallback will be the norm and so counterfeit will continue through cards with disabled chips and counterfeit magstripe. Signature as the main CVM will not stop this and so the fraud will go on, and on. PIN won’t stop data breaches, but it will greatly reduce the capacity for replay of counterfeited cards into the POS channel.
Merchants are calling for PIN and most processors I’ve spoken to believe that it’s the right option; all they need is a little advice from the International Brands. It’s time to unleash the US’s new hypercar on the Bonneville Salt Flats rather than sitting at 55 on Route 66.