[Dave Birch] I popped in to Best Buy in Chicago to get a couple of things and when I went to pay I noticed that there was a contactless reader. I tried to pay with with PayPass sticker on my iPhone and the transaction was (correctly) declined because I didn’t have the balance (it’s a prepaid MasterCard). So I tried my UK Visa contactless credit card and the terminal didn’t recognise it. Nor did it recognise my UK contactless Visa debit card nor my colleagues UK contactless MasterCard credit card. The terminals have been configured to only read the non-EMV US “magnetic stripe with dynamic signature verification” (MSD) contactless cards and not EMV cards. No wonder stickers are the future.

Bank of America Corp. is building on its mobile payments strategy with plans to issue contactless stickers to its credit and debit card customers next year

[From mobile-payment-stickers-bofa – PaymentsSource Article]

If anyone has one of these, I’d be interested to know what they think about them. Similarly, I’d be genuinely interested in customer feedback on these.

Discover card today announced that it has begun issuing Discover® Zip®contactless credit cards and stickers, targeted at early adopters of its mobile technology.

[From Discover Financial Services – Investor Relations – Press Release]

I know I annoy people by continuing the meme – that started as a joke borne out of frustration – that stickers are the future but… anyway, stickers to one side and back to Best Buy. I used my trusty John Lewis MasterCard to pay. The clerk asked me for ID, so I showed her a UK driving licence that shouldn’t possibly verify, and then signed the transaction “Carlos Tevez”*. The transaction was completed successfully, thus illustrating the point that Jamie Henry (Senior Director, Payment Services at Walmart) made very well during his presentation to the Smart Card Alliance this year. He said that signature was a waste of time and a waste of paper. (While noting that their chargeback rate for signature debit cards is two hundred and fifty times greater than for PIN debit, he called for an early shift to EMV in the USA.) With the first EMV cards now issued (listen to Merrill Halpern, who issued the first EMV card in the US in this week’s podcast) perhaps things are indeed going to change. This reminded me (again) of Deborah Baxley’s neat summary of the immediate future for cards in the USA:

Banks scrambling to replace lost fee revenue will likely shift focus to credit and prepaid, impose DDA and other fees, along with new account services and comprehensive pricing packages.

Consumers: Australia’s example illustrates the consequences of interchange fees capping, in which consumer benefits failed to materialize.

Merchants benefit from lower acceptance costs for debit cards. In a surprising twist, incentives and steering could have the perverse result of driving consumers toward cash and checks.

[From Changing the Game in Cards – pymnts.com]

I think this is a realistic projection, especially given that merchants don’t care about the costs they impose on the rest of society by driving up the use of cash. Let’s put the consumer position to one side. Can banks use EMV, NFC, SMS or some other TLA (three letter acronym) to recover some of this money? Cards dominate the non-cash retail POS (more specifically, debit cards dominate the non-cash retail POS) so we should focus on the particular case of EMV. Some people think that this might be the year for EMV to finally get off the ground in the US.

Don Rhodes, senior director of risk management policy for the American Bankers Association, says a number of emerging technologies, such as the EMV chip standard, mobile payments and peer-to-peer or person-to-person payments, will soon change the way U.S. financial institutions and merchants connect and transact. And it could all happen in 2011, much sooner than most industry experts expect.

[EMV, Mobile and the Payments Landscape]

I’m sure Don is right about mobile and peer-to-peer, but what about EMV? One the one hand, of course, I really hope that EMV gets going in the US: Consult Hyperion have world-leading expertise in EMV strategies for financial institutions and many, many years experience providing independent advice on EMV deployment. There are guys in my office who know as much, if not more, about EMV than anyone else in the world, so a US rollout would be good news for us. But what, I hear you all say, is the business case? There isn’t (yet) enough fraud to tip the scales.

“If we can envision a world where magstripe doesn’t exist, Chip-and-PIN would virtually eliminate all counterfeit, lost and stolen fraud as well as almost 99 percent of PCI costs,” said Mike Cook, Wal-Mart’s VP and assistant treasurer. “So you no longer have to have your database encrypted. You no longer need to have the secure lines. You’re no longer storing data that could be used by somebody else. The PCI costs become significant cost savings.”

[From StorefrontBacktalk » Blog Archive » Target, Wal-Mart On EMV: The Metric System Of Payment]

That’s a very interesting new perspective, one that other retailers have echoed, it given the enormous cost of PCI-DSS, could well be enough to tip the scales where fraud can’t.

Visa recently recognized the importance of chip-and-pin along with PCI DSS compliance when it announced its Technology Innovation Program (TIP). With TIP, merchants will no longer have to go through costly annual PCI DSS validation if 75 percent of their Visa transactions are completed at chip-and-pin-enabled terminals—but TIP is not available to merchants in the United States

[From Portals and Rails]

Interesting. All these years we’ve been thinking that the EMV migration business case depends on fraud, and now it turns out that it might instead depend on fraud prevention, the cost of which is becoming punitive. PCI-DSS has undoubtedly had a positive impact reducing card fraud, but the cost to merchants is enormous. But there’s another factor serving to reinforce the pressure for change. Retailers have terminal replacement cycles, and they may well be wanting to replace terminals for other reasons, at which time the marginal cost of adding the smart card reader is very low.

Target’s Marc Black, the chain’s guest data security director, was asked what it would take before Target would start purchasing EMV-friendly POS units. “Part of that investment decision will be how terminal manufacturers incorporate smartcard readers in their products. We need a firm roadmap, so we can guide our investment. This is not the only new payment technology out there,” he said, referring to near field communication (NFC), among others.

[From StorefrontBacktalk » Blog Archive » Target, Wal-Mart On EMV: The Metric System Of Payment]

Together, these two issues (PCI-DSS compliance and NFC capabilities) might be actually replace fraud in the business case calculation. But are the US retailers ready? When I’d finished paying in Best Buy, I realised that the POS terminal had a smart card reader, so just out of curiosity I asked the clerk what it was for. She told me that is was ready for the new credit and debit cards that were going to have chips on them but there was no software for it yet. Props to Best Buy human resources.

* I always sign stripe transactions with a bogus name. My rationale is that a thief would sign the transaction using the name on the card, because they wouldn’t know which Premier League footballer’s name that I am using for the month. Thus, if I dispute a transaction and the retailer produces a receipt with my name on it, then I know it’s false.

These are personal opinions and should not be misunderstood as representing the opinions of
Consult Hyperion or any of its clients or suppliers


1 comment

  1. Thanks, Dave – I have pointed out many times that the cost of PCI greatly exceeds the cost of EMV; some of these costs represent good practice but the expensive bits are the bits that would be unnecessary with EMV. If the card numbers and expiry dates that PCI is protecting are really secrets, then banks are criminally negligent in printing them on cards, statements etc.

    The retail arms of banks long ago decided that account numbers are public information but authentication data must be fiercely protected – this is the correct answer.

    Mike

Leave a Reply


Subscribe to our newsletter

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

By accepting the Terms, you consent to Consult Hyperion communicating with you regarding our events, reports and services through our regular newsletter. You can unsubscribe anytime through our newsletters or by emailing us.
%d bloggers like this: