Now that EMV has made the hop across the pond, should retailers skip it? Speaking at the CNP Expo in Orlando, Lee Jurgens from Ralph Lauren (who was my favourite panelist at the event) said that the US should have skipped chip & PIN and gone straight to mobile because it is the more secure payment mechanism. He's got a point, and there's no point the industry pretending that he hasn't.
Look. There's no doubt that going to PIN reduces fraud substantially, irrespective of whether there's a chip there or not. So some retailers are clearly wondering whether adding the second authentication factor of a PIN, whether at POS or via an app, is really where they want to go.
For retailers such as hamburger chain Wendy's – which already accepts PIN debit at the checkout – the fraud rate is so small "it's hardly worth mentioning," said Gavin Waugh, Wendy's vice president and assistant treasurer. "Even if we pay the fraud liability, it's a whole lot cheaper than putting in (new EMV) terminals."
Years ago, when I interviewed Jamie Henry of Walmart for a podcast, he told me that the fraud rate on PIN debit was 250 times less than the fraud rate for signature cards. It doesn't make any difference whether it's online PIN or offline PIN: switching from signature to PIN seems to be the key. Maybe online PIN or mobile PIN (the "something present" transaction) would be better solutions in the US? After all, there's hardly a deluge of chip cards on the way.
I remember going along to Dinah Tobias' excellent Payments Forward breakfast briefing on the US payments market a few months ago. The briefing, from First Annapolis, was quite interesting. Unfortunately, the slides presented were marked "confidential", so I can't tell you about them. I will, however, comment on what was said in the discussion afterwards. Part of the presentation was about the EMV migration timeline (which, as far as I know, isn't in the least confidential) and over coffee afterwards several of the attendees agreed that many US institutions would miss the impending liability switches.
In fact, 71 percent of the financial institutions have no immediate plans to issue EMV cards
[From Portals and Rails]
In essence, some people were assuming that US financial institutions have decided to eat some fraud losses while they decide what to do. These losses could be in the millions of dollars, by the way.
In a study based on a fictitious bank with 5 million cardholders and average market characteristics, MasterCard Advisors estimated losses could be as high as $25 million if EMV migration is delayed until 2015, rather than starting in 2013.
So what should they do? Well, perhaps, when a retailer of the order of Ralph Lauren poses the question about going straight to mobile then we should at least evaluate the proposition. You could argue that the "mainstream" payments industry (ie, my customers) already have a strategy to use POS estate renewal as a stepping stone on the way to mobile. This is the idea that contactless is just a step on the road to NFC.
On the other hand, since most EMV POS devices are already NFC-enabled, many deployers, especially banks and independents, are already seeing the writing on the wall in giant letters: N-F-C.
If the mainstream doesn't do this (ie, decides to use mobile to go past EMV) then what might the options be? There are thousands of different mobile payment propositions out there right now, and a good many of them have the sole intention of cutting my customers out of the payments loop completely! So what about tackling them head on with son-of-EMV? I'm hardly the first person to have floated this idea and I'm hardly the first person to suggest that son-of-EMV be identity-centric and based on open standards rather than any financial sector standards or new yet-to-be-invented-by-the-payments-industry-standards.
Could there be an open, industry-based alternative to EMV? The Accredited Standards Committee X9 Inc. seems to think so.
So, yes, there could be a son-of-EMV. It's not a crazy idea. And if it is to be based on industry-standard open identification and authentication technologies, not finance industry standards or even payments industry standards, then it will be moving us toward the "something present" transaction as the norm. The industry could bite the bullet and scrap the 1971-style messaging protocols in use in favour of ISO 20022 XML-based messaging that can carry the remittance and receipt information as well as the payment details, not as an admission of "defeat" (EMV made perfect sense when it was developed) but as recognition that things have changed.