EMV is at the heart of global payment card processing. As a specification it governs the processing of billions of transactions globally, with the vast majority of those flowing through the international payment schemes. As a technology it has been incredibly successful, reducing fraud levels everywhere it’s been introduced and its extension into contactless payments is now the fastest growing area of face-to-face payments. The idea that EMV might soon be obsolescent seems far-fetched, to put it mildly, but there are reasons to believe that its hegemony is under threat.
EMV, as a specification, can be complicated and expensive but much of that complexity relates to card and terminal based risk processing. Why, you might ask, are cards and terminals doing this? Well, the answer lies back in the dark days before the internet was everywhere and always on. EMV was designed for an offline world in which merchants attempted to connect to issuers, via acquirers and schemes, to check whether cardholders had the funds to purchase goods. When they couldn’t connect, the card stood in for the issuer and the terminal for the acquirer in order to make a risk-based decision to accept or decline the transaction.
Today, with the advent of the internet, the idea of off-line transactions has largely, although not totally, disappeared. Issuers can make their own risk based decisions in real time and liability, for the most part, sits with them.
In parallel terminals are changing, rapidly. One of our biggest areas of growth is in SoftPOS – essentially using off the shelf hardware running apps for POS devices. Whereas traditional POS devices are complex, security hardened devices, with SoftPOS they’re tablets or smartphones sometimes with and sometimes without additional secure hardware. Acquirers or PSPs now need to do their own risk based management to ensure that the software on these devices isn’t being attacked. Plus, of course, SoftPOS devices can easily be upgraded to support alternative payment methods.
But in payments the biggest change of all has been the internet. E-commerce is booming and it isn’t obvious that cards are the best payment instruments for the online world. Why do I need to give my card details to a merchant so they can pull funds from the issuer when I can authorize my issuer directly to push funds to the merchant? That’s far safer in security terms, as my payment credentials don’t get shared with third parties. Hundreds of new style payment instruments have sprung up to utilize this type of payment flow, with the EU’s PSD2 regulation making it ubiquitous across the union.
The card payment networks are already adapting. The purchase of Vocalink by Mastercard and further pushes into the world of real-time payment networks, the recent acquisition of Tink, a major EU push payment processor, by Visa, as well as their attempted purchase of Plaid, clearly shows that they are, at the very least, hedging their bets. Smartphone based digital wallets mean that consumers won’t really care – all things being equal – whether or the underlying payment instrument is card or some other method.
In e-commerce EMV is largely irrelevant – none of the chip based processing can be used as there’s no way of connecting the chip to the network. It is of use in tokenized payment methods like ApplePay or Google Pay but for how much longer? In India Google disconnected card payments and replaced them with UPI – the Indian API based push payment methods – and rapidly took over 20% of online payments. Increasingly API based payments look like the future.
If you wrap these changes together – and particularly if smartphone based digital wallets continue to grow in popularity, Paypal being the market leader – the obvious conclusion is that EMV as we know it is in terminal decline. Yet even as we write, many of our customers are fintechs that are actually developing their own card issuance programs because cards are still the single most popular payment instrument in use across the world. Behind this is the robust regulatory and governance regimes that apply to card payments which haven’t yet been replicated by alternative payment methods along with ubiquitous acceptance at both online and offline merchants
We think it’s inevitable that EMV will come under sustained pressure from other payment methods. The rise of SoftPOS means that deploying new payment methods to acceptance points is no longer a major challenge. The development of the new generation of PSPs and acquirers – Stripe, Square, Adyen, etc – mean that the intermediaries are not weighed down by technical debt. The creation of real-time payment networks – Faster Payments, TIPS, P27 or any of the other fifty or so networks deployed or in development across the world – means that new payment instruments can integrate these and create their own clearing and settlement regimes for very little cost. And, of course, the rise of smartphones and the internet means that risk management no longer needs to be done in cards or terminals but has moved to the cloud where it can be adapted quickly and flexibly to meet new challenges.
None of this means EMV will end overnight – but it does mean that payments as we know them are changing rapidly. Managing that change is going to be an enormous challenge for all parties in the global payments supply chain.