Credit and debit cards in today’s world come equipped with tiny computer chips or microprocessors provisioned securely with the cardholder’s credentials. These “chip cards” operate on standardised protocols to enable face-to-face payments at point-of-sale (POS) machines in shops and other physical locations (referred to as “card present” in industry argot). The standard protocol is known as EMV (Europay-MasterCard-Visa).
Historically, in European markets, due to the significant costs of telecommunication, not all transactions were authorised online. European markets lacked the scale of the US market necessary to reduce and rationalise operational costs. Fraud rates were high.
Chip cards allow transactions to be authorised offline, that is, against the information programmed on the chip, rather than sending a message all the way to the bank or the card issuer to obtain authorisation. The deployment of chip cards significantly reduced the level of fraud arising from counterfeit and lost or stolen cards.
European and other markets have already adopted EMV. European markets generally deploy personal identification numbers (PIN) to authenticate the cardholder. Not all cards in some markets use this “chip and PIN” combination. Some use the less secure “chip and signature” alternative.
Meanwhile in the United States
The world’s largest and most sophisticated card market, the United States, for many years, remained sceptical of the benefits of EMV and continued to use the older magnetic stripe technology. Fraud levels in the country were way below those experienced in other markets since all transactions were authorised online. There was little reason to invest in a technology that was developed primarily to reduce fraud.
The US market finally decided to move to EMV to meet international standards, but there was no sense of urgency, even though fraudsters deterred from using counterfeit cards in shops in Europe were doing so in the US. In other words, the US was importing European counterfeit fraud. But still, in the bigger scheme of things, this was not significant.
Just before Thanksgiving 2013, and in the run-up to Christmas, perhaps the busiest shopping period of the year, hackers managed to install malware on the security and payment systems of Target, one of the country’s largest retailers. Every time a card was swiped, the malware captured the card information off the magnetic stripe. The hackers had also put in “exfiltration” malware that transmitted the stolen card numbers “first to staging points spread around the U.S” and then onward abroad. Somehow internal alerts and warnings went unnoticed. Hackers managed to steal 40 million card numbers and 70 million customer addresses, phone numbers, and other bits of customer information. Despite the unprecedented havoc the hack generated, the resulting losses, and the litany of lawsuits that followed, the technology deployed by the hackers was simple, “absolutely unsophisticated, and uninteresting.”
This would not have been possible in an EMV environment.
The Target hack was high profile and it garnered much negative attention and bad press for the company and the card industry as a whole. There were also major breaches before and after, such as those at T J Maxx, a discount retailer, and Heartland Payment Systems, a credit card processing company. It created industry anxiety and a heightened sense of urgency to move things forward.
The Difficult Road of EMV Deployment
The migration from magnetic stripe to EMV is challenging for any market, however small. For a card market as large, diverse, and complex as the US, the move has proved a real challenge. Many industry observers think that the migration could have been better planned and executed and that it lacked stakeholder coordination. But the US market is unique not just because of its sheer size and legacy infrastructure but also because there isn’t one central authority or a government entity mandating procedures, monitoring compliance, and imposing penalties as in many other markets. Contentious issues are likely to be decided by prolonged legal entanglements and court procedures rather than promulgations from an agreed central agency.
There are multiple debit networks in the US, and the “Durbin amendment”, part of the 2010 Dodd-Frank law, regulates the way debit cards operate. Its aim was to reduce card acceptance costs for retailers and provide more choice in terms of how they process debit card transactions. The amendment prohibited restricting the processing of electronic debit transactions “to fewer than two unaffiliated networks, regardless of the method of authentication.” This created delays as the major card companies and the debit networks worked to find an acceptable solution, and when they finally did, the courts ruled against it. It took several more months for the federal court of appeals to overrule the decision.
The deployment of EMV-certified terminals has proved yet another major hurdle. Many small retailers have not yet replaced their old POS terminals, and many others, typically medium-sized merchants, have installed new terminals but are waiting for these to be certified. This lack of certification allows card issuers to “chargeback” fraud losses on such terminals due to the liability shift rule, which makes the merchant liable for fraud if their terminals are not EMV compliant. This has resulted in a blame-game and a lot of finger pointing. Last year, Patrick J. Coughlin, a lawyer for retailers in a recent lawsuit that accuses the major card networks of deliberately creating impossible requirements for merchants, said in an interview with the New York Times that payment processors “don’t have any incentive to hurry the certification along… they’re not the ones paying the fraud charges.”
At many merchants where EMV is fully deployed, transactions can take a very long time to complete. The terminals and the various intermediaries through which the transactions must flow have not been suitably optimised. This created a negative perception of the technology in the minds of consumers.
Finally, there are sector-specific issues that have to do with the type of legacy hardware and software deployed. Replacing these is a major headache and expense for merchants. Fuel or “gas” stations in the US experience high levels of fraud and EMV holds the promise of substantially slashing these losses. But the costs of deployment are also significant. Business Insider estimated that “the upgrade is expected to cost the industry roughly $4 billion, because fuel pumps often need to be replaced in their entirety in order to upgrade to EMV.” The card networks accordingly changed the deployment deadline for gas stations, the date when the liability shift rule will apply, to 2020.
Despite the complexities of the marketplace and the several hiccups that could have been avoided, the largest card market in the world is finally coming to terms with the necessity to adopt global standards and the reality that embracing new technologies is not simply a matter of returns on investment but of maintaining the structural integrity of an industry ecosystem and the key to its future.