The Green Sheet Online Edition
April 08, 2013 • Issue 13:04:01
EMV for U.S. merchants: Effects and side effects of compliance
A recent article on the American Banker's website stated that after years of decline, fraud losses on U.S. credit and debit cards appear to be on the rise, and "one key culprit, according to experts, is this country's slow adoption of technology that will improve security."
The answer to payment card fraud is the implementation of a more secure technology standard, which is known as Europay/MasterCard/Visa (EMV) in the United States. EMV has been a trending topic over the past months in the United States as a result of impending liability shifts decreed by the major payment schemes (Visa Inc., MasterCard Worldwide and American Express Co.).
A large number of countries have already implemented the new standard, and positive results from early-adopters made the case for EMV in the United States even stronger. A change in one area, such as at the ATM or the POS, can't be effective unless the entire ecosystem gets behind the migration. Issuers, acquirers, processors and merchants are all part of the ecosystem.
The merchant's perspective
Merchants are, in fact, the net payers of transaction fees in the payment ecosystem: the merchant service charge, which they pay to their acquirers, essentially funds various fees to the other actors in the payment chain. And now they seem to be presented with a bill for something they did not even ask for.
To implement smart-card acceptance, merchants will be responsible for upgrading or replacing their POS devices to be EMV compliant, and they will have to carry the costs associated with this. And it is far from straightforward to see a direct positive business case in such a migration. The migration can also be a complex project: merchants of all sizes - from single location to nationwide - will have to make many decisions in order to have a successful migration that meets their specific requirements and interests.
There are even additional implications and side effects for merchants, such as having to train staff in dealing with the new technology and with consumers who have to get used to using it.
Why comply with EMV - and PCI?
One main driver will be the liability shift from the issuers to the merchants, as initially proclaimed by Visa (and after which the other payment schemes followed). This liability shift implies that, from a certain date, merchants (instead of issuers) will become liable for card fraud (in case the merchant did not yet migrate to EMV and the issuer did).
Even if merchants are fully EMV compliant, this won't relieve them from Payment Card Industry (PCI) Data Security Standard (DSS) compliance. PCI guidance sets forth that merchants need to be PCI compliant to protect cardholder data (which is something EMV doesn't really address). Noncompliance may result in increased fraud, expensive lawsuits, financial-institutional fines, loss of merchant service agreements, compromised brand integrity, diminished customer confidence and loyalty, lost sales, and so on.
Is there a positive side for merchants?
Given all the above, merchants will not necessarily welcome the requirement to become compliant. But there are attenuating factors. In parallel to pushing merchants to engage in the migration through the liability shift, the card brands also offer certain direct incentives to merchants for implementing compliant terminals.
To take Visa as an example, the Technology Innovation Program (TIP) is offered to encourage EMV adoption. "TIP will eliminate the requirement for eligible merchants to annually validate their compliance with the PCI DSS for any year in which at least 75 percent of the merchant's Visa transactions originate from chip-enabled terminals," Visa stated when announcing the EMV liability shift in 2011. This could save merchants thousands annually on traditional PCI compliance.
To be eligible for TIP relief, the merchant must demonstrate compliance with all other goals and requirements of the PCI DSS. Also, POS terminals must accept both contact and contactless payments, including near field communication (NFC) and mobile payments, in order to qualify.
But that last requirement actually underlines that the move to EMV is well-timed in providing opportunities for merchants to embark on new business-enabling technologies. An investment in a new terminal means merchants can "future proof" themselves and prepare for what's to come.
Think about all the developments around mobile commerce, including mobile NFC payments and loyalty schemes facilitated and greatly enhanced through mobile handsets.
Is it worth the hassle?
Some merchants might maintain that the potential negative financial effect of a liability shift may not weigh up against the investment associated with deploying the new technology (even taking into account the direct migration-incentives provided by the card brands). Compliancy may indeed be a hassle, but it probably is the only way forward.
Preventing fraud is one thing; updating the infrastructure is also an opportunity to get ready for new technologies that pave the way for promising developments such as mobile commerce.
Peter Helderman - a presenter at CARTES America, taking place April 23 through 25, 2013, in Las Vegas - is an expert in the mobile telecom, smart card and contactless card, and semiconductor spheres. In his approximate 20 years' experience, Peter has been involved in both the technological side and the commercial side of these industries. He has in-depth understanding of commercial deployments and architectures around smart cards and mobile payment. This has allowed him to be the trusted advisor of mobile network operators, public transport operators, banks and various consortia, providing guidance regarding the best contactless and mobile payments strategies. Contact him at firstname.lastname@example.org.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.