Visa’s announcement of a move to the EMV standard in the U.S. is both welcome and long overdue and should eventually lead to a substantial reduction in counterfeit plastic card fraud. With the U.S. – the last major market EMV holdout – finally onboard, it will also enable the eventual death of the Achilles Heel of card security – the magnetic stripe on the back of the card that stores cardholder authentication data. This will lead to a substantial reduction in global, domestic and cross-border fraud.
What’s not in it for the Merchants and card acceptors?
Despite the strong security benefits, Visa and the card issuers come out much farther ahead in this program when compared to the merchants, as generally seems to be the case when it comes to card industry events. With this program, Visa and the card issuers “incentivize” the merchants to upgrade their point of sale equipment to accept mobile contactless NFC payments as well as plastic card contact payments. (In other parts of the world, the terminal upgrades Visa required were restricted to enabling just plastic contact card acceptance). Unless the merchants adopt this ‘dual interface’ technology, they won’t benefit from potential ability to escape annual PCI compliance validation (except their first one), which is a key incentive merchants have in adopting this Visa program.
Further unless MasterCard, American Express (and Discover) launch similar EMV adoption programs, merchants will still have to validate each year for PCI compliance to these other card brands. In addition, most Level 1 and the majority of Levels 2 and 3 merchants are already PCI compliant. So while merchants may eventually save about $30,000 to $55,000 on the annual cost of PCI audits and assessments (if MasterCard and American Express join the fray), they will now need to fork out at least $30 a payment terminal upgrade to enable chip payments, plus unpublished activation, installation and maintenance fees. The new upgrade fees will almost surely amount to more than the annual PCI audit fees for most large merchants.
Finally, given that at least 75% of merchant Visa transactions must originate from chip-enabled terminals, the merchants won’t stand a chance of gaining the benefit of not having to validate PCI compliance annually until at least 2016 or later. That’s well after most will have spent all the money on terminal upgrades and years of annual PCI audits.
What’s in it for the Issuers and Visa?
Besides benefiting from merchant paid-for terminal upgrades and stronger card security that will reduce the counterfeit fraud issuers are responsible for, the card issuers can now start to count on many merchants trying to avoid annual PCI compliance validation having the equipment to accept mobile NFC payments. And rather than spend the money issuing new smart EMV chip cards to their customers, the issuers can rely to a large extent on consumer-owned mobile phones that are capable of transmitting NFC-based EMV payments. This will enable the card issuers and Visa to compete much more forcefully in the mobile payments world, and not necessarily have to concede market leadership to non-bank players like Google and Apple. The latter companies can benefit from the merchant terminal hardware upgrades done for Visa EMV payments, but if they use different non-EMV payment instruments and standards, they will have to figure out the complex logistics and incentives involved in activating merchant payment terminals with their own message formats and routing the payments to their own payment ecosystems.
Visa card issuers can also avoid spending money on manufacturing and distributing relatively expensive plastic chip cards and will instead invest in lower cost software applications and ‘trusted’ services that provision and manage mobile EMV payment services to already-paid-for consumer mobile phones.
Further, under the new Visa program, issuers are able to shift even more of the counterfeit plastic card present fraud over to the merchants than they do today, if the merchants don’t have their payment terminals chip ready by October 2015. According to the 2010 Federal Reserve Board report on Debit Interchange fees, 57% of reported fraud losses across all types of transactions were borne by issuers and 43% by merchants. Now with the announced liability shift, U.S. merchant fraud liability share will dramatically escalate above the 43% they bear today if they don’t chip enable their terminal payment acceptance.
Interestingly and notably, Visa did not extend the shift in fraud liability from issuers to merchants for mobile contactless payments and just kept the shift with plastic contact card payments. Merchants already pay higher rates for NFC payments, according to retailers Gartner has spoken with, which naturally disincents many of them from accepting them. It seems to me from this liability shift exemption, that Visa is doing everything it can to promote contactless payment adoption among the merchants and doesn’t want to give them any excuse to push back from accepting them. Visa and the card issuers understand well that widespread merchant adoption is key to NFC EMV-payment success. And that’s good business for the card companies because it will boost their merchant fee revenues.
No one can argue against stronger card security and in that sense this program is a very good move. However, in the end, it seems to me that the merchants are paying more than their fair share, just like I think they are today when it comes to card fraud and security.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.