Avivah Litan

A member of the Gartner Blog Network

Avivah Litan
VP Distinguished Analyst
12 years at Gartner
30 years IT industry

Avivah Litan is a Vice President and Distinguished Analyst in Gartner Research. Her area of expertise includes financial fraud, authentication, access management, identity proofing, identity theft, fraud detection and prevention applications…

Second Thoughts about Visa’s EMV program

by Avivah Litan  |  August 9, 2011

Visa’s announcement of a move to the EMV standard in the U.S. is both welcome and long overdue and should eventually lead to a substantial reduction in counterfeit plastic card fraud. With the U.S. – the last major market EMV holdout – finally onboard, it will also enable the eventual death of the Achilles Heel of card security – the magnetic stripe on the back of the card that stores cardholder authentication data. This will lead to a substantial reduction in global, domestic and cross-border fraud.

What’s not in it for the Merchants and card acceptors?

Despite the strong security benefits, Visa and the card issuers come out much farther ahead in this program when compared to the merchants, as generally seems to be the case when it comes to card industry events. With this program, Visa and the card issuers “incentivize” the merchants to upgrade their point of sale equipment to accept mobile contactless NFC payments as well as plastic card contact payments. (In other parts of the world, the terminal upgrades Visa required were restricted to enabling just plastic contact card acceptance.) Unless the merchants adopt this ‘dual interface’ technology, they won’t benefit from the potential ability to escape annual PCI compliance validation (except their first one), which is a key incentive merchants have in adopting this Visa program.

Further, unless MasterCard, American Express (and Discover) launch similar EMV adoption programs, merchants will still have to validate each year for PCI compliance to these other card brands. In addition, most Level 1 and the majority of Levels 2 and 3 merchants are already PCI compliant. So while merchants may eventually save about $30,000 to $55,000 on the annual cost of PCI audits and assessments (if MasterCard and American Express join the fray), they will now need to fork out at least $30 per payment terminal upgrade to enable chip payments, plus unpublished activation, installation and maintenance fees. The new upgrade fees will almost surely amount to more than the annual PCI audit fees for most large merchants.

Finally, given that at least 75% of merchant Visa transactions must originate from chip-enabled terminals, the merchants won’t stand a chance of gaining the benefit of not having to validate PCI compliance annually until at least 2016 or later. That’s well after most will have spent all the money on terminal upgrades and years of annual PCI audits.

What’s in it for the Issuers and Visa?

Besides benefiting from merchant paid-for terminal upgrades and stronger card security that will reduce the counterfeit fraud issuers are responsible for, the card issuers can now start to count on many merchants trying to avoid annual PCI compliance validation having the equipment to accept mobile NFC payments. And rather than spend the money issuing new smart EMV chip cards to their customers, the issuers can rely to a large extent on consumer-owned mobile phones that are capable of transmitting NFC-based EMV payments. This will enable the card issuers and Visa to compete much more forcefully in the mobile payments world, and not necessarily have to concede market leadership to non-bank players like Google and Apple. The latter companies can benefit from the merchant terminal hardware upgrades done for Visa EMV payments, but if they use different non-EMV payment instruments and standards, they will have to figure out the complex logistics and incentives involved in activating merchant payment terminals with their own message formats and routing the payments to their own payment ecosystems.

Visa card issuers can also avoid spending money on manufacturing and distributing relatively expensive plastic chip cards and will instead invest in lower cost software applications and ‘trusted’ services that provision and manage mobile EMV payment services to already-paid-for consumer mobile phones.

Further, under the new Visa program, issuers are able to shift even more of the counterfeit plastic card-present fraud over to the merchants than they do today, if the merchants don’t have their payment terminals chip-ready by October 2015. According to the 2010 Federal Reserve Board report on Debit Interchange fees, 57% of reported fraud losses across all types of transactions were borne by issuers and 43% by merchants. Now with the announced liability shift, U.S. merchant fraud liability share will dramatically escalate above the 43% they bear today if they don’t chip-enable their terminal payment acceptance.

Interestingly and notably, Visa did not extend the shift in fraud liability from issuers to merchants for mobile contactless payments and just kept the shift with plastic contact card payments. Merchants already pay higher rates for NFC payments, according to retailers Gartner has spoken with, which naturally disincents many of them from accepting them. It seems to me from this liability shift exemption that Visa is doing everything it can to promote contactless payment adoption among the merchants and doesn’t want to give them any excuse to push back from accepting them. Visa and the card issuers understand well that widespread merchant adoption is key to NFC EMV-payment success. And that’s good business for the card companies because it will boost their merchant fee revenues.

No one can argue against stronger card security and in that sense this program is a very good move. However, in the end, it seems to me that the merchants are paying more than their fair share, just like I think they are today when it comes to card fraud and security.

4 responses so far ↓

  • 1 Tom Mahoney   August 11, 2011 at 12:11 am

    For me, at least, the bigger question is how this will impact on-line merchants. Will we see a significant increase in CNP fraud like we did across the pond when EMV became ubiquitous over there? I suspect that we will, at least until the mag strip goes away, but I’d like to hear what the real experts think.

  • 2 Avivah Litan   August 11, 2011 at 8:40 am

    Great question and point, Tom. Yes, I think history will repeat itself, so you just need to be a ‘historian’ to conclude that we will see more online fraud as we have around the world when countries moved to EMV for card-present transactions. We will also see more cross border fraud when the magstripe data can still be used. There are solutions, however, to both these other fraud types and they will become more heavily utilized as EMV rolls out in the U.S.

  • 4 Merchant Link SecurityCents :: Encryption Tokenization :: Visa Announces Extension of the TIP Program but Lacks Provisions for Data Security   August 17, 2011 at 1:12 pm

    [...] several analysts and my fellow bloggers have pointed out, this program says at least as much about Visa’s focus on NFC as it does about EMV. But, [...]