Avivah Litan

A member of the Gartner Blog Network

Avivah Litan
VP Distinguished Analyst
12 years at Gartner
30 years IT industry

Avivah Litan is a Vice President and Distinguished Analyst in Gartner Research. Her area of expertise includes financial fraud, authentication, access management, identity proofing, identity theft, fraud detection and prevention applications…Read Full Bio

Coverage Areas:

Target and the EMV aftermath

by Avivah Litan  |  February 11, 2014  |  4 Comments

Target boldly told Congress and the world that it was escalating its $100 million EMV upgrade program and would implement it before the October 2015 deadline. Target is absolutely correct when it says that payment system security is a responsibility that needs to be shared across all players in the payment ecosystem – i.e. issuing and acquiring banks, card networks, processors, retailers and other card acceptors.

EMV will definitely help secure the card present payment systems, although estimates are it will take about 6 years to roll out across the U.S. to the point where U.S. card issuers can stop producing cards with magnetic stripes on them. In the interim we can expect card-present in-country fraud rates to decline commensurate with the pace of EMV adoption. Eventually (but not before 6 or more years), the criminals will be unable to use mag stripe data that they steal so they will be dis-incented from breaching companies like Target who accept payment card transactions.

That’s a very long time to wait and now that POS malware is rampant in the underground, it’s safe to assume the card data breaches and the arms race to secure vulnerable payment systems will continue.

So where does that leave merchants like Target:

a) They still have to secure their cardholder data environment and comply with PCI

b) They have to spend money upgrading their POS terminals to accept contact and contactless EMV chip payments.

c) As of October 2015, if they don’t upgrade their terminals and a physical chip card is presented to them, they have to eat any fraud that occurs as a result of that transaction (even though I’d expect the fraudulent transactions from chip cards to be minimal).

d) Significantly, merchants don’t get the liability shift if it’s a mobile contactless EMV payment.

e) That means that merchants may encourage consumers to use Mobile contactless EMV payments, the Visa and MasterCard standard for mobile payments.

f) Card issuers will also likely be inclined to issue EMV payment functionality by provisioning it to consumer mobile devices rather than issue a physical chip card (although they may do both). This way they keep their card production costs down and start ingratiating themselves with consumers and their mobile digital wallets.

g) Merchants again become ‘hostage’ to the large market grip of Visa and MasterCard when it comes to mobile payments – and lose one of their last holdout hopes of a channel they can control and so that they can avoid paying relatively high Visa and MasterCard merchant fees.

h) As EMV takes hold in the U.S. the fraud will shift to Card Not Present fraud as has happened in other countries. Merchants are already responsible for CNP fraud and will have to spend more money beefing up their CNP fraud detection systems in the future, in anticipation of this fraud migration.

i) And finally rates – I know there is a debate underway in the U.S. on whether or not the EMV Chip program here will be PIN or Signature based. Merchants prefer PIN; banks prefer Signatures. I’m guessing banks prefer signatures because it is advantageous to them – and disadvantageous to the merchants – economically. My guess is that the banks will win this debate even though PIN with Chip is more secure than just signature Chip.

So all in all – the banks come out ‘ahead’ and the retailers come out ‘behind’.

a) The U.S. gets a more secure in-store payment system, i.e. EMV

b) The retailers pay more money in fraud costs, mobile payment fees, and EMV related fees.

c) Visa and MasterCard and their card issuing banks dominate mobile NFC payments, lessening the chances for competitors with competitive rates to succeed.

I suppose that – other than squelching mobile payment competition which is a bad thing for the economy – this is a wash for U.S. consumers. What consumers lose in terms of having to pay higher prices from retailers (who have to cover their costs) – is equal to what they likely gain in terms of loyalty programs and other financial and customer service benefits from payment card issuers.

Would you rather pay more for laundry detergent if you got double frequent flyer points for buying it?

4 Comments »

Category: Uncategorized     Tags:

4 responses so far ↓

  • 1 Target and the EMV aftermath | All that Cuteness   February 11, 2014 at 5:28 pm

    [...] By Avivah Litan [...]

  • 2 Gary H.   February 11, 2014 at 6:15 pm

    No, I would NOT rather pay more. I am not a frequent flyer.

  • 3 Randy Vanderhoof   February 14, 2014 at 10:46 am

    [ f) Card issuers will also likely be inclined to issue EMV payment functionality by provisioning it to consumer mobile devices rather than issue a physical chip card (although they may do both). This way they keep their card production costs down and start ingratiating themselves with consumers and their mobile digital wallets.] I disagree. There can be no “mobile rather than cards” for issuers. It will be “mobile and cards” or cards only for many years. Issuers costs go up supporting cards + mobile. Merchants who enabled contactless will have the benefit of accepting all mobile payments options consumers bring in, not just the low cost options that merchants prefer.

  • 4 Dave Birch   February 16, 2014 at 7:11 am

    I suspect merchants will use the double frequent flyer miles to incentivise consumers to select “direct” solutions (e.g., MCX) via ACH over _any_ card-based option.