Target boldly told Congress and the world that it was escalating its $100 million EMV upgrade program and would implement it before the October 2015 deadline. Target is absolutely correct when it says that payment system security is a responsibility that needs to be shared across all players in the payment ecosystem – i.e. issuing and acquiring banks, card networks, processors, retailers and other card acceptors.
EMV will definitely help secure the card present payment systems, although estimates are it will take about 6 years to roll out across the U.S. to the point where U.S. card issuers can stop producing cards with magnetic stripes on them. In the interim we can expect card-present in-country fraud rates to decline commensurate with the pace of EMV adoption. Eventually (but not before 6 or more years), the criminals will be unable to use mag stripe data that they steal so they will be dis-incented from breaching companies like Target who accept payment card transactions.
That’s a very long time to wait and now that POS malware is rampant in the underground, it’s safe to assume the card data breaches and the arms race to secure vulnerable payment systems will continue.
So where does that leave merchants like Target:
a) They still have to secure their cardholder data environment and comply with PCI
b) They have to spend money upgrading their POS terminals to accept contact and contactless EMV chip payments.
c) As of October 2015, if they don’t upgrade their terminals and a physical chip card is presented to them, they have to eat any fraud that occurs as a result of that transaction (even though I’d expect the fraudulent transactions from chip cards to be minimal).
d) Significantly, merchants don’t get the liability shift if it’s a mobile contactless EMV payment.
e) That means that merchants may encourage consumers to use Mobile contactless EMV payments, the Visa and MasterCard standard for mobile payments.
f) Card issuers will also likely be inclined to issue EMV payment functionality by provisioning it to consumer mobile devices rather than issue a physical chip card (although they may do both). This way they keep their card production costs down and start ingratiating themselves with consumers and their mobile digital wallets.
g) Merchants again become ‘hostage’ to the large market grip of Visa and MasterCard when it comes to mobile payments – and lose one of their last holdout hopes of a channel they can control and so that they can avoid paying relatively high Visa and MasterCard merchant fees.
h) As EMV takes hold in the U.S. the fraud will shift to Card Not Present fraud as has happened in other countries. Merchants are already responsible for CNP fraud and will have to spend more money beefing up their CNP fraud detection systems in the future, in anticipation of this fraud migration.
i) And finally rates – I know there is a debate underway in the U.S. on whether or not the EMV Chip program here will be PIN or Signature based. Merchants prefer PIN; banks prefer Signatures. I’m guessing banks prefer signatures because it is advantageous to them – and disadvantageous to the merchants – economically. My guess is that the banks will win this debate even though PIN with Chip is more secure than just signature Chip.
So all in all – the banks come out ‘ahead’ and the retailers come out ‘behind’.
a) The U.S. gets a more secure in-store payment system, i.e. EMV
b) The retailers pay more money in fraud costs, mobile payment fees, and EMV related fees.
c) Visa and MasterCard and their card issuing banks dominate mobile NFC payments, lessening the chances for competitors with competitive rates to succeed.
I suppose that – other than squelching mobile payment competition which is a bad thing for the economy – this is a wash for U.S. consumers. What consumers lose in terms of having to pay higher prices from retailers (who have to cover their costs) – is equal to what they likely gain in terms of loyalty programs and other financial and customer service benefits from payment card issuers.
Would you rather pay more for laundry detergent if you got double frequent flyer points for buying it?
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.