Gartner Blog Network

Second Thoughts about Visa’s EMV program

by Avivah Litan  |  August 9, 2011  |  4 Comments

Visa’s announcement of a move to the EMV standard in the U.S. is both welcome and long overdue and should eventually lead to a substantial reduction in counterfeit plastic card fraud. With the U.S. – the last major market EMV holdout – finally onboard, it will also enable the eventual death of the Achilles Heel of card security – the magnetic stripe on the back of the card that stores cardholder authentication data. This will lead to a substantial reduction in global, domestic and cross-border fraud.

What’s not in it for the Merchants and card acceptors?

Despite the strong security benefits, Visa and the card issuers come out much farther ahead in this program when compared to the merchants, as generally seems to be the case when it comes to card industry events. With this program, Visa and the card issuers “incentivize” the merchants to upgrade their point of sale equipment to accept mobile contactless NFC payments as well as plastic card contact payments. (In other parts of the world, the terminal upgrades Visa required were restricted to enabling just plastic contact card acceptance). Unless the merchants adopt this ‘dual interface’ technology, they won’t benefit from potential ability to escape annual PCI compliance validation (except their first one), which is a key incentive merchants have in adopting this Visa program.

Further unless MasterCard, American Express (and Discover) launch similar EMV adoption programs, merchants will still have to validate each year for PCI compliance to these other card brands. In addition, most Level 1 and the majority of Levels 2 and 3 merchants are already PCI compliant. So while merchants may eventually save about $30,000 to $55,000 on the annual cost of PCI audits and assessments (if MasterCard and American Express join the fray), they will now need to fork out at least $30 a payment terminal upgrade to enable chip payments, plus unpublished activation, installation and maintenance fees. The new upgrade fees will almost surely amount to more than the annual PCI audit fees for most large merchants.

Finally, given that at least 75% of merchant Visa transactions must originate from chip-enabled terminals, the merchants won’t stand a chance of gaining the benefit of not having to validate PCI compliance annually until at least 2016 or later. That’s well after most will have spent all the money on terminal upgrades and years of annual PCI audits.

What’s in it for the Issuers and Visa?

Besides benefiting from merchant paid-for terminal upgrades and stronger card security that will reduce the counterfeit fraud issuers are responsible for, the card issuers can now start to count on many merchants trying to avoid annual PCI compliance validation having the equipment to accept mobile NFC payments. And rather than spend the money issuing new smart EMV chip cards to their customers, the issuers can rely to a large extent on consumer-owned mobile phones that are capable of transmitting NFC-based EMV payments. This will enable the card issuers and Visa to compete much more forcefully in the mobile payments world, and not necessarily have to concede market leadership to non-bank players like Google and Apple. The latter companies can benefit from the merchant terminal hardware upgrades done for Visa EMV payments, but if they use different non-EMV payment instruments and standards, they will have to figure out the complex logistics and incentives involved in activating merchant payment terminals with their own message formats and routing the payments to their own payment ecosystems.

Visa card issuers can also avoid spending money on manufacturing and distributing relatively expensive plastic chip cards and will instead invest in lower cost software applications and ‘trusted’ services that provision and manage mobile EMV payment services to already-paid-for consumer mobile phones.

Further, under the new Visa program, issuers are able to shift even more of the counterfeit plastic card present fraud over to the merchants than they do today, if the merchants don’t have their payment terminals chip ready by October 2015. According to the 2010 Federal Reserve Board report on Debit Interchange fees, 57% of reported fraud losses across all types of transactions were borne by issuers and 43% by merchants. Now with the announced liability shift, U.S. merchant fraud liability share will dramatically escalate above the 43% they bear today if they don’t chip enable their terminal payment acceptance.

Interestingly and notably, Visa did not extend the shift in fraud liability from issuers to merchants for mobile contactless payments and just kept the shift with plastic contact card payments. Merchants already pay higher rates for NFC payments, according to retailers Gartner has spoken with, which naturally disincents many of them from accepting them. It seems to me from this liability shift exemption, that Visa is doing everything it can to promote contactless payment adoption among the merchants and doesn’t want to give them any excuse to push back from accepting them. Visa and the card issuers understand well that widespread merchant adoption is key to NFC EMV-payment success. And that’s good business for the card companies because it will boost their merchant fee revenues.

No one can argue against stronger card security and in that sense this program is a very good move. However, in the end, it seems to me that the merchants are paying more than their fair share, just like I think they are today when it comes to card fraud and security.


Avivah Litan
VP Distinguished Analyst
19 years at Gartner
34 years IT industry

Avivah Litan is a Vice President and Distinguished Analyst in Gartner Research. Ms. Litan's areas of expertise include endpoint security, security analytics for cybersecurity and fraud, user and entity behavioral analytics, and insider threat detection. Read Full Bio

Thoughts on Second Thoughts about Visa’s EMV program

  1. Tom Mahoney says:

    For me, at least, the bigger question is how this will impact on-line merchants. Will we see a significant increase in CNP fraud like we did across the pond when EMV became ubiquitous over there? I suspect that we will, at least until the mag strip goes away, but I’d likke to hear what the real experts think.

  2. Avivah Litan says:

    Great question and point Tom. Yes I think history will repeat itself, so you just need to be a ‘historian’ to conclude that we will see more online fraud as we have around the world when countries moved to EMV for card-present transactions. We will also see more cross border fraud when the magstripe data can still be used. There are solutions however to both these other fraud types and they will become more heavily utilized as EMV rolls out in the U.S.

  3. […] via Second Thoughts about Visa’s EMV program. […]

  4. […] several analysts and my fellow bloggers have pointed out, this program says at least as much about Visa’s focus on NFC as it does about EMV. But, […]

Comments are closed

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.