Thursday, October 1, 2009

If the US does not go down the EMV road...

The debate over whether US should deploy EMV infrastructure or not has been intensifying of late. Some estimate the cost of deploying EMV in the US at $30B. Ms Baxley, retail payments management consultant, observed that Javelin Strategy estimates US EMV transition at a lower $5.5B. She also noted that, in lieu of EMV, leveraging contactless cards and readers [presently being deployed in the US] would adequately meet the payment card security needs while costing significantly less (even lesser than Javelin's estimates). As you might recall, contactless infrastructure being deployed in the US is based on Mag Stripe Data (MSD) fortified with dynamic CVx (in effect making a payment card number a one-time use card number). Please note that in this post, when I refer to US contactless cards/readers, I am referring to MSD with dynamic CVx (dCVx)

Debating card security aspects between EMV and US Contactless is an enticing topic, which can be set aside for another day and another blog.

Assuming that the US heads down the Contactlesspath (a significant leap of faith) as a means to enhance security of payment cards, let us look at the implications to the card payment infrastructure by fast forwarding to 2015 when US has transitioned to the brave new world.

  • Cards: Cards would have to support both EMV applet and Contactless applets. Obviously, the cards would have to support both contact and contactless interfaces. Would we still need support for mag stripe on cards, for those still in the 20th century?
  • POS infrastructure: Contactless readers supporting both US implementation and the EMV implementation would be necessary. Would US merchants need to offer support for EMV contact feature? Would ROW (Rest of the World) merchants need to support US contactless feature?
  • Who is going to pay for retrofitting the global POS infrastructure to support both EMV and US Contactless.
  • User Education: ROW consumers will have been educated (hundreds of millions of dollars of expense) of how and where to use contact EMV contact and contactless cards. It would be a very interesting consumer education experience and an expensive customer support issue of educating consumers, when they travel, about when and where contact cards are acceptable.
When you look at this picture, don't you long for the good-old-days of magnetic stripe cards, when one size fit all.

One of the lessons emerging from EMV deployments in Europe is that legacy support features (mag stripe on EMV cards) opens a large back door for fraudsters to take advantage of. As EMV cards reduced mail non-receipt, lost/stolen card, and counterfeit card fraud, online fraud and fraud abroad ballooned up. Card Issuers migrating to EMV were hoping for for 30% annual reduction in fraud, but realized only 10% reductions (APACS data), thereby significantly reducing ROI.

There are no silver bullets. However these are things that keep us awake at night.

As we look at the emerging economies of the world, payments card security is not a bottom-line issue (reducing fraud) but a top-line issue which communicates trust and security thereby bringing in large sections of population into the non-cash payments world, thereby growing the pie for all.

Where do you think that the payment card industry needs to be in the G-20 countries by 2015?

No comments:

Post a Comment