If the US does not go down the EMV road...

The debate over whether US should deploy EMV infrastructure or not has been intensifying of late. Some estimate the cost of deploying EMV in the US at $30B. Ms Baxley, retail payments management consultant, observed that Javelin Strategy estimates US EMV transition at a lower $5.5B. She also noted that, in lieu of EMV, leveraging contactless cards and readers [presently being deployed in the US] would adequately meet the payment card security needs while costing significantly less (even lesser than Javelin's estimates). As you might recall, contactless infrastructure being deployed in the US is based on Mag Stripe Data (MSD) fortified with dynamic CVx (in effect making a payment card number a one-time use card number). Please note that in this post, when I refer to US contactless cards/readers, I am referring to MSD with dynamic CVx (dCVx)

Debating card security aspects between EMV and US Contactless is an enticing topic, which can be set aside for another day and another blog.

Assuming that the US heads down the Contactlesspath (a significant leap of faith) as a means to enhance security of payment cards, let us look at the implications to the card payment infrastructure by fast forwarding to 2015 when US has transitioned to the brave new world.

• Cards: Cards would have to support both EMV applet and Contactless applets. Obviously, the cards would have to support both contact and contactless interfaces. Would we still need support for mag stripe on cards, for those still in the 20th century?
• POS infrastructure: Contactless readers supporting both US implementation and the EMV implementation would be necessary. Would US merchants need to offer support for EMV contact feature? Would ROW (Rest of the World) merchants need to support US contactless feature?
• Who is going to pay for retrofitting the global POS infrastructure to support both EMV and US Contactless.
• User Education: ROW consumers will have been educated (hundreds of millions of dollars of expense) of how and where to use contact EMV contact and contactless cards. It would be a very interesting consumer education experience and an expensive customer support issue of educating consumers, when they travel, about when and where contact cards are acceptable.
  

When you look at this picture, don't you long for the good-old-days of magnetic stripe cards, when one size fit all.

One of the lessons emerging from EMV deployments in Europe is that legacy support features (mag stripe on EMV cards) opens a large back door for fraudsters to take advantage of. As EMV cards reduced mail non-receipt, lost/stolen card, and counterfeit card fraud, online fraud and fraud abroad ballooned up. Card Issuers migrating to EMV were hoping for for 30% annual reduction in fraud, but realized only 10% reductions (APACS data), thereby significantly reducing ROI.

There are no silver bullets. However these are things that keep us awake at night.

As we look at the emerging economies of the world, payments card security is not a bottom-line issue (reducing fraud) but a top-line issue which communicates trust and security thereby bringing in large sections of population into the non-cash payments world, thereby growing the pie for all.

Where do you think that the payment card industry needs to be in the G-20 countries by 2015?

Card acceptance infrastructure in India: A perspective

I have been scouting Bangalore for innovations in the payments industry. Bangalore is as good a place as any in India to deploy new offerings. The economy is vibrant, consumers willing to try new things, retail space is hyper-competitive with enough investments coming in...

Let me first take a step back and frame the merchant payments space (to help provide context). Retail payments are characterized by:

• It is customary to see a retailer have card acceptance devices from multiple acquirers. Depending on the card provided by the consumer for payment, the retailer decides to run the card thru' the acceptance device that provides him the most favorable terms (which typically results in an 'On-Us' transaction)
• Though there are third-party acquirers (e.g., Venture Infotek), leading card issuers are also acquirers (e.g., ICICI, Citi, HDFC...)
  
• Smaller retailers will charge a fee of about 2% (surcharge) for purchases paid using payment cards. Some of these retailers may also share their POS terminal. They will run the card transaction thru' the neighboring retailer's terminal!
  
• Benefits of India's cash economy (by some estimates, about 50% of India's economy) handily overcomes cash-handling costs borne by the merchant
  
• As multiple acceptance devices are the norm at retailers, deploying new payment products is not as much of a challenge as you do not have to displace incumbents.
• Over 70% of sales are cash-based (based on my informal spot surveys; will update this blog when I am better figures and support links)
  

Quite a few of the high-end retailers accept chip-n-PIN (EMV) cards, though very few card issuers in India have deployed chip-n-PIN cards. This is primarily to cater to tourists and visiting Indian diaspora (high-end high-margin clientele). Indian card issuers seem to have bought time till 2011, by which time they are expected to have rolled out EMV cards. I am keeping my fingers crossed regarding this target date.

It was a pleasant surprise to see PayPass readers at retailers. However, the excitement was tempered after finding out that the deployments were part of a trial. I hope that commercial deployments follow (both by card issuers and acquirers).

[Updated Aug 20 '09] First Data is continuing to push into India, first with their relationship with Kotak Mahindra (link), and next with their association with Yes Bank (link). First Data also offers a payment gateway (Merchant Solutons), in association with Standard Chartered Bank.

While I started off the post talking about Bangalore, I would like it to end talking about Delhi. As you might be aware, Delhi is having a coming-out party of sorts next year. It is hosting the Commonwealth Games 2010. Watch out for unveiling of new payment products next year around this event.

If you are interested in following trends in the Indian Payments industry, this is the conference for you (Digital Payment Conference, Mumbai, Aug 21 2009)

Heartland breach, One-time credentials & EMV

The inauguration is over, and we are waking up to a new tomorrow. We are realizing, as is to be expected, that nothing much has changed in our lives.

The latest breach, at Heartland Payments Systems, was shocking. However, a cynic would say that after Madoff, the TARP fiasco, 8 years of Bush... the Heartland breach seems rather benign. Reports are that, as many as, 100 million accounts could have been compromised. To put this in perspective, TJX breach affected 45 million accounts.

Security audits, certifications et al are necessary. But these are essentially a cat-n-mouse game. As long as there is value in the data, the bad guys will continue to try to steal it (and they will occassionally succeed). Making payment transaction data worthless maybe a way to break this vicious cycle.

One-time credit card numbers is one way to get there. Orbiscom, recently acquired by MasterCard, offers such a solution. Citi, Paypal, among others, offer such payment cards.

Additionally, the US might need to get moving on adopting EMV / Chip-n-PIN. Creating magstripe payment cards using skimmed data is too easy. Creating chip cards using skimmed data is a tad tougher. As the rest of the world moves towards EMV, the US will increasingly be the soft target. I wonder what the trigger needs to be for the US payments industry to decide that cost to move to EMV is cheaper than status quo?

Feedback / Comments?