Making Sense of Retail Payments

There is a new technology sweeping through the retail payments landscape that promises to revolutionize the way that consumers pay for goods and services. In the United Kingdom, the geographic region that is the furthest into their adoption process, this technology has been described as the biggest change in payments since decimalization, but is EMV, or chip and PIN as it is also known, really the silver bullet that Visa, MasterCard, JCB Co and American Express would have us believe? Retailers aren’t convinced it is.

It is hard to blame retailers for their skepticism. In the past 5 years they have been bombarded with changes to their payment card acceptance networks that have come at a significant cost and provided little additional value to retailers. The mention of a term such as PCI, EMV, contactless or interchange rate is enough to send a chill down the spine of small shop owners and CIO’s alike. The problem is that retailers view these changes as individual challenges rather than an opportunity to re-valuate their approach to retail payments, increase the security of their store systems and boost their bottom line.

The interchange rate refers to the percentage amount of each card based transaction that a retailer must pay for the right to accept a specific payment card brand. The interchange rate is tiered, with rates for standard cards ranging from 1.6% to 1.9% of each transaction and rates for premium cards significantly higher at 2.3% to 2.5%. It is the influx of these new premium cards that has increased the average monthly cost of credit card processing by 10% to 20% for many retailers. According to a study by investment firm Morgan Stanley, interchange costs in the United States will reach $32.4 billion by 2010. Merchants around the world have complained of their inability to negotiate these rates and in several geographies including Canada and the United States they have taken their concerns to the government in an appeal for increased regulation of the entire payment card industry.

In response to merchant concerns Visa and MasterCard have pointed to the wide variety of payment options available to consumers and stressed the fact that accepting payment cards is a business decision, not a requirement. Merchants argue that payment cards have become an industry standard to the point where they must accept multiple payment card brands or risk losing business. Merchants that choose to accept payment cards are bound by a card acceptance contract which mandates that any merchant who wishes to accept a specific credit card brand must accept all cards issued by that brand. The card acceptance contract also forbids merchants from setting minimum dollar amounts for payment card transactions or imposing surcharges on certain types of cards. In effect merchants are paying more for card processing, with no added value and there is absolutely nothing they can do about it.

A second blow to retailers came in the form of new data security best practices. The Payment Card Industry Data Security Standards or PCI DSS is a set of 12 rules designed to protect card holder data at the point of sale and within a retailer’s enterprise systems environment. This standard was created in response to a growing trend in high profile data breaches, such as those with T.J. Maxx and Hannaford Bros. Co., where a combined 50 million account numbers were stolen. According to the Ponemon Institute benchmark study, “2008 Annual Study: Cost of a Data Breach” in the United States the approximate cost per compromised account number to U.S. companies is $231. If you were to apply simple math to this research study, the value of the T.J. Maxx breach is over 10 billion dollars without consideration for fines and lost business.

It is obvious why the payment card industry is motivated to put standards in place to prevent data breaches of this magnitude and at first glance PCI regulations appeared to be a giant step forward in the security and protection of card holder data but as the initial excitement has worn off, the PCI standard has revealed itself for what it really is, a method for card issuers to boost their bottom line while transferring the responsibility and risk of card payments to the merchant.

This point became clear in May 2008 when Heartland Payment Systems, a PCI DSS certified organization, fell victim to a data breach that exposed the details of up to 100 million accounts to cybercriminals. Despite Heartland’s certification as PCI DSS compliant and a successfully completed audit by a third party PCI examiner they were condemned by much of the payment card industry. In the wake of the data breach Heartland was immediately removed from the list of certified PCI compliant organizations, forced to recertify and had heavy fines imposed upon them.

This served as a lesson for many merchants who were lead to believe that PCI compliance was the end game rather than part of a much more intensive and far reaching data security program. Merchants were shocked when they discovered that the huge investment many had made in order to achieve PCI compliance did not guarantee their immunity from an attack or a breach. Adrian Phillips, Visa's Deputy Chief Enterprise Risk Officer refused to acknowledge Heartland’s PCI compliant status and stated that "[Visa has] never seen anyone who was breached that was PCI compliant. The breaches that we have seen have involved a key area of non-compliance."

EMV is global standard for credit and debit payment cards based on chip card technology. These chip cards, or smart cards as they are also known, contain an embedded microprocessor and the microprocessor contains all of the information needed to use the card for payment. The chip is protected by various security features and is a more secure alternative to traditional magnetic stripe payment cards.

After enduring rising interchange rates and costly PCI compliance initiatives only to be punished with increased risk and responsibility in regards to card payments many retailers have shown a steadfast resistance to EMV migration. However, this resistance has not prevented more than 100 countries from taking the plunge in an effort to stem credit card fraud. The United Kingdom, which announced their adoption of the standard more than 5 years ago, leads all markets in EMV migration and therefore provides the greatest amount of insight as to how EMV will perform relative to the initial assumptions underlying the transition.

After the U.K. migration deadline of February 14th 2005, the U.K. payments association APACS reported a remarkable reduction in fraud for the year end of December 2005. Fraud due to counterfeiting and lost or stolen cards was reduced by U.S. $110.5 million dollars which was a decline of as much as 31%. This fact alone appears to validate the primary intent of this new technology but as with previous changes in the retail payments environment the benefits of this new standard would be experienced by issuers and associations while a large investment would be required on the part of the merchant. In order to avoid compounding this crisis issuers and acquirers have been careful not to release cost estimates of their own migration efforts and have simultaneously released studies that ignore or largely underestimate the costs for integrated merchants while justifying the migration based solely on the significantly lower migration costs of merchants with stand alone or non-integrated terminals.

While reviewing the vast library of negative press surrounding the payment card industry it is easy for many individuals and organizations alike to acquire a negative, one-sided view of the current retail payments landscape. In fact, the existence of many lobbyist groups is closely tied to their ability to slant various studies and statistics on the topic in this way. It would however be premature to end our analysis here. As with all good arguments, there is an alternative view point that paints a drastically different picture, one of a highly successful payments medium that supports the global economy and steadfastly focuses on security of its billions of subscribers.

Supporters of regulatory intervention in the structure of interchange fees typically ignore an analysis of the evidence in the Australian market. Since 2003 the Reserve Bank of Australia (RBA) has implemented a series of regulations on their national payment card industry. Most notable among these regulations is the reduction of interchange fees by approximately 50%. The merchants and lobbyist groups which argued for a reduction in interchange rates promised that positive benefits would be experienced by consumers, the same fundamental argument that similar groups have promoted in Canada and the United States. Official reports on the state of the industry after 5 years of regulation starkly contrasted this initial assumption. The RBA’s regulations have resulted in higher cardholder fees, reduced the value of rewards programs and eliminated the incentive for card associations and issuers to invest and innovate. In fact there is no evidence that these losses have been offset by price reductions or an improvement in the quality of retailer service.

It is clear that the reduction in interchange rates that merchants seek will not come as a result of government interference in an industry that does not exhibit clear market failure, instead it will come as a result of operational changes that promote increased efficiency within that industry. For decades the card associations have footed the bill for fraudulent usage of their payment networks. With the introduction of mandatory data security standards the payment card industry is taking a long overdue step in stemming fraud due to insufficient security measures on the part of the merchant. Until standards were introduced merchants had little incentive to secure cardholder data at all and many kept payment card details in completely unencrypted files. As cybercriminals became ever more cunning the retail industry focused primarily on reducing the theft of hard goods and largely ignored the growing threat to cardholder data. While it is true that the fines levied due to non-compliance are exorbitant and are more likely to bankrupt a retailer rather than punish them, it forces retailers to individually take responsibility for their security deficiencies rather than divide the cost of compromised accounts amongst the entire industry in the form of interchange rates. In fact if PCI DSS is able to reduce payment card fraud by the amount that card associations promise, the savings realized will be far beyond those experienced as a result of mere government intervention.

The EMV standard could have a similar effect on interchange rates. While globally EMV migration is still in its infancy, its ability to reduce fraud is already apparent. Card associations have even begun to address the unequal cost/benefit distribution through a variety of intra-systems transfers that have been designed as an incentive for individual parties to take action. Chief among these incentives are interchange subsidies and liability shifts. The card associations have proved adept in utilizing these intra-system transfers in order to achieve a critical mass of support from a group of stakeholders whose business case for EMV can be significantly better than the business case for the average merchant.

If payment card fraud is analyzed on a higher level, outside of retail payments and the association-issuer-merchant dynamic, taking billions of dollars a year out of the hands of criminal organizations is a positive benefit of EMV and PCI DSS that everyone can agree upon.

The United States is the largest country yet to announce an EMV migration timeline. Despite the fact that EMV offers greatly improved security over magnetic stripe, banks and merchants have shown little interest in footing the bill to distribute the cards and install the necessary readers at the point of sale. Some analysts have warned that the financial industry’s reluctance to adopt EMV in the United States will make the U.S. payment system a target for international fraud as criminals back away from markets with tighter security.

Since EMV migration in the U.K., fraud abroad has increased 11% as criminals look to markets that have not yet adopted EMV technology in order to exploit stolen magnetic stripe card data. At U.S. $380 million per year fraud abroad accounts for 38% of total card fraud losses on cards issued in the United Kingdom and fraud on U.K. issued cards in the United States has increased 181% since the U.K. adoption in 2005. By comparison, France which was the largest target for U.K. fraud abroad in 2005 adopted the EMV standard and has since seen a reduction in fraud on U.K. issued cards of U.S. $9.2 million per year, or 48%, over the same time period.

Mexico and Canada are set to complete their EMV migration projects in December 2009 and October 2010 respectively leaving the United States sandwiched between two EMV complaint nations. With EMV projects already complete in Europe, Asia, Latin American and South Africa, the United States will be the final developed market yet to implement the international standard. While losses thus far have been written off as a cost of doing business, fraud is expected to increase at an unprecedented rate once EMV adoption is complete in every other geographic region. It is therefore only a matter of time until the cost of card fraud will justify the expense of upgrading the enormous card-acceptance infrastructure and the United States will implement the EMV standard.

Another possible source of momentum for the U.S. migration is the growing acceptance of contactless payment cards. While it may initially appear that contactless and EMV are moving in opposite directions this is not the case. In fact EMV is a security protocol that works with contact and contactless chips. Visa is already using EMV specifications in their contactless payWave technology equipped cards that are accepted in the U.S., Canada and the United Kingdom. Merchants have been eager to adopt this technology because of the dramatic improvement in customer throughput that contactless payments provide.

U.S. market demand for EMV compliant chip cards is growing from consumers and issuers which are two segments of the industry that have not traditionally led the push for adoption. Demand for EMV chip cards is increasing from U.S. consumers as they more frequently encounter issues using their cards when traveling abroad and issuers that are keen to stay “top of the wallet” in the extremely competitive U.S. card issuing environment are looking to EMV as a new means to differentiate themselves.

The ability to pay for products at the point of sale by simply waving a cell phone near a reader device represents a new payments frontier in North America even though the technology has been in use in Japan since 2004. The NFC standard employs similar technology to that of contactless cards and will enable a wide array of mobile commerce services for cell phones, such as contactless payments and ticketing. Stakeholders in North America have demonstrated a strong interest in deploying mobile payments and are now actively implementing pilots. These pilots have shown that consumers find mobile payments to be both functional and convenient. Results which were not surprising as analysts have widely speculated that NFC will be an easy sell to consumers, who have already demonstrated a fondness for contactless payments.

Mobile payments implementations will allow merchants to further capitalize on their contactless payment infrastructure and offer immediate benefits in the form of faster payment transactions and improved customer convenience. Issuers and card associations will benefit by offering a new, differentiated payment service as well as increasing transaction volumes and extending their respective brands. These benefits coupled with the fact that NFC phones will almost certainly utilize EMV standards only emphasize the case for the impending EMV adoption in the United States.

The problem for retailers with the adoption of so many new payments technologies in a compressed time frame is that they have chosen to view each technology as an individual challenge and the tactics that they have taken as a result have been largely reactionary. Viewed as individual projects it is difficult for retailers to imagine a return on investment sufficient enough to warrant their migration to these new technologies. The point they are missing is that PCI, EMV, contactless and even NFC are not separate projects but rather a single opportunity to re-evaluate their entire approach to retail payments. Instead of augmenting obsolete bank code, retailers should instead consider implementing a modern retail payments application that is modular and flexible enough to incorporate solutions to both today’s pains and tomorrow’s opportunities. This new wave of applications that is already available in the marketplace also incorporates new functionality that allows retailers to easily transfer from one acquirer to another, effectively altering the balance of power and providing the merchant with the much desired ability to negotiate their interchange rates.

The winners and losers in the constantly evolving retail payments landscape will be determined not by one’s position as an association, issuer, acquirer or merchant but by the decisions and tactics taken in the face of the monumental changes already underway. While some retailers continue to debate or deny the merits of PCI DSS and EMV others have already leveraged these standards to transform their organization for the better.