Making Sense of Retail Payments
It is hard to blame retailers for their skepticism. In the past five years they have been bombarded with changes to their payment card acceptance networks that have come at significant cost and provided little additional value. The mention of a term such as PCI, EMV, contactless or interchange rate is enough to send a chill down the spine of small shop owners and CIOs alike. The problem is that retailers view these changes as individual challenges rather than as an opportunity to re-evaluate their approach to retail payments, increase the security of their store systems and boost their bottom line.
In response to merchant concerns, Visa and MasterCard have pointed to the wide variety of payment options available to consumers and stressed that accepting payment cards is a business decision, not a requirement. Merchants argue that payment cards have become an industry standard to the point where they must accept multiple card brands or risk losing business. Merchants that choose to accept payment cards are bound by a card acceptance contract which mandates that any merchant who wishes to accept a specific card brand must accept all cards issued under that brand. The same contract forbids merchants from setting minimum dollar amounts for card transactions or imposing surcharges on certain types of cards. In effect, merchants are paying more for card processing with no added value, and there is nothing they can do about it.
It is obvious why the payment card industry is motivated to put standards in place to prevent large-scale data breaches, and at first glance the PCI regulations appeared to be a giant step forward in the security and protection of cardholder data. As the initial excitement has worn off, however, the PCI standard has revealed itself for what it really is: a method for card issuers to boost their bottom line while transferring the responsibility and risk of card payments to the merchant.
This point became clear when Heartland Payment Systems, a PCI DSS certified organization, fell victim to a data breach (the intrusion began in May 2008 and was disclosed in January 2009) that exposed the details of up to 100 million accounts to cybercriminals. Despite Heartland's certification as PCI DSS compliant and a successfully completed audit by a third-party Qualified Security Assessor, the company was condemned by much of the payment card industry. In the wake of the breach Heartland was immediately removed from Visa's list of PCI-compliant service providers, forced to recertify and hit with heavy fines.
This served as a lesson for many merchants who had been led to believe that PCI compliance was the end game rather than part of a much more intensive and far-reaching data security program. A PCI assessment attests to the state of controls on the day of the audit; it says nothing about the months that follow. Merchants were shocked to discover that the huge investment many had made in order to achieve PCI compliance did not guarantee immunity from an attack or a breach. Adrian Phillips, Visa's Deputy Chief Enterprise Risk Officer, refused to acknowledge Heartland's PCI compliant status and stated that "[Visa has] never seen anyone who was breached that was PCI compliant. The breaches that we have seen have involved a key area of non-compliance."
After enduring rising interchange rates and costly PCI compliance initiatives, only to be punished with increased risk and responsibility for card payments, many retailers have shown steadfast resistance to EMV migration. This resistance has not prevented more than 100 countries from taking the plunge in an effort to stem card fraud. The United Kingdom, which announced its adoption of the standard more than five years ago, leads all markets in EMV migration and therefore provides the most insight into how EMV performs relative to the assumptions that underlay the transition.
After the U.K. liability shift took effect on 1 January 2005 (PIN entry became mandatory at the point of sale a year later, on 14 February 2006), APACS, the U.K. payments association, reported a marked reduction in fraud for the year ending December 2005. Fraud due to counterfeit and lost or stolen cards fell by U.S. $110.5 million, a decline of as much as 31%. This alone appears to validate the primary intent of the new technology, but as with previous changes in the retail payments environment, the benefits of the standard accrue to issuers and associations while a large investment is required of the merchant. To avoid compounding merchant resistance, issuers and acquirers have been careful not to release cost estimates of their own migration efforts, and have simultaneously released studies that ignore or largely underestimate the costs for integrated merchants while justifying the migration solely on the much lower migration costs of merchants with stand-alone, non-integrated terminals.
Supporters of regulatory intervention in the structure of interchange fees typically ignore the evidence from the Australian market. Since 2003 the Reserve Bank of Australia (RBA) has implemented a series of regulations on the national payment card industry, most notably a reduction of interchange fees by approximately 50%. The merchants and lobby groups that argued for the reduction promised that consumers would benefit, the same fundamental argument that similar groups have promoted in Canada and the United States. Official reports on the state of the industry after five years of regulation stand in stark contrast to that assumption. The RBA's regulations have resulted in higher cardholder fees, reduced the value of rewards programs and eliminated the incentive for card associations and issuers to invest and innovate, and there is no evidence that these losses have been offset by price reductions or an improvement in the quality of retailer service.
The reduction in interchange rates that merchants seek will not come from government intervention in an industry that does not exhibit clear market failure; it will come from operational changes that increase efficiency within that industry. For decades the card associations have footed the bill for fraudulent use of their payment networks. With the introduction of mandatory data security standards, the payment card industry is taking a long-overdue step toward stemming fraud caused by insufficient security measures on the part of the merchant. Until standards were introduced, merchants had little incentive to secure cardholder data at all, and many kept payment card details in completely unencrypted files. PCI DSS now requires stored primary account numbers to be rendered unreadable (truncated, hashed, tokenized or strongly encrypted) and forbids storing sensitive authentication data such as full track contents, card verification codes and PIN blocks after authorization at all. As cybercriminals became ever more cunning, the retail industry focused primarily on reducing the theft of hard goods and largely ignored the growing threat to cardholder data. While it is true that the fines levied for non-compliance are exorbitant and more likely to bankrupt a retailer than to punish one, they force retailers to take individual responsibility for their security deficiencies rather than spread the cost of compromised accounts across the entire industry in the form of interchange rates. If PCI DSS reduces payment card fraud by the amount the card associations promise, the savings will far exceed anything achieved by mere government intervention.
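The paragraph above says that merchants kept card details in unencrypted files; the practical first step in PCI DSS scoping is finding those files. The scanner below is an added example written for this page, not code from the original article or from any vendor. It extracts 13 to 19 digit sequences, validates them with the Luhn check that all major card numbers satisfy, keeps only candidates whose prefix and length match a small, assumed brand table (Visa, MasterCard, American Express and Discover only), and reports them truncated to the first six and last four digits, the most PCI DSS permits to be displayed. The log lines are constructed for the example and the card numbers are the publicly known brand test numbers; the order numbers are 16-digit values that fail Luhn, and the reference number is a 13-digit value that passes Luhn but matches no brand, which is why the brand filter exists.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not preceded or followed by another digit (so we never start mid-number).
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


@dataclass
class Finding:
    line_no: int
    brand: str
    masked: str  # first six and last four digits, the PCI DSS display limit


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def card_brand(digits: str) -> Optional[str]:
    """Assumed prefix/length table for four brands; anything else returns None."""
    n = len(digits)
    two, four = int(digits[:2]), int(digits[:4])
    if digits[0] == "4" and n in (13, 16, 19):
        return "Visa"
    if n == 16 and (51 <= two <= 55 or 2221 <= four <= 2720):
        return "MasterCard"
    if n == 15 and two in (34, 37):
        return "American Express"
    if n == 16 and (four == 6011 or two == 65):
        return "Discover"
    return None


def mask(digits: str) -> str:
    """Keep first six and last four digits; never log a full PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(text: str) -> List[Finding]:
    """Return every Luhn-valid, brand-matching PAN in text, masked, with its line number."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if not luhn_ok(digits):
                continue  # order numbers, timestamps, phone numbers
            brand = card_brand(digits)
            if brand is None:
                continue  # Luhn-valid but not in a card range we recognise
            findings.append(Finding(line_no, brand, mask(digits)))
    return findings


def scan_file(path: str) -> List[Finding]:
    """Scan one file on disk; errors='replace' keeps binary junk from aborting the scan."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return scan_text(fh.read())


# Constructed sample: an order log of the kind a store system might write.
# Card numbers are the publicly known brand test numbers, not real accounts.
SAMPLE_LOG = """\
2009-03-02 order=1234567890123456 cust=alice card=4111 1111 1111 1111 exp=09/11
2009-03-02 order=1234567890123457 cust=bob   card=5555-5555-5555-4444 cvv=123
2009-03-03 order=1234567890123458 cust=carol card=378282246310005
2009-03-03 phone=442079460000 ref=9876543210987
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.brand} {f.masked}")
```

Run against a directory of log, export and database dump files this gives a first inventory of where cardholder data lives; anything it finds outside the documented cardholder data environment is either a scoping error or a storage violation. The brand table is deliberately small and should be extended for the brands a given merchant actually accepts, and the second line of the sample shows a separate problem the scanner does not flag: a CVV stored next to the PAN, which PCI DSS forbids regardless of encryption.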
The EMV standard could have a similar effect on interchange rates. While EMV migration globally is still in its infancy, its ability to reduce fraud is already apparent. Card associations have even begun to address the unequal distribution of costs and benefits through a variety of intra-system transfers designed as incentives for individual parties to act; chief among them are interchange subsidies and liability shifts. Under a liability shift, the loss on a counterfeit or lost-or-stolen transaction that a chip would have prevented moves to whichever party has not upgraded, whether an issuer still sending magnetic-stripe cards or a merchant without chip-capable terminals. The card associations have proved adept at using these transfers to build a critical mass of support among stakeholders whose business case for EMV is significantly better than that of the average merchant.
If payment card fraud is analyzed on a higher level, outside of retail payments and the association-issuer-merchant dynamic, taking billions of dollars a year out of the hands of criminal organizations is a positive benefit of EMV and PCI DSS that everyone can agree upon.
Since EMV migration in the U.K., fraud abroad has increased 11% as criminals turn to markets that have not yet adopted EMV in order to exploit stolen magnetic-stripe data. The mechanism is simple: chip cards still carry a magnetic stripe for backward compatibility, so the stripe can be skimmed and written to a counterfeit card that works at any terminal that does not enforce chip processing. At U.S. $380 million per year, fraud abroad accounts for 38% of total card fraud losses on cards issued in the United Kingdom, and fraud on U.K.-issued cards in the United States has increased 181% since the U.K. adoption in 2005. By comparison France, which was the largest target for fraud abroad on U.K. cards in 2005, adopted the EMV standard and has since seen fraud on U.K.-issued cards fall by U.S. $9.2 million per year, or 48%, over the same period.
Mexico and Canada are set to complete their EMV migration projects in December 2009 and October 2010 respectively, leaving the United States sandwiched between two EMV-compliant nations. With EMV projects already complete in Europe, Asia, Latin America and South Africa, the United States will be the last developed market to implement the international standard. While losses so far have been written off as a cost of doing business, fraud is expected to increase at an unprecedented rate once EMV adoption is complete in every other region. It is therefore only a matter of time until the cost of card fraud justifies the expense of upgrading the enormous card-acceptance infrastructure and the United States implements the EMV standard.
U.S. market demand for EMV chip cards is growing among consumers and issuers, two segments of the industry that have not traditionally led the push for adoption. Demand is increasing from consumers who more frequently encounter problems using their cards when travelling abroad, and from issuers that, keen to stay "top of wallet" in the extremely competitive U.S. card-issuing environment, see EMV as a new means of differentiating themselves.
Mobile payment implementations will allow merchants to further capitalize on their contactless payment infrastructure and offer immediate benefits in the form of faster transactions and improved customer convenience. Issuers and card associations will benefit by offering a new, differentiated payment service, increasing transaction volumes and extending their brands. These benefits, coupled with the fact that NFC phones will almost certainly use EMV-based contactless standards, only strengthen the case for impending EMV adoption in the United States.
The winners and losers in the constantly evolving retail payments landscape will be determined not by one's position as association, issuer, acquirer or merchant but by the decisions and tactics taken in the face of the monumental changes already underway. While some retailers continue to debate or deny the merits of PCI DSS and EMV, others have already leveraged these standards to transform their organizations for the better.