The recently disclosed data breaches at Target Corp. and Neiman Marcus Group have breathed new life into an industry dispute over how to account for network choice in routing EMV debit transactions.
The ATM Industry Association on Tuesday issued a statement critical of MasterCard Inc. for earlier this month declaring it is sticking to a key October 2015 EMV deadline, despite the absence of industry agreement on the routing question. MasterCard, Visa Inc., and other major networks have set a so-called liability shift for October of next year in which responsibility for a counterfeit card transaction at a retail point of sale will rest with the party that is not prepared for EMV.
The shift for the ATM industry occurs October 2016 under MasterCard’s current plan, and October 2017 under one promulgated by Visa.
In a Jan. 8 open letter setting out MasterCard’s reasoning for not extending the deadline, Chris McWilton, MasterCard’s president for North American markets, called the shift an important “incentive” for merchants, issuers, and other parties to implement EMV, which refers to the Europay-MasterCard-Visa chip card standard. In the letter, McWilton made an apparent reference to the Target breach, in which card and other sensitive data on up to 110 million consumers have been compromised. “In the wake of the recent reported merchant data breach, chip technology has gained even greater interest and rightfully so,” he said.
But in the ATMIA response Tuesday, David Tente, USA executive director for the Sioux Falls, S.D.-based ATM deployer association, says the liability “incentive” will work only if the payments industry can agree on a debit-routing solution for EMV.
“A liability shift date only serves as an incentive (albeit a negative one) if those subject to it have reasonable and timely access to everything they need for a complete deployment of EMV-capable terminals,” Tente says in the statement. “If widespread implementation by ATM acquirers and others is inhibited due to the lack of a generally acceptable debit solution, a liability shift has no impact on the level of fraud. It merely shifts those fraud losses from the issuer to the acquirer.”
Pointing to the relatively short time remaining until the 2015 deadline, the ATMIA statement calls on MasterCard to join regional debit networks in supporting a so-called common solution to the debit-routing issue. This solution was advanced last year by 10 regional debit networks that now compose a group called the Debit Network Alliance. MasterCard’s “support could be the breakthrough needed to accelerate progress toward EMV migration in the debit space,” Tente says in the statement.
Speaking to Digital Transactions News, Tente says MasterCard can’t dig in its heels on the liability-shift deadline without telling how it will solve the impasse over debit routing. Tuesday’s statement “was a response to [MasterCard’s] determination to maintain the liability-shift schedule,” he says. “They should show leadership and accept the common solution and get things moving.”
While ATM operators have a later deadline, Tente says that date isn’t likely to be met if merchants can’t meet the October 2015 deadline.
But in his open letter, McWilton indicated MasterCard is not prepared to modify its own solution, which it offered a year ago. Mindful of the uncertainty created by a federal court ruling last summer striking down the Federal Reserve’s routing and pricing regulations for debit, McWilton’s letter said: “We will not make any changes to the U.S. debit solution at this time.” That ruling is now in the hands of a federal appeals court.
A MasterCard spokesman did not respond to a request for comment on the ATMIA statement.
The standoff on debit routing stems from a requirement in the Durbin Amendment calling for merchants to have a choice of unrelated networks for each transaction. Unlike mag-stripe cards, EMV wasn’t designed to support routing choice, forcing the networks to create solutions that would meet the Durbin requirement. Complicating matters is that the Fed’s interpretation of the requirement, that merchants have a choice of unaffiliated networks for each transaction, was thrown out by the federal court ruling, which reads Durbin to call for at least two networks for each authentication method, PIN or signature.
While MasterCard and Visa have offered to license their own solutions, many of the country’s most prominent regional networks have rejected those offers and instead have proposed a solution that would be owned and managed equally by all participating networks.
The dispute had gone more or less quiescent until news of the Target breach put EMV back in the headlines. “No doubt Target is concentrating a lot of minds in boardrooms. We will see more people getting ready for EMV, even with this uncertainty [from the federal court decision], and more emphasis on point-to-point [data] encryption,” says George Peabody, a senior analyst at Glenbrook Partners, a Menlo Park, Calif.-based consultancy.
While the Target case is neither the first nor the largest such breach, it is having more impact on payments professionals, Peabody says.