2015 is the year of EMV, as much for the various ways chip cards are causing anxiety for the payments business as for their putative benefits. But a host of other issues is keeping payments executives awake these days, as well.
Well, it seemed like a good idea at the time. Trouble is, that time was 20 years ago. That’s when payments experts first promulgated the idea of replacing the magnetic stripes on credit and debit cards with microprocessors that could lock down sensitive card credentials and introduce more speed and flexibility at the point of sale.
The technology, which seemed pretty advanced in 1995, was based on a standard developed and owned by three card networks, Europay (now part of MasterCard), MasterCard, and Visa, or EMV for short. Nowadays, it may seem a bit passe in a world boasting mobile technology and an Internet of Things.
Still, by 2015, the developed world—with one glaring exception—had adopted these chip cards. That exception would be the United States, which is now finally in the process of rolling out the EMV standard nationwide. But the rollout is causing a few headaches. These include an almost-certain upsurge in e-commerce fraud, consumer confusion in the store, a snarled certification queue, and a raging debate between banks and merchants over whether cardholders should sign for their EMV credit card transactions (favored by most banks) or use a PIN (backed by retailers).
The problems facing payments executives don’t stop with the EMV rollout. There are plenty of others that have nothing to do with the troublesome chip card. There’s the looming threat of increased regulation and seemingly endless litigation, nearly ubiquitous cart abandonment in mobile commerce, and more. See the bill of particulars in the paragraphs that follow as we present our ninth annual ranking of the 10 biggest issues in the payments industry
But there’s one thing the industry can celebrate: It continues to grow at a nice clip. Our annual estimate of electronic transactions (at the point of sale, in e- and m-commerce, and at the ATM) in the U.S. stands at 123.4 billion, representing a smart 4% average annual rate of increase since 2007, the last year of flush times before the financial collapse.
So break out a bottle of bubbly. It may be a bit too early for New Year’s Eve, but with the issues documented below, you may need some fortification.
1. Where Fraud’s Going Up
Many payments-industry executives and researchers predict that the coming of EMV chip card payments to the U.S. point of sale will spur fraudsters to move to card-not-present channels such as mail order/telephone order and especially the Internet.
The reason is that while EMV chips will take a big bite out of counterfeit and lost-and-stolen card fraud in stores, in CNP channels the new cards do not offer any more protection from fraud than the magnetic-stripe cards they’re replacing.
The U.S. officially became an EMV country Oct. 1 when the major payment card networks’ so-called liability shifts for POS payments took effect. If the experiences of older EMV countries are any guide, the U.S. indeed is in for a CNP fraud boom.
In the United Kingdom, face-to-face fraud plunged after the 2005 liability shift there, but CNP fraud jumped 79% in three years to £328 million ($601 million) before dropping back for a few years, according to figures cited in a 2014 report by Boston-based Aite Group LLC.
In Canada, CNP fraud rose steadily in the years just before its 2011 liability shift and continued growing, albeit at a slower rate, afterward. In 2013, CNP credit card fraud of C$299.4 million was 133% higher than its 2008 level of $128.4 million, according to Aite.
Some observers say the U.S. has employed better CNP fraud-control measures than most other countries, so the increase might not be as proportionately large as other countries’. And Javelin Strategy & Research expects most of any rise in CNP fraud in the next few years to come from the boom in e-commerce itself, not an EMV-induced migration of nefarious activity.
In any case, fasten your seat belts. For more on CNP fraud, see “Repelling the Card-Not-Present Fraud Assault,” this issue.
2. An Unsettled Settlement
The biggest court case in payment card history seemed to be headed for closure in July of 2012. That’s when merchants on one side and bank card networks and big banks on the other announced a settlement of the merchants’ class-action claims challenging credit card interchange and network rules. The settlement was valued at just over $7 billion in damages and temporary interchange reductions.
The merchants also were to get relief from what they said were some oppressive network rules, including those that restricted their ability to surcharge card transactions. In return, the merchants would be barred from suing Visa and MasterCard over interchange and rules.
It took almost a year-and-a-half for the complicated settlement, which capped a case that dated back to 2005, to win approval from Judge John Gleeson of U.S. District Court in Brooklyn, N.Y. Along the way, thousands of merchants, especially big ones, opted out of the damages part so they wouldn’t be barred from bringing similar cases to court in the future.
These so-called opt-outs reduced the total prospective payout to the class merchants to about $5.7 billion. Meanwhile, some merchants appealed the settlement to the Second U.S. Circuit Court of Appeals in New York. As a result of all the continued legal wrangling, distribution of the settlement funds from the card networks and banks has yet to be made in the case, known as MDL 1720.
As if that weren’t enough, a new threat to the settlement appeared in July. This one originated with the plaintiffs’ attorney in a merchant lawsuit challenging American Express Co.’s rules barring its merchants from steering customers with AmEx cards to cheaper forms of payment. The attorney had negotiated a $79 million settlement, but provided confidential case documents to a lawyer friend of his who happened to be one of MasterCard’s attorneys in MDL 1720.
That action caused the judge in the AmEx case to throw out the proposed settlement. It also inspired a group of about 30 merchants to challenge the pending MDL 1720 settlement on grounds that the negotiation process was compromised.
Attorneys for the MDL 1720 merchant class downplayed the notion that the leak was serious enough to scuttle the settlement, but it will be up to a judge to decide. No decision had been rendered as of mid-October as the case enters its 12th year.
3. Sky-High Dropout Rates in M-Commerce
This is one of those issues that has shot from the nervous-whispering stage to the “we need to find a solution for this” stage to the “we need a solution fast” phase. All in a matter of a few short years.
And no wonder. Remote commerce on mobile devices holds out great promise, but suffers intrinsically from the very nature of its form factor. People just aren’t happy about the tedium of typing out billing and shipping addresses, let alone card numbers, expiration dates, and card-verification values, on tiny mobile screens. So most of them abandon the effort, literally leaving merchants holding the shopping bag.
This spring, the Baynard Institute, a Danish company that researches the e-commerce shopper experience, found the overall online cart abandonment rate stood at 68.5%. But for remote mobile transactions specifically, most estimates put the rate much higher, sometimes greater than 90%.
Understandably, the rate is lower for tablets than for smart phones, but consumers are using tablets less often for m-commerce. Adyen, a gateway provider specializing in e- and m-commerce payments, says the tablet share of mobile traffic on its platform fell from 38.2% to 34% just in the six months through Sept. 30.
What to do? One promising technology is the so-called single-click checkout. PayPal Holdings Inc. has been pushing this capability for mobile commerce since its Braintree and Venmo units have found success with it for person-to-person payments and other applications.
The technology, which PayPal calls One Touch, lets users who log in separately check out on merchants’ mobile sites with a single click or touch, a process PayPal expects will reduce abandonment rates and boost merchant sales. The company projects One Touch will be available on half of its transactions by the end of the year, up from 5% this summer.
Others are looking at or implementing variations on this tokenized card-on-file theme. Startups emerged this year with platforms to enable so-called buy buttons for merchants and social networks. The platforms, which access online retailers’ inventory, allow consumers to buy with a single click.
Where all this is going, say some observers, is to a place where users won’t even be conscious of a “checkout” because the experience will have been entirely sublimated by the mobile app. A prominent example is what has come to be known as the “Uber experience,” in which the payment flow with the mobile car-hire service occurs entirely in the background, allowing passengers to simply exit the car at their destination.
4. False Declines
Most merchants probably think a fraud chargeback is worse than a perfectly good transaction that they rejected because of a so-called false positive—a fraud probability that turned out to be wrong.
But as it turns out, actual fraud is the smaller problem.
Last year, some 33 million U.S. adults had at least one transaction denied because of a false positive indicating fraud, according to research by Javelin Strategy & Research, Pleasanton, Calif. That added up to $118 billion in foregone sales. Meanwhile, real fraud totaled a relatively modest $9 billion.
Since many of these false rejections occur with high-end merchandise, the cost on a single lost transaction can be high. But it’s not a problem affecting only retailers. Issuers suffer, too, as they lose out on interchange income and as affected cardholders stick the card in the back of their wallets, using it sparingly or not at all. Yet, if issuers loosen their fraud controls and actual fraud occurs, cardholders will blame them for that, too.
And with the advent of EMV, look for the problem to get worse in e-commerce. That’s because criminals will shift their illicit activity to online marketplaces, prompting issuers to tighten fraud routines and leading to more false positives. Even in-store transactions could become more problematic. Most EMV cards are coming with magnetic stripes, allowing cardholders to continue swiping. But issuers looking for a so-called chip-on-chip transaction may automatically decline those transactions.
The problem is largely caused by fraud-analytics engines issuers have long relied on to authorize transactions. These engines sometimes get it wrong, but no technology is fool-proof.
Javelin’s advice? Issuers should rely more on a mix of mobile technologies to supplement those engines. These might include biometric authentication, geolocation, and two-way alerts, all of which can supply critical indications that a transaction is genuine.
5. Control of Tokenization
Don’t look now, but what had seemed a settled matter—at least for the time being—is about to become unsettled. The matter in question is who controls the vital function of token service provider (TSP).
That’s the key player that serves as gatekeeper to much of the nascent business of mobile payments. TSPs receive token requests from card issuers and in response convert actual card credentials into random strings of digits for transactions using Apple Pay, Android Pay, and other wallet programs. The tokens are useless to data thieves but allow mobile transactions to be processed accurately and securely.
The expected rapid growth of wallet platforms makes the TSP function increasingly vital, and right now it’s controlled by just three entities—American Express Co., MasterCard Inc., and Visa Inc. The three massive card networks have cannily positioned themselves squarely in the center of a burgeoning business that could generate nearly $500 billion in volume by 2020, according to Aite Group LLC, a Boston-based researcher. That’s from a base of just $7.5 billion this year.
There’s nothing new about the business of providing a token to mask a real primary account number for a payment account. Acquirers and technology companies have been doing this on a limited basis for years. But with the March 2014 release of tokenization specifications by EMVCo, the standards body for the EMV chip card system, and Apple Inc.’s launch a year ago of its Apple Pay mobile-payments service, tokenization has hit the accelerator.
Google Inc.’s Android Pay and Samsung Electronics Co. Ltd.’s Samsung Pay are now available to compete on the Android side with the iPhone-centric Apple Pay. And the rollout of EMV chip technology is equipping merchants with new terminals, most of which can also handle near-field communication, the standard that connects mobile wallets with the point of sale. Samsung Pay, indeed, also works with most mag-stripe-only terminals.
All of this makes the role of TSP look ever more enticing. And at least some issuers aren’t entirely convinced that the current hammerlock by MasterCard and Visa is a good idea. The two networks have said they won’t charge for tokens so long as the issuer processes with them, but skeptical issuers aren’t convinced that will always be the case. In any event, the networks do charge for every transaction they see, and that includes mobile.
The result of all this? Look for the emergence of more TSPs, says financial-services researcher Celent, to compete with the big networks. In fact, the firm foresees a sort of token gateway, what it calls a token requestor aggregator, that will link token requestors with TSPs created by issuers and processors.
But Celent cautions the TSP role isn’t suited to all comers. Interested parties will have to tread carefully.
6. Consumer Confusion Over EMV
How valuable to shoppers are a few seconds at the point of sale?
U.S. retailers are finding out as the migration to EMV chip cards begins in earnest. Long accustomed to a speedy swipe of a magnetic-stripe card through a card reader, consumers now face a new way to pay. EMV cards require dipping credit and debit cards into point-of-sale terminals—and then waiting for the authorization to arrive.
What might this mean for retailers now that their stores are dealing with the crucial fourth-quarter crush of business? Queues, already stretched because of the sheer volume of shoppers in the holiday season, could be affected even more by the additional few seconds an EMV transaction requires.
And that’s for consumers who know what they’re doing. Clueless customers may confess confusion with how to use the cards and require a little instruction from the cashier. Or they may just default to the mag stripe. But doing that will then trigger a prompt to use the chip, says Andrey Tikhonov, senior director of payment technology at Infinite Peripherals Inc. “Associates may need to ask customers if they are using a chip card, and check the card if necessary,” he says.
To counter some of the potential slowdown, most U.S. issuers are using signature instead of PIN as the cardholder verification method. “There will be some impact, although hopefully less by the time the heavy holiday-shopping period begins around Thanksgiving,” says Beth Robertson, managing director of Robertson Payments Services LLC.
“Consumers with chip cards are becoming more familiar with the process as various merchants convert,” Robertson continues. “There is some delay in card authorization, but it’s minimal and more about familiarity with and consistency of the process.”
But there’s one other obstacle at the checkout counter: confusion about the equipment. “One problem at present is that many merchants have not converted even if they have readers in place that appear to accept chip cards.” Robertson says. “This can result in delay at the checkout as consumers fumble to determine if they should swipe or insert their card and then follow the prompts associated with each particular merchant’s device(s).”
7. EMV-Lagging POS systems
Retailers rely on their point-of-sale systems for more than payments, but it’s the payments component that may produce some concern as the U.S. payment card industry moves ahead on its EMV chip card migration.
Merchants using standalone countertop POS terminals can easily get a new device that accepts chip cards. And larger retailers have the financial resources to make the needed upgrade. But those merchants using POS systems often have to rely on the software developer to provide an update that works with chip cards.
POS systems are a critical area for EMV implementation, says Thad Peterson, senior analyst at Boston-based Aite Group LLC. That’s because these systems are often sold and installed by value-added resellers and independent software vendors whose concern is with the larger POS system, not just payments. A further complication lies in the fact that the EMV upgrades must run a gauntlet of certifications for each processor and each application.
“The VARs and ISVs generally drive the mid-large retail market, and many of them aren’t as familiar with payments and EMV as organizations that are fully involved in payments,” Peterson says.
“There has been an issue with certification of solutions driven through this channel and some implementations have been delayed because of the certification process, which requires a separate certification for each network,” he adds.
Payments companies have devised several products to aid developers, such as software development kits that simplify EMV integration. They may, for example, enable a short piece of code that removes the sensitive card data from the POS software’s programming and sends it directly from the payment-acceptance device to the acquirer and on to the processor.
The service may supply the transaction amount, customer identification information, and other non-sensitive data to the software so the merchant still can track purchase activity.
“The biggest challenge to the middle market is that ISVs, integrators, or VARs, work for the merchant,” says Allen Friedman, director of payment solutions, North America, for POS terminal maker Ingenico Group. “They typically don’t get a lot of bulletins directly from the card brands,” limiting their knowledge of payment card changes. “They are somewhat reliant on the merchant to get information from the merchant’s acquirer and to pass it to them.”
8. Sound And Fury Over Signatures
To sign or not?
That is the question retailer groups continue to set before the payment card industry. In the U.S. migration to chip, most issuers—with a few exceptions—are using signature as the cardholder verification method for EMV credit cards.
PINs often are used in other countries, and retailer groups argue that U.S. credit cards should use that CVM as well. Issuers, citing consumer familiarity with signature for credit card transactions, are not budging. A major reason is that issuers don’t want to disrupt consumer behavior more than necessary during the EMV migration. They don’t want to see their cards disfavored by consumers who aren’t accustomed to memorizing and entering a PIN.
“If your card is suddenly harder to use, you lose top of wallet,” notes Rick Oglesby, senior analyst at Double Diamond Research, Centennial, Colo.
Even the FBI found itself in the middle of the skirmish when it released a public service announcement in October—that it later rescinded and revised—warning consumers that the new EMV chip cards “are vulnerable to exploitation by fraudsters” and urging them to enter a PIN instead of a signature during EMV credit card transactions.
But some issuers, like First Niagara Financial Group Inc., have opted for PINs, citing consumer feedback that they’d prefer PINs for all of their payment cards. Bank officials said they considered the arguments for sticking with signatures for chip credit cards, but concluded consumers would adapt to PINs.
One reason is that most credit card holders have debit cards, which rely on PINs. “We were very confident [that] the one con, a change in customer experience, we felt we could change-manage that,” a bank official says. A big part of that “change management” will come from an upcoming consumer awareness and education program by the company.
9. An End to Acquirers’ Free Pass on Regulation?
Banking may be a heavily regulated industry, but the industry’s merchant-acquiring segment has largely escaped the myriad rules covering lending and other core banking services.
The major exception is the Dodd-Frank Act’s Durbin Amendment, which in 2011 capped debit card interchange for large banks for the first time and imposed transaction-routing requirements intended to spur more debit network competition.
But now, more regulation seems almost inevitable. Recent surveys by the Federal Reserve Bank of Kansas City have identified a growing trend by governments around the world, including the U.S., to intervene in the payment card industry to correct a host of perceived problems, including allegedly too-high interchange rates and restrictive network rules for merchants (“An American Fortress,” May).
Any future U.S. regulations, however, are unlikely to spring from a sweeping new federal law. Instead, they will probably be promulgated by agencies under existing authority. Other de facto regulation could arise from the courts through antitrust actions.
The new bogeyman, in the eyes of some in the payments industry, is the federal Consumer Financial Protection Bureau, a creation of Dodd-Frank that has broad authority to set rules for many financial services.
Last April, the CFPB let it be known that acquirers were on its radar. As part of a lawsuit against allegedly fraudulent debt collectors, the agency also sued one of the nation’s largest acquirers, Global Payments Inc., and three independent sales organizations that provided payment-processing services to the collections companies. The CFPB said that the processors knew, or should have known, that the collectors were defrauding consumers.
The defendants are fighting the case in U.S. District Court in Atlanta, saying they were simply doing their job in providing payment services. In the industry’s eyes, the CFPB case brought back painful memories of Operation Choke Point, a federal effort to put fraudulent merchants out of business by denying them access to payment services. Acquirers said the real intent was to go after legal but controversial businesses such as payday lenders, debt collectors, gun dealers, and others.
The CFPB also has proposed broad regulations on prepaid cards.
Meanwhile, the U.S. Justice Department prevailed earlier this year in its antitrust case against American Express Co.’s anti-steering rules, which the government alleged unfairly restrict merchants’ ability to steer customers to cheaper forms of payment than AmEx cards. AmEx is appealing.
With the specter of regulation increasing, the Electronic Transactions Association, the national acquiring industry trade group, has bulked up its Washington lobbying staff and created caucuses to educate senators and members of Congress about payments issues.
10. The Slow Development of Faster Payments
Some time ago, payments players began expressing the sentiment that payments—the actual mechanics of clearing and settling transactions—were too slow. Startups were emerging to take advantage of the impatience of a new generation of users accustomed to instant results.
The good news is that the industry has responded. NACHA, the regulatory body for the automated clearing house network, finally won approval for a rule change allowing for same-day settlement, carving at least a day out of its 40-year-old process. And no less an entity than the Federal Reserve early this year emerged as a champion of faster payments.
The bad news is that the conveyance toward faster payments is far from an express train. NACHA’s rule change won’t take effect until September 2016, and even then only for credits, which are used in hourly payroll, person-to-person, and bill-pay transactions. Further phases, including one for ACH debits, take effect later. And even after all this, the process will still be too slow for some critics.
Perhaps with those critics in mind, the Fed, along with companies like The Clearing House Payments Co. LLC, are talking about faster payments. But the results so far have disappointed observers who had hoped the Fed would take a stronger hand in the matter. The Fed sees its role as that of “leader-catalyst,” stressing that the central bank isn’t in a position to mandate any particular faster-payments approach.
But the current approach appears increasingly bureaucratic. It includes two task forces, one dedicated to faster payments and the other to the vital function of security, that are at work under the aegis of the Fed. More than 320 executives from the industry sit on the former panel, which is expected to wrap up its work—with a set of recommendations—by December 2016.
Still, once the process is finally finished, it will have ushered in a huge change in the way the nation processes payments. As one Fed official this summer reminded the audience at a payments conference, “We have not made any major changes to the payments system since the ACH in the ‘70s.”