Peter Lucas
The card networks’ gambit to rapidly accelerate EMV terminal rollout by waiving PCI compliance reporting for merchants is falling short.
Sometimes what looks to be a great deal is not all it’s cracked up to be. Offers by the payment card networks to accelerate the U.S. deployment of point-of-sale terminals that accept Europay-MasterCard-Visa (EMV) chip cards by waiving annual validation with the Payment Card Industry data-security standard (PCI) for merchants have been met with little more than a collective yawn.
Visa Inc. first introduced the incentive, which it dubs the Technology Innovation Program (TIP), to the U.S. market in August 2011, when it announced a multipronged plan to bring EMV payments to the last big industrial country still wedded to fraud-prone magnetic-stripe credit and debit cards.
TIP took effect in October 2012. Both MasterCard Inc. and Discover Financial Services have announced similar PCI reporting waivers for EMV-enabled merchants.
But payment executives and consultants say the adoption needle for EMV terminals in the United States has hardly moved. Pleasanton, Calif.-based Javelin Strategy & Research late last year estimated that about 10% of merchant locations have EMV-capable terminals.
Of course, it’s still early in the game and the PCI incentives could prove effective over time.
But some payments executives say merchants’ seeming early indifference to the incentives can be traced to several factors. The biggest is that the incentives do not actually relieve merchants of their obligation to annually conduct PCI audits, for which the largest merchants may pay $1 million or more.
Instead, TIP and related programs merely eliminate the need for merchants meeting the specified threshold for EMV transactions to report the results of those audits to the card networks.
“TIP does not remove the requirement for being PCI-compliant, just the reporting on compliance to the associations,” says Craig Tieken, director of product for Hauppauge, N.Y.-based TransFirst LLC, a large registered independent sales organization for Wells Fargo Bank. “Most, if not all acquirers—TransFirst included—continue to require their Level 1 and 2 merchants to submit proof of PCI compliance, and require their Level 3 and 4 merchants to complete the annual Self-Assessment Questionnaire and, if applicable, quarterly vulnerability scans supported by their PCI programs.”
Merchant acquirers also are quick to point out that while both the PCI and EMV standards were created to prevent fraud, they serve separate purposes and therefore no direct connection between them exists. As a result, the business case for TIP, which Visa rolled out earlier internationally, is weakened, according to some observers.
The bank card networks mandate merchants to validate compliance with the PCI standards to assure that the cardholder data they hold and transmit to their acquiring banks are secure. The networks deputize acquirers to enforce PCI compliance.
Large and mid-size merchants are required to validate compliance annually through audits conducted by a Qualified Security Assessor (QSA). Smaller merchants can perform PCI validation via the Self-Assessment Questionnaire, or SAQ.
‘A Bit Confusing’
EMV, on the other hand, prevents fraud by validating the authenticity of the card used to initiate a purchase to the POS terminal and vice versa. Validation is performed by the terminal communicating with secure elements within the card’s EMV chip before the exchange of any account data. In many countries, EMV card users also must enter a PIN to authenticate themselves at the time of purchase.
“The incentive to adopt EMV is to prevent card fraud and PCI is a data-security standard, so there is not much of a connection between the two standards,” says Eric Barth, senior director, Product Merchant Segment, for Total System Services Inc. (TSYS), a Columbus, Ga.-based processor. “PCI audits are a best practice for acquirers, so it’s a bit confusing why the incentive was offered.”
‘Least-Favorable Incentive’
With no clear-cut connection between EMV and PCI and acquirers unwilling to waive PCI compliance for merchants, the rationale behind the PCI incentives is a head scratcher to some industry observers.
Many payment experts believe the networks went down this path because their older tactic of providing short-term interchange relief to merchants to develop new acceptance markets or technology apparently faces obstacles this time around.
The Durbin Amendment in 2010’s Dodd-Frank Act cut the interchange revenue of the leading debit card issuers by about 50% beginning in late 2011, and both debit and credit card issuers want to prevent more cuts, even if they’re temporary.
“Interchange discounts are the least-favorable incentive for the card companies, and with pressure building on interchange rates, that incentive is something the card companies are steering away from,” says David Fish, a senior analyst for Maynard, Mass.-based Mercator Advisory Group Inc.
Because there is an added cost to EMV adoption, however, payments experts believe the networks felt compelled to offer some type of incentive to merchants, especially smaller ones, to keep them on track with October 2015 deadlines for liability shifts for fraudulent transactions intended to spur EMV adoption.
About 60% of Level 1 and Level 2 merchants (the two largest merchant categories as measured by card transactions) are expected to convert to EMV terminals in time to meet the 2015 deadlines, according to Javelin.
The remaining 40%, the smaller merchants, are expected to move more slowly. Plus, the networks gave petroleum retailers with automated fuel dispensers an Oct. 1, 2017 liability-shift deadline because of the operational complexities of adopting EMV technology.
Merchants not in compliance at the applicable deadline will be liable for losses from card fraud. In the meantime, Visa is requiring U.S. acquirers, processors, and sub-processors such as ISOs to support merchant acceptance of EMV transactions, effective April 1.
San Francisco-based Visa, the largest card network, was the first to offer a PCI incentive for EMV. Merchants originating at least 75% of their Visa transactions through EMV terminals are eligible for TIP. Merchants are required to support both contact and contactless EMV cards, including contactless mobile payments based on near-field communication (NFC) technology.
But Visa has made it clear that TIP will not relieve merchants of the need to meet the PCI standards. In the press release announcing TIP’s U.S. rollout, Visa stated: “Qualifying merchants must continue to protect sensitive data in their care by ensuring their systems do not store track data, security codes, or PINs, and that they continue to adhere to the PCI DSS standards as applicable.”
‘Resource-Constrained’
Visa also said that it intends TIP to help merchants recognize the security benefits of EMV. It described the offer of waiving the PCI reporting requirement as a “tangible benefit” to merchants upgrading their terminals to be EMV capable. MasterCard and Discover later offered their own versions of the TIP incentive.
Visa declined comment on TIP and none of the other card brands responded to requests for interviews.
With merchants apparently not biting on the PCI incentive, they are likely to continue following their normal terminal-replacement schedules, according to payment experts.
In some cases, those schedules may go beyond the 2015 liability shifts set by Visa and MasterCard to spur deployments of EMV terminals. If that is the case, merchants will either have to speed up their replacement schedules or gamble that they don’t get hit by counterfeit-card fraud until they have replaced all their legacy terminals.
“Merchants view the TIP incentive—as well as those from the other card brands—differently depending on their EMV migration status, size, and current annual cost associated with compliance,” Erik Vlugt, vice president of product marketing for San Jose, Calif.-based VeriFone Systems Inc., the largest U.S.-based POS terminal maker, says by e-mail. “The EMV migration will certainly drive upgrades at merchants as the liability shift nears. As we get closer to 2015, some upgrade cycles will have to be accelerated.”
Although VeriFone sees EMV compliance boosting sales as the 2015 deadline nears, Vlugt adds that most large merchants are ensuring that replacement POS terminals scheduled for deployment before 2015 are EMV-ready.
“I wouldn’t say that [the] EMV [liability shift] has accelerated the migration in a significant way at this point as most large merchants are upgrading equipment as part of their planned upgrade cycles,” he says.
While the cost of a PCI compliance audit can run $1 million or more for the largest merchants, small merchants can perform an audit for $100 or less on average and mid-size merchants can do so for $1,000 or more. PCI validation costs are secondary for small and mid-size merchants to the resources needed to ensure ongoing data security and PCI compliance.
“Merchants are like banks and acquirers—they are resource-constrained in their technical organizations and any compliance project like PCI reduces the amount of time they can spend on other priorities,” Marc Abbey, managing partner at Linthicum, Md.-based First Annapolis Consulting Inc., says by e-mail. “I don’t think merchants are particularly focused on EMV at the moment and the card brands’ PCI incentives are not likely to change the priorities that merchants have otherwise set.”
‘Elephant in the Room’
One sticking point to EMV terminal deployment is that no mandate exists for bank card issuers to put EMV cards into circulation in time for the 2015 deadline. Javelin expects U.S. issuers to convert the bulk of their credit, debit, and prepaid cards to the EMV chip between 2014 and 2017. As of late 2012, less than 1% of U.S. credit, debit, or prepaid cards had an EMV chip.
“Issuer participation in EMV is optional, and issuers are not lining up to issue chip cards en masse in the near future,” says TransFirst’s Tieken. “If a merchant buys an EMV/NFC-capable terminal, yet no consumers present a chip card, either contact or contactless, the merchant will feel he made a poor investment.”
Another distraction for merchants is that they are trying to wrap their arms around how the Durbin Amendment will affect EMV conversion. In addition to its interchange price controls on debit card issuers with more than $10 billion in assets, the amendment as of last April required all issuers’ debit cards to provide access to at least two unaffiliated networks.
The intent is to give merchants more transaction-routing choices, thus increasing competition among networks for merchant business and in turn helping to hold down interchange rates.
While that requirement makes sense for magnetic-stripe cards, it poses a problem with EMV chip cards because the EMV standard supports multiple payment types, such as debit, credit, and prepaid, but not multiple card brands. For merchants looking to run a transaction made on an EMV card through one debit network rather than another, the inability to choose that network poses a problem.
“Once an EMV card goes into a terminal, the terminal reads the first network app on the chip and routes the transaction accordingly, which means merchants can’t choose what network to route the transaction over,” says Terry Dooley, senior vice president and chief information officer for the Johnston, Iowa-based Shazam EFT network. “With that being the case, many merchants are still trying to understand the implications of Durbin on EMV compliance as opposed to considering TIP.”
Some EFT networks have come up with a so-called common app that would solve the network routing problem by letting EMV cards support unaffiliated networks. Visa and MasterCard were expected to announce in mid-January whether they would support the common app or their own exclusive apps.
“[Durbin] is the elephant in the room,” says Dooley.
Terminal Rebates?
Finally, questions persist about what incentive PCI validation relief provides for micro-merchants to adopt EMV terminals. Micro-merchants typically embrace mag-stripe dongle card readers that plug into their smart phone and enable card acceptance, as opposed to using purpose-built mobile POS terminals.
“I don’t think the TIP incentive is stronger for micro-merchants,” says Abbey. “EMV may prove a challenge to the business models of the MPOS players who have relied on being able to provide a free app and a free dongle to a merchant who already owns a phone for other reasons.”
Given the apparent weakness of the PCI incentive and the confusion surrounding how EMV will impact debit card transactions under the Durbin Amendment, some payments executives believe the card networks need to beef up their incentives for EMV terminal adoption.
Besides a temporary break on interchange to help underwrite the cost of the terminal, another option could be a rebate on the cost of the terminal itself. There is a precedent for such hardware incentives. In the early days of contactless cards, in the mid-2000s, the networks offered subsidies for contactless readers.
“If the goal is to accelerate adoption of EMV-NFC technology, the incentive needs to be strengthened,” says Tieken. “At what point is the value [proposition for EMV] strong enough for issuers to issue chip cards? Until you can get the consumer demand [for EMV cards] high enough, merchants will continue to challenge the need to upgrade their POS terminals.”
Key EMV Dates
Oct. 1, 2012: Visa extends TIP to U.S. merchants. To qualify, merchants must process at least 75% of their Visa transactions on terminals capable of supporting contact and contactless EMV cards.
April 1, 2013: Acquirer and processor deadline for supporting merchant acceptance of EMV cards.
October 2013: MasterCard’s Account Data Compromise (ADC) relief takes partial effect (50%). Under ADC, if a merchant’s data are breached, MasterCard will shift liability away from the merchant, depending on whether it has EMV terminals.
Oct. 1, 2015: Liability for counterfeit point-of-sale bank card transactions shifts to merchants if they do not have EMV terminals.
Oct. 1, 2017: Liability shift takes effect for transactions generated from automated fuel dispensers.
Source: Card networks, Digital Transactions