Since the late 1990’s, the EMV (Europay MasterCard and Visa) protocol—which uses microchip technology embedded in a credit card—has ensured that cards could never be compromised at a retailer during a face-to-face transaction. A contact EMV transaction occurs when the microchip-enabled card is dipped into an EMV capable reader. Europe and the rest of the world outside of the U.S. adopted this technology and discovered a significant decrease in card fraud transactions.
In the U.S., merchants and issuers did not evolve from magnetic stripe transactions to chip-based transactions for a variety of reasons. The most critical factor was the cost associated with the conversion from magnetic stripe readers to newer terminals capable of reading chip cards—costs were significant for both card issuers and merchants. Large retailers were looking at incurring significant costs related to replacing multiple terminals at each store location—as a result merchants and card issuers explored other ways to mitigate the losses from the magnetic stripe card systems.
Unfortunately, fraudsters have capitalized on this inertia. As we have witnessed in the last few years, U.S. retailers have been in the crosshairs of cyber criminals worldwide. The criminals’ end goal was to accelerate the race to deploy malware on retailers’ point-of-sale devices, as businesses, in a very reactive way, arrive at solutions to thwart them. The cyber criminals have been very successful in compromising millions of cards in the last few years. This did help the payments industry to gather momentum to launch EMV in the U.S.
Apple Pay shifts the landscape
While the payment networks have established timelines and mandates, the word on the street is that it will be many years before all payments in the U.S. are made via EMV. Many retailers are not happy with the staggering costs of implementing safeguards piecemeal, as the payment landscape is changing rapidly. Many are asking the question as to how effective this will be when in the next five years people are more likely to be using mobile devices to make payments. Are there mobile payment solutions that could replace EMV? Merchants are also enticed by the opportunity that mobile presents to incent customers with real-time targeted promotions.
Apple’s introduction of Apple Pay shifts the payments landscape significantly away from EMV. Two of the requirements in implementing mobile payments are the ability to make payments with a phone at any physical merchant and the ability to control for fraud. Apple Pay addresses these two requirements very elegantly.
First, Apple facilitated the ability to make physical payments with an iPhone by installing an NFC (near field communications) antenna in the newer model iPhones. A few years ago, the three largest mobile network operators in the U.S. created a company called ISIS (now known as Softcard) to promote NFC payments using a mobile wallet. This initiative unfortunately had the first-mover disadvantage in their inability to get a critical mass of users, as consumers had to trade in their mobile phones for expensive NFC-enabled phones. Thanks to the advancement in mobile technology, a much greater share of phones will now start to have NFC capability. With the announcement of Apple’s use of NFC technology in their iPhones, this should accelerate the prevalence of NFC-enabled phones within a two-year period. And this would facilitate the use of mobile wallets to pay for physical or in-store purchases.
As the second factor to enable mobile payments, Apple addressed security with a one-touch solution. While current mobile wallets are authenticated by the use of passwords, Apple’s Touch ID is a very elegant way of authenticating a person using their fingerprint—allowing them to complete a transaction in just one step. Additionally, a consumer does not have to worry about the storage of their fingerprint data in a cloud database that may be susceptible to hacking. Apple’s Touch ID stores each fingerprint locally on the user’s device and encrypts every transaction with a one-time use token. This feature allows for even the most unsophisticated consumer to make physical payments securely. Similar technology is likely to be available very soon for the Android and other mobile platforms.
What does this mean for EMV?
Currently, some card issuers are replacing their magnetic stripe equipped cards with EMV-enabled cards, and some merchants are upgrading their terminals with EMV capable terminals. There is also an option for retailers to upgrade to more expensive combination readers that can read both contact and contactless EMV cards or NFC capability. If we assume, hypothetically, that all transactions will be made via the mobile phone, then most retailers will prefer to simply upgrade to less expensive contactless readers instead of the combination readers. However, the general assumption is that the majority of the transactions in the U.S. are likely to be conducted with a physical card for some time. That assumption could be challenged by Apple Pay system or similar technology.
In addition to terminal costs, a retailer has to incur additional costs to protect and store customer card data and comply with laborious data security standards. With Apple Pay-like initiatives, retailers do not receive any card information at the time of a transaction. They will receive encrypted information with a one-time use number that will be used for authorization and settlement. This allows the retailer to receive payments without worrying about the storage of sensitive customer data, thereby minimizing their liability. On the other hand, with EMV implementation, retailers will still have to worry about point to point security and end-point or terminal security and storage of sensitive data, albeit less than what they have to deal with for magnetic stripe data.
This could pose a dilemma for retailers. They must decide whether to first implement contact EMV readers, and then upgrade once again to NFC, with the added worry of storing sensitive customer card data and the associated costs that go with it, or to go with the Apple Pay-like implementation of NFC and incent customers to use their mobile NFC wallets.
Retailers prefer mobile usage by consumers, as it allows for ways to improve customer loyalty and shopping behavior. With the implementation of Apple Pay-like payment systems, retailers will realize a significant reduction in the cost of securing customer data, thereby freeing up these resources to improve profitability. This, combined with the fact that an average person upgrades her phone every couple of years, most retailers are unlikely to rush into EMV implementation. They will even be assuming liability for the next two years, as they will start to weigh the total cost of implementing EMV—including the associated data storage costs—against the cost of liability on fewer and fewer transactions that are likely to be card-based. Card issuers will slow the reissue of EMV chip cards as they find many consumers switching to mobile wallets. I think we will begin to see a push for NFC adoption, and I believe that this will signal the beginning of the end of EMV in the U.S.
About the author
Prakash Santhana is a director in the Analytics practice of Deloitte Transactions and Business Analytics LLP, where he leads the fraud management practice for payments, banking and securities. He has worked in the fraud/risk management groups of large credit card issuers and payment startups for over 20 years.