Written by Andrew W. Tarbox
EMV reminds me of the Laurel and Hardy line – “Well, here's another fine mess you've gotten us into…”
Twenty plus years ago the goal of EMV was to improve security, reduce fraud and maintain consumer confidence that cards and transactions were safe. The business case was largely driven around supporting offline approval of low value transactions. EMV was designed to support the issuer’s transaction requirements at the point of sale in a mixed online/offline environment. This included offline transaction dollar limit, card authentication and card holder authentication as well as signing the information to prevent altering the amount, replaying the transaction, or fraudulent transaction denial after the fact.
The business case for most of the world was straight forward; expensive regulated telecoms, limited bank processing and growing fraud. Indeed, when you did the math, migration to chip had a solid business case for most of the world. Unfortunately, here in the US the business case was always harder. This is because in the US virtually all the transactions were online, fraud was manageable, and moving to chip would cause a rise in card cost.
Fast forward to today and EMV migration in the rest of world is complete. However, US migration in many cases is moving forward with pain. And, there is plenty of blame to pass around from legislation to back-end system upgrades and more. Unfortunately, the result of this slow migration in the US is causing several problems for both merchants and consumers. For example:
Original Use Case
When we designed EMV, the process to get a transaction certificate (TC) was built to reduce two kinds of fraud. The first occurred when someone at the merchant organization changed the amount before submission. The second occurred when consumers denied a valid transaction causing a fraudulent charge-back. Therefore, having the TC as the final step ensured the amount was not changed and that the consumer had entered a PIN or another card holder authentication method.
Presently organizations are considering shortening the transaction time and flow by eliminating this last step (signing the transaction) so consumers can complete the transaction before the all the items have been scanned at the checkout. This will make the transaction process similar to what consumers and merchants experienced before EMV. One can argue that PCI protects against merchant modification of the transaction amount but this change will not address fraudulent chargebacks caused by nefarious consumers.
Without the TC, EMV in the US will be simply provide strong card authentication. I believe we should be very careful to consider the ramifications of this EMV process change and perhaps consider making it a merchant option rather than a wholesale change. Merchants should do the math. Will faster checkout with the risk of increased chargebacks save or cost money?
I believe that EMV at retail merchants is only a small piece in improving consumer payment. Truthfully, there is so much more that can be leveraged by this technology in order to increase merchant revenue and drive top of wallet for issuers. At Thornebrook we stand ready to help merchants, acquirers and issuers with EMV migration and much more.
As such, we are very excited to announce that we will joining the EMV Migration Forum this week at the meeting in Boston. We look forward to meeting as many members as possible and look forward to contributing to the implementation of EMV.
Finally, in my next blog I may tackle Signature versus PIN – “another fine mess” we’re now debating.