MasterCard Pushing EMV PIN. Visa? Not So Much

Tools

MasterCard's Monday (Jan. 30) rollout of its roadmap for EMV in the U.S. set it on the opposite side of payment security from Visa, with MasterCard pushing for EMV with PIN and Visa arguing that PIN isn't necessary. MasterCard is backing up its preference with some serious fraud-dollar forgiveness. Oddly enough, the much-smaller MasterCard has trumped—or, more precisely, nullified—Visa's position, at least as far as retailers are concerned.

Given that greater-than-99-percent of Visa retailers in the U.S. also accept MasterCard, chains must go along with whichever brand has the more strict requirements. Typically, that's been Visa, but not this time. On EMV-related PCI relaxations, however, the two brands opted to adopt identical policies.

The calendar part of the timetables are pretty similar, too, with both brands insisting that acquirers be able to handle EMV transactions by April 2013. It's the post-fraud promises where the two diverge. Visa's position can best be described as PIN optional, where the brand argues that PIN won't be needed in the U.S. and that implementing it might serve to slow down consumer acceptance by layering on another behavior change.

Put another way, Visa is arguing that the current EMV chip is so much more secure than magstripe cards today that the small additional level of security delivered by a PIN doesn't make that much of a difference. And if that small difference causes a slowdown in the card's acceptance, it may not make ultimate sense for retailers.

MasterCard this week made it explicit that it considers PIN to be the more secure approach and that it will back up that position with dollars. (Clearly, Chip-and-PIN is more secure than chip-and-nothing-else. But I digress.) MasterCard describes a liability hierarchy, with issuers and retailers on sort of a payment seesaw.

If the issuers are considered to be using the less secure approach—which MasterCard defines as anything other than PIN—then they have to absorb the costs of post-fraud cards being reissued, in addition to the direct costs of the crimes. If issuers and retailers are using the same approach, the costs still stay with the issuer. But if the retailer is using the less-secure approach, then it has to pay the fraud bills.

For the record, both brands have the same core position, which is that they are not requiring any retailer to do anything. But they can certainly telegraph their preferences and use money to persuade. "Merchants are free to adopt any technology that they want," such as adopting EMV or choosing to stay with magstripe, said Colin McGrath, the MasterCard VP for U.S. market development. "We're not going to dictate a particular cardholder verification approach."

That said, here comes the carrot and the stick. "If the retailer opts to go for PIN and the issuer is only pushing signature," McGrath said, "if fraud were to occur, the issuer would be responsible for that fraud."

Both brands are using the same entry benchmark, that 75 percent of a chain's payment transactions must be processed through an EMV terminal that supports both contactless and contact. The E-Commerce and mobile implications are unclear. Such transactions today are typically limited to the card number, an expiration date and a CVV, with no practical way to access the chip data. The only way to do that would be with an EMV reader attachment for a desktop/laptop/mobile device, which is certainly not the typical arrangement for most U.S. E-Commerce and M-Commerce transactions today.

Therefore, if a chain has enough online transactions, it might not be possible to process 75 percent of transactions through an EMV reader. Presumably, the intent is to encourage 75 percent of in-store transactions being processed through such EMV-friendly terminals.

If the retailer is pushing 75 percent of its transactions through an acceptable EMV terminal, MasterCard is promising to cut cost recovery in half by October 2013. Two years later (October 2015), MasterCard will make the reductions 100 percent.

Why not make it 100 percent as soon as the retailer hits the percentage of transactions?Why not make it 100 percent as soon as the retailer hits the percentage of transactions? McGrath said the delays are necessary, because MasterCard wants EMV to be sufficiently widespread before fully kicking in the reductions. "There needs to be a certain level of penetration for this to be most effective," he said. "We need the market to mature to a particular point."

The liability hierarchy seesaw also does not kick in until October 2015, according to MasterCard. Note: That liability hierarchy in October 2015 excludes fuel retailers, which don't get to participate in that program for another two years (October 2017).

The back-and-forth between the two top card brands on EMV specifics glosses over the fact that a fundamental investment argument has to be made to retailers that any of this is worth doing. Trinette Huber, the manager of Information Privacy and Security at Sinclair Oil, a $7 billion oil and gasoline company with 2,700 gas stations and convenience stores, made the argument on these virtual pages in November 2011 that both brands still have a lot of convincing to do.

After MasterCard described its roadmap and its incentives, Huber said she still is not convinced. "I don't understand how threats of having to pay for fraudulent cards is such a great motivator. So, pretty words but no substance on why retailers should consider this an opportunity," she said.

Verifone, which has a huge stake in the terminal side of this debate, opted to not be a cheerleader for the specifics of the MasterCard move, while taking a subtle dig at Visa. "We're awaiting further details from MasterCard but, at this stage, they seem firmly supportive of Chip-and-PIN EMV, whereas Visa appears somewhat indifferent," E-mailed Erik Vlugt, Verifone's VP of product marketing.

Not so sure I'd say Visa was being indifferent. More that it is super-nervous about making sure American consumers don't reject EMV the way they, for the most part, did not fall in love with contactless.

Randy Vanderhoof, the executive director of the Smart Card Alliance, said he sees both card brands in a very delicate position.

"The issuer has a really tough decision to make if they're a Visa issuer. Am I going to continue to absorb all of this fraud by relying on signature?" Vanderhoof said. "Should I implement PIN, knowing that introducing PIN is going to make EMV implementation more difficult? There's no question about that."

Then again, if the intent is to eventually support PIN, isn't doing it all at once the best way? As long as the consumer is going through disruption, isn't that the least painful time to introduce PIN? "Now would be a good time to do it," he said. Still, the argument about disruption also has merit: "Anything you layer on top of (the change) is disaster plus. Until we get EMV out in the field, we can't tackle these other issues. It's messy any way you cut it."

The challenge won't even be limited to training consumers to move from swipe (magstripe) to insertion (EMV). (Fortunately, few consumers ever got used to wave—contactless—so at least that behavior won't have to be unlearned.) Vanderhoof gives the example of a consumer walking into a favorite retailer with his new EMV card for the first time. The associate patiently explains how the new card needs to be inserted. But when that consumer walks into the retailer down the street, the same card still may have to be swiped.

But that is not so different from today, where different types of terminals force consumers to swipe on top or on the left or to have the card facing a different direction. In other words, consumers are already used to having the card processing drive them crazy.