When Apple rolled out its new hardware in October, along with its Lightning port, it created an annoying short-term problem for retailers, because the Lightning adapter it sells interferes with the card sleds retailers use. Until Lightning-compatible sleds start shipping, chains have to improvise. And even when those new sleds ship, the inventory of existing sleds will still require workarounds.
On Monday (Dec. 3), a European mobile and E-Commerce payments and POS card reader vendor (Adyen) introduced a device that can handle both magstripe and EMV, which certainly makes sense for Europe. The interesting part, though, is that the Adyen approach uses two units (a reader/scanner and the Apple or Android smartphone or tablet) connected by Bluetooth. That's a lot of hardware for an associate to lug around in the aisles, but it's apparently necessary (at least now) for the EMV functionality. It also nicely—if unintentionally—sidesteps the Apple Lightning problem. Indeed, Bluetooth would theoretically avoid other interface upgrade issues, too. Is the trade-off worth it?
As a practical matter, the Adyen approach requires at least four hands. Typically, customers would hold the 4.2-ounce (about 118 gram) card interface device (roughly 3.9 inches long, 2.7 inches wide and about 0.75 inches deep) in one hand while holding (or swiping) their payment card with their other hand. Meanwhile, the associate uses one hand to hold the mobile device (typically a tablet) and the other hand to type.
Speaking of trade-offs, the Adyen approach also raises an interesting EMV question for the U.S. When Adyen contacted us about its rollout, company spokesperson Eric Sokolsky said: "Adyen is looking to the future when EMV cards will be the standard format in the U.S." That is undoubtedly true, but the company is apparently looking with quite a powerful pair of binoculars, as it made this announcement with three simultaneous rollouts: London, Amsterdam and Berlin.
Sokolsky said Adyen is not even offering this approach for U.S. retailers at this time but would if any retailer requested it. Although that is hardly a rousing endorsement of U.S. retail EMV enthusiasm, it's probably a realistic one.
Adyen is "focusing on Europe for now, because that's where the EMV action is," Sokolsky said, adding that the company will roll it out to other geographies based on EMV market maturity. "That said, should a major retailer contact Adyen asking for the device, we will work with them on an individual basis."
Although the card brands are pushing readers to be able to handle EMV in the U.S., not many retailers have embraced EMV—for some very good reasons. There's a fine chance that a healthy number of readers will be able to handle EMV in a couple of years, but will consumers have such cards anytime soon? The changes within mobile payments are sufficiently up in the air that most chains want to see those events play out more before committing to EMV.
That all said, two U.S. issues may make EMV mobile card swipe capabilities more interesting than their countertop-based older cousins.
First, there's the age-old border issue, given that Uncle Sam is surrounded by two EMV strong supporters. As Walmart argued more than two years ago when it first tried pushing U.S. EMV, if you have to support EMV for Canadian and Mexican customers coming to stores in northern Minnesota, Maine, Vermont, North Dakota, southern Texas, California, Arizona or New Mexico (among other border states), you might as well standardize EMV chain-wide (as Walmart has done).Depending on where the chain has stores, that may or may not be a compelling argument. But it's certainly something to consider.
The other is the percentage game that the brands have laid out. MasterCard's plan—which is almost identical to Visa's plan—speaks of Account Data Compromise relief to start in October 2013 and kick in fully two years later. The carrot is that it will shift the cost of data breaches, including the cost of reimbursing issuers for distributing new cards and the cost of unauthorized transactions, to the issuers. But that will only happen if the chains use EMV contactless-and-contact terminals for 75 percent of all in-store transactions.
That's where the stats get interesting. Today, mobile in-store transactions are irrelevant numerically, because they are not likely to materially impact the overall number of transactions. In other words, even if zero percent of in-store mobile transactions were done through non-EMV-compliant devices, it's unlikely to make any major chain miss its 75 percent goal—assuming it would have otherwise made it through countertop card swipes.
Then again, mobile card swipes (both sleds and separate Bluetooth-connected devices) are relatively easy to swap out. And the small number of in-store mobile purchases is likely to become not so small by the end of 2013 and into 2014. So does it make sense to use EMV-compliant devices now?
For the moment, it's an academic question, because there are simply very few—if any—major-chain-ready EMV-compatible mobile devices available for the U.S. market. Adyen makes that point well. The company acknowledges the U.S. market, having offices in Boston and San Francisco, and yet even it is not willing to even offer the product for sale in the U.S.—except as a response to a special retailer-initiated request.
Square, one of the biggest and most active mobile payment players in the U.S., does not support EMV and hasn't said if it ever will.
Given the need for enterprise-level support for these payment devices, it probably makes the most sense for chains to wait for a major player—such as Square—to start supporting EMV. It's not a very risky strategy, because those firms will almost certainly start offering it as soon as EMV marketshare in the U.S. becomes significant.
The only wrinkle will be those percentages. If general mobile in-store payments start to soar and using a non-EMV device for mobile makes a difference if a chain qualifies for the card brand incentives, chains might be in the bizarre position of wanting to have an EMV-compliant device even though they have no intention of using it for any EMV cards.
This illogical situation is due to the brand rules that say a chain must push 75 percent of its transactions through an EMV-friendly device, while saying nothing about whether any of those transactions actually use EMV. There's a good reason why the brands did that: They want to have the infrastructure in place first, before trying to cause any EMV cards to happen.
Although Bluetooth is hardly the first choice of security execs, the Adyen approach seems to do encryption properly, claiming PCI PTS V3.0 compliance and—more critically—SRED validation. Of course, the application's security (or lack of same) would trump the device. But at least Adyen seems to be getting the device security right, which is more than most have done.