By early next year—and possibly by this year's holiday season—Wal-Mart will start accepting Chip-and-PIN cards at all U.S. locations, said Jamie Henry, Wal-Mart's director of payment services. Because of the global needs of the world's largest retailer—its stores in much of the rest of the world already required Chip-and-PIN—Wal-Mart's POS hardware in the States has supported Chip-and-PIN for years. (Well, Henry points out, it's not absolutely complete yet, even hardware-wise. But it's in place at 100 percent of the U.S. stores and 98 percent of the lanes in those stores.)
The POS software is not yet Chip-and-PIN compliant, but that should be in place "toward the end of this year or early next year," Henry said. "It's just a matter of coding to the specification." Wal-Mart has been able to repurpose much of that code from other recent POS Chip-and-PIN work for other countries—such as Wal-Mart Canada—and much of the rest is dealing with the U.S. payment authentication mechanisms.
But being able to accept such payments won't help Wal-Mart's security situation unless U.S. consumers start using the cards there. Right now, no card issuer in the U.S. has issued Chip-and-PIN cards so, with the exception of one specialty bank that supports United Nations employees. Most of these workers need cards that can work both in the U.S. (for when they leave the U.N. compound and venture into New York City or, heaven forbid, New Jersey) and in the countries they represent. Increasingly, non-U.S. retailers—especially in the U.K.—are strongly discouraging or even preventing the use of mag-stripe-only cards.
So when Wal-Mart is able to accept the Chip-and-PIN cards in January or so, what consumers would be in a position to offer them to get Wal-Mart goods? It's an admittedly small set. There will be small pockets of country cross-overs from our two Chip-and-PIN accepting neighbors, Canada and Mexico. Those Canadian and Mexican consumers could impact Wal-Mart stores in regions that abut the extreme North and South. Then there are those U.N. employees, tourists and other visitors from the rest of the world. Initially, that will be about it.
At best, it's hard to see those combined groups even breaking one percent of Wal-Mart's U.S. purchases. What's the plan to increase the U.S. acceptance of Chip-and-PIN?
Wal-Mart's perspective is that it wants the U.S. financial industry to at least agree to a timetable. "The United States has made no progress. We're not even on the field yet," Henry said. "My concern is that, every single day, merchants are making a decision on IT. Wal-Mart is pushing for 'Let's get a plan. We're going to plow ahead. We're going to do it.'"Henry said the chain is hoping that U.S. consumers will then start lobbying their banks to begin offering the EMV cards because they're more secure. But he conceded that American consumers' legendary security apathy—fueled overwhelmingly by the card brands' zero-liability programs—makes such a movement unlikely.
To avoid government action, the cause has to be embraced by the brands (primarily Visa) or at least by some of the largest card issuers. Wal-Mart has talked with all of them, and the reaction has been less then encouraging. That's hardly surprising. The clout of Wal-Mart and other chains is huge, but not on this issue.
Unless Wal-Mart threatens to stop accepting any MasterCard, AmericanExpress and Visa cards that are not EMV-compliant—which simply won't happen—there's little reason for Visa, MasterCard, Amex and the other brands to accommodate the retailer. That's especially true when such accommodation would be extremely expensive and intrusive. Please don't get us wrong. The card brands will almost certainly eventually make the move in the U.S., but they'll do whatever they can to delay and drag it out. Unless, of course, something else forces their plastic rectangular hand.
Henry's approach of getting consumers to pressure the issuing banks to make the move to Chip-and-PIN is a good one, but only on paper. What would motivate consumers to start such a campaign? Wal-Mart can't offer consumers a discount for using Chip-and-PIN nor a special checkout lane—something that worked wonders for RFID's EZPass during its launch mode, offering consumers lower prices coupled with faster checkout—because it sees that as a violation of its card agreement to treat all card customers equally, Henry said.
The lower card pricing would indeed almost certainly be a violation, but the dedicated checkout lanes probably would not. Still, it's academic; those checkout lanes would likely prove too expensive in the beginning because almost no one would be able to use them.
This is a classic chicken-and-egg problem: How do you incent people to get something that almost no one has? If you offer something compelling for only those who have the card, it works well. But it needs to be something that costs you nothing—or virtually nothing—until a significant number of people get that item. Keeping a lane open only for Chip-and-PIN holders will be a rarely used huge waste of personnel until the marketshare increases sharply.
So what could retail chains offer consumers to get them to pressure issuing banks to make the move? Not much, other than the vague notion of increased security. That approach suffers from two problems.
The first—and much more important—issue is simple apathy. American credit card consumers do not care about security because they see zero liability as protecting them from fraud, which is generally a very valid belief. For debit card users, though, the situation is much different. There is a very strong and truthful argument that debit card customers are very much at risk at mag-stripe cards, an area where zero-liability protections are much weaker.
Even if the banks do ultimately offer reimbursement, a compromised consumer may have bounced lots of checks and suffered major damage to his reputation, in addition to being unable to pay bills, in the meantime. A temporary credit on a credit card avoids all of that.
But it's almost impossible for retailers—especially Wal-Mart—to make that kind of a security argument to consumers, even for debit cards. That's the second key problem. To do so would require them to attack the security of cards that they accept today and that represent the overwhelming majority of their sales. Retailers can't argue that Chip-and-PIN is so much safer without telegraphing that the current cards are not safe. Not a wise move.Without consumer pressure on the issuing banks, it's unlikely the brands and the banks will make the move to EMV on their own. PCI could force the change, but the brands still have huge control over PCI so that's not likely to happen against the will of the brands. Wal-Mart's lobbyists are trying to push Congress and federal regulators to get involved because, in a process of elimination, that's probably the best shot to get Chip-and-PIN action any time soon. "Regulation is one way," Henry said.
How likely is federal action? Well, there are two types of federal action: legislative (make it a law to adopt—or to strongly encourage—Chip-and-PIN) and administrative policy (such as a procedural change from Treasury or Commerce that would provide the same kind of incentive).
Oddly enough, Wal-Mart's Henry points to some recent legislative activity (the financial overhaul bill, just passed by the Senate and expected to be signed into law this summer) as perhaps giving the card brands some incentives to move to Chip-and-PIN. The rationale is that the new law will make it harder to increase interchange fees, which will mean that the brands might have to absorb more of the risk costs. That in turn, Henry argues, will make the brands more open to the more secure Chip-and-PIN approach.
Too many ifs and possibilities exist for the brands to be moved, though. First, the legislation could still be tweaked in committee. Second, even if the law reads pretty much as the bill does today, there are still plenty of agency interpretation points. In short, there's no way to know whether there truly would be any additional limits on fees to cover fraud costs, nor if there will even be such a need because today's fees already cover a generous amount of risk coverage.
With that much uncertainty, it's unlikely Visa et al would be moved much.
What about more direct legislation dealing with Chip-and-PIN? That also seems highly unlikely. It's not a consumer hot button, so there's no great political reason for the administration of a member of Congress to push the issue. Even retailers will be unlikely to spend their political capital on this type of issue.
But getting relevant agencies to gently offer more flexibility for financial transactions that move through Chip-and-PIN? That seems much more likely, especially if it's made in the context of national security. Such a step remains a bit of a reach, but not too much of one. One huge potential attack on the U.S. will be a cyber-attack on its economy. If the payment card networks are all Chip-and-PIN based, such an attack becomes slightly—admittedly only slightly—less easy.
Although no one at Visa would discuss this topic on the record, one source working with Visa offered an interesting thought. He said that Visa might be more open to an EMV-like effort if it was softened. "Why not Chip-and-not-PIN?" he asked.
That's a perplexing suggestion. The general consensus has been that the brands are resisting EMV mostly because they want to delay going through the expense of the technology transition for as long as possible. But if this suggestion indicates Visa's willingness to move to a chip approach—which is where almost all of the expense of the transition resides—why resist the PIN?
Surely in a new EMV environment all interchange would be subject to change, so it's not necessarily like today's world where signature means more money to the brands. Besides, virtually no one checks signatures anymore (not that they ever did, at least not in a meaningful and consistent way), so it seems silly to start a new system with signature.
Either way, given the comments from Wal-Mart's Henry about signature-based charges ("As far as we are concerned, signature is a waste of time. It has to be PIN or nothing"), that doesn't sound like an idea that will go too far with retailers.