Can’t Wait for the US to Migrate to EMV: The Musings of A Visitor

Can’t Wait for the US to Migrate to EMV: The Musings of A Visitor
Usually, during the Autumn season, I make a few trips to the United States for conferences and client visits. This year was no exception and I have recently come back from two trips to Las Vegas and San Antonio. EMV migration in the US was high on the agenda during both visits and I came back with two takeaways: 1) the US market is finally serious about EMV and preparations are going full steam ahead and 2) I am glad it is happening. All the data breaches at retailers, from Target to K-Mart Sears, have spooked the market and stirred it into action. Some of the major challenges, such as reconciling EMV with Durbin/ Reg II, have been resolved – on November 4, Vantiv announced it became the first US acquirer to successfully complete a debit EMV chip transaction compliant with Durbin. Most of the issuers are in the planning stages and beyond, even with debit. On September 30, Bank of America became the first major US bank to announce that all new debit cards with be EMV, while existing cards would be replaced at expiry. I am planning to soon publish a report on the US EMV migration, which will discuss what is happening in the market now and will address a number of questions we frequently get from clients, including some of the more advanced EMV topics, such as scripting, PIN management and multi-functional cards. In this blog I just wanted to share a personal story. Until the cards and terminals migrate, the fear of fraud at the US retailers is palpable, to the point where it is starting to impact consumer experience. During my brief shopping break I wanted to pay with my UK-issued chip card. As the amount was over $75, I was asked for a customer ID. I offered my UK driver’s license, which the cashier started diligently copying by hand onto the printed receipt. As it was a foreign license, he wasn’t sure which was what, so had to call his supervisor to check what exactly he should be copying. When he was done, I thought that would be the end of it, but unfortunately, I was mistaken. The cashier then took my card, placed the receipt on top it and started rubbing it with a pen to get the imprint of the embossed details on the card! Apparently, he had to do it because the amount was actually over $150… I could scarcely believe this was taking place in the 21st century… On a separate note, I must admit, 10 years of EMV in the UK made me deeply suspicious whenever at a restaurant I have to hand in my card and the waiter just runs away with it. In Europe, the waiter brings a handheld terminal to the table, I enter my PIN and the card never leaves my sight. I am not saying that this is an everyday experience for all US consumers these days. Perhaps I happened to go to a retailer with particularly strict anti-fraud policies, or they recognised a foreign card and wanted to take extra precautions, or I was simply unlucky. But I did not enjoy the experience. This is also not a smug boast how “we have it better here in Europe.” I actually think that the US is a hotbed of innovation and creative solutions emerging from the US such as Apple Pay are pointing to the future of what lies ahead for many of us. However, EMV will help with the “here and now.” Of course, there will be a learning curve for the US consumers as they get used to new chip cards, and there will be teething challenges during the migration, but it will be worth it for the market as a whole. And as a regular visitor, I just can’t wait for the US to migrate to EMV.

Trusting a Retailer with your Payment Credentials

Trusting a Retailer with your Payment Credentials
For some time now I have been talking about importance of payment acceptance in the digital world. I have been arguing that, by implication, in the war of digital wallets, there can be no single winner; the contexts in which consumers need to pay have become so diverse, that no single solution can hope to cover all bases. As a result, we are seeing the proliferation of open digital wallets. We are also observing the emergence of apps developed by retailers, restaurants and other service companies which focus on adding a digital layer to their primary service (i.e. shopping, serving food, hailing a taxi, etc.) with payment capabilities embedded within the app. I call this “contextual payments”; the concept is discussed in more detail in my upcoming annual report on Top Trends in Retail Payments. There are different ways how a service app (e.g. retailer’s app) can call on payments capabilities. One of the simplest ways is to ask the customer to provide and store their payment credentials (e.g. card, bank account, etc.) at the time of registration – think of Amazon and their “one-click” purchasing. In this case, a customer has to trust the service provider that their payment credentials will be stored safely and securely. That trust has just had a few big knocks. In December, Target, a large retailer in the US announced a data breach, and the latest estimates are that over 100 million customers have been affected. This was followed by a smaller-scale data breach announcement from Neiman Marcus, and apparently, there are a few other retailers that haven’t gone public yet. Debates are going on now about the impact on the industry and the effectiveness and relevance of EMV, PCI and other measures in┬áreducing the risk of such attacks. These debates are obviously important, but another issue fundamental to the success of mobile payments is the trust that customers have (or don’t) in various third parties asking for their payment credentials. I know people who refuse to open a PayPal account, as they are not willing to trust the company with their cards details, let alone bank account numbers. News from Target, Neiman Marcus and others can only do further damage to that level of trust. No wonder banks and schemes have started work on tokenization standards; tokenization by itself won’t be the answer to all the problems, but it’s a step in the right direction. The big question is what it will take to convince customers to trust mobile payments and companies that enable them.

Some Facts About Data Breach at Global Payments

Some Facts About Data Breach at Global Payments
Last Friday, the press began reporting about a major data breach at Global Payments, a large US card processor. As always in the early stages of such events, there were plenty of rumours and speculation with various sources reporting stolen card numbers to be as low as 50,000 or as high as 10 million. This morning, as I write this, Global Payments is holding a conference call to provide us all with more information. So, this is what we have directly from the company:
  • Up to 1.5m cards records “may” have been affected;
  • The incident is contained to North America only;
  • Only Track 2 data has been taken (not Track 1 data and not customer name, address, etc.);
  • Visa removed Global Payments from a PCI compliance list;
  • The incident does not involve any merchants, ISOs or customers and occurred on some “local servers” at Global Payments;
  • Due to the ongoing federal investigation, the company can’t be specific about timelines, but did confirm that “about 3 weeks ago” it discovered that some card data “may have been taken” and immediately contacted federal law enforcement agencies and the schemes;
  • Customers are “encouraged to be vigilant”. Also, the company is setting up an information site for consumers which should be operational later today: http://www.2012infosecurityupdate.com/
The trading of Global Payments shares was suspended on Friday and the full impact on the company remains to be difficult to estimate at this stage. However, the executives on the call remained positive and stressed that the company:
  • Continues to process all card transactions, including Visa;
  • Is working with the schemes and other parties to address the situation; “~100 people are working on this”;
  • Intends to get its ROC (Record of Compliance) back “as soon as it is humanly possible”;
  • Will continue with its planned investments in other areas, but also will “spend even more on security” going forward;
  • Expects to come out stronger and more experienced as a result, and believes that their customers will recognise this.
Data breaches are unpleasant, dangerous and costly. They are also a fact of life. In our most recent payment trends report, we called retail payments security as an important focus area for 2012. As commerce environment gets more complex (online, offline, mobile, etc.) and as access points to payments proliferate, security issues are only getting more complex. What are your thoughts on how best to ensure payments security in the digital age?