US EMV Migration: Looking for the Silver Lining in the Clouds

US EMV Migration: Looking for the Silver Lining in the Clouds

It would be easy to assume that the migration to EMV in the US has gone terribly. The press is full of stories about slow transactions, inconsistent customer experiences and slow merchant adoption. Whilst not living this day-to-day, I also experienced this frustration first-hand on my trips to the US earlier this year; I wrote about it in a previous blog.

And yet, while the end customer experience clearly must improve, real progress has been made. Back in June, Visa reported "over 300 million chip cards in market and 1.2 million merchant locations." In August, MasterCard announced that "80 percent of its U.S. consumer credit cards have chips" and reported seeing "1.7 million chip-active merchant locations on its network, representing nearly 30 percent of the U.S. merchant population and a 374 percent increase in chip terminal adoption since October 1, 2015." Of course, these numbers would be far more impressive if the liability shift was happening in October of this year rather than last. However, EMV migration does not happen overnight, and in the market as complex and diverse as the US, it was always expected to take many years, especially considering the early reluctance and skepticism of the industry, and the additional complications in debit.

One of the challenges for merchants is getting their new EMV terminals certified, which can take a long time, especially when there is a backlog of demand. To alleviate the problem, in June both Visa and MasterCard have relaxed terminal certification requirements by reducing the number of tests, giving acquirers more freedom and responsibility in the certification process, allowing standard configurations and providing more resources to value-added resellers (VARs).

Also, recognising that it's not always the merchants' fault that they are behind with EMV implementation, both networks introduced measures to minimize chargeback costs to merchants who have not yet transitioned to EMV. For example, MasterCard has "checks and blocks to ensure that chargebacks follow the liability shift guidelines", such as not allowing chargebacks on fraudulent ATM and fuel transactions, where the liability shift has not yet taken place. Visa has taken a step further and announced that from July 22, Visa would "block all U.S. counterfeit fraud chargebacks under $25", while from October 2016  "issuers will also be limited to charging back 10 fraudulent counterfeit transactions per account."

Of course, there is a risk that rather than incentivising merchants to speed up EMV adoption, these changes to the network chargeback policies will reduce the pressure on merchants to migrate. Verifone, one of the largest POS companies, has reported lower revenues for Q316, partly as a result of "lingering EMV adoption issues", and has stated that their "outlook for Q4 now assumes a significantly slower EMV rollout." Not surprisingly, Paul Galant, CEO of Verifone, has emphasised the company's "relentless execution" on "the long-term vision for Verifone to transform from a box shipper to a services provider."

Nobody is under illusion that EMV migration in the US will be over any time soon. However, we must recognise that real progress is being made. Changes introduced by the networks, as well as new liability shift dates, such as for MasterCard ATM transactions coming into effect in October this year, should help keep the momentum going. And while the consumer adoption of various contactless pays, such as Apple Pay and others, has yet to "set the world on fire", perhaps they will end up giving another reason for merchants to invest into chip terminals? After all, for the optimists amongst us, every cloud has a silver lining.

The diversity of payments in the US

The diversity of payments in the US

As a payments geek, I am always curious about payment experiences in various parts of the world. In the last month I had a couple of trips to the US – to New York and to New Orleans – and they just reminded me how diverse the US payments environment is. And I am only talking about the physical POS; I haven't really ordered anything online or in-app while I was there.

First, a few observations around EMV. As I live in the UK, all my cards are Chip and PIN, and the US market has been migrating to EMV for a while now. Of course, the migration can't happen overnight – some merchants have already upgraded their terminals, but many haven't yet. Also, there is no mandate in the US to use offline PIN, so "chip and signature" EMV cards are common amongst the US issuers. As an end-user, I experienced a full gamut of payment scenarios:

  • Majority of merchants would simply take my card, swipe it and give it back to me straight away. Not one of them checked if my card is even signed, let alone if the signatures matched…
  • On a few occassions, I was asked to insert the card into an EMV terminal and enter my PIN. And then we waited. And waited more. And a bit more. I knew EMV transactions take longer in the US, but I didn't realise just how much longer… Not surprisingly, the networks had to do something about it and have announced software updates (e.g. Visa's Quick Chip for EMV and MasterCard's M/Chip Fast) to speed up transaction processing.
  • Not a single eating establishment I visited had a handheld EMV terminal. All of them just took my card and disappeared for a while in the "back of the room" – a practice that sends shivers down the spine for most Europeans 🙂
  • On at least one occassion, I entered the PIN, yet the salesperson was still looking for a signature box on the receipt and wanted me to sign it. I had to explain that PIN replaces the need for signature; of course, these things will disappear once merchants learn more about the EMV cards.

A number of merchants in New Orleans had a Clover POS station. It looked really sleek on retailer desks and transactions seemed fast and easy. I asked a couple of them what they thought of it, and they all said they were very happy with the device, its looks and ease of use.

As a side note, American Express cards seem to be far more widely accepted in the US. In Europe, I got into a habit to double check at new places if they take Amex; in the US, that seems unnecessary.

Of course, it's no longer just cards. US was the first market in the world to see the launch of Apple Pay, Android Pay and a number of other digital wallets. The challenge for many of these wallets is the lack of places where they can be used, as contactless terminals remain relatively rare, albeit growing. However, when they can be used, they work very well. The biggest advantage that I can see as the UK user of Apple Pay is that in the US I can use Apple Pay for any transaction, whatever the amount (as long as my issuer is happy to authorise it). I had no problem paying for a taxi ride from New York's JFK airport to downtown by Apple Pay ($70+ fare with the tip). In the UK, Apple Pay and Android Pay (which has just launched this week) are subject to the same contactless card transaction limits and can only be used for transactions of £30 or less. Again, we expect this to change, as contactless terminals get upgraded.

I was also intrigued to see a PayPal acceptance badge at one of the POS terminals. I asked the cashier if it was a popular payment method amongst their customers. The cashier said that it seemed new to him, and that he personally had yet to see anyone trying to use it. I must admit, I am a fan of the PayPal wallet and use it whenever I can, but nearly all of my transactions are online/ via a mobile app. This time, I only noticed the PayPal sign after I already started paying by card, so can't quite report on the actual experience…

And yet, cash remains hard to beat, with many places only accepting cash. I refrained from visiting any of the dodgier establishments on New Orleans' Bourbon Street, but I didn't even had to in order to experience the power of cash. Most sellers in the French Market clearly prefer cash; getting into (jazz) Preservation Hall is "cash only" at the door, and while not every place has the sign as artistic as the one in the picture below, "cash only, one drink minimum" was a common mantra of many bars with live music.

cash only

Clearly, there is a lot of payments innovation in the US. Various wallets and innovations in POS contribute to the diversity of end user experiences. Such diversity is a good thing and if anything, it will only increase, as customers will have increasingly more ways to pay. And as the migration to EMV continues, the undesireable kind of diversity should reduce as well.

The paradox of digital payments

The paradox of digital payments
At Celent we run a couple of Banking research panels – one on Branch transformation and another on Digital – where any US-based bank or credit union can participate in surveys we administer on a regular basis. Last week we published the report with findings of our survey we conducted in November 2015 on Digital Payments. 42 institutions participated and answered our questions on:
  • How important are digital payments in the context of other priorities?
  • What has been the industry’s experience with digital payments?
  • Where is the industry in its EMV migration journey?
The survey results highlighted the paradox of digital payments:
  • Nearly everyone thinks that digital payments are important, but only 13% view it as strategic priority, aim to lead and invest accordingly. 63% aim to be fast followers and another 23% only invest to stay on par with peers.
  • 71% of participants agree that financial institutions (FIs) should offer branded digital payments (e.g. own digital wallet), but they are more likely to participate in third party wallets, such as Apple Pay, Android Pay and others, than to invest into their own HCE wallets – 46% have no plans for HCE.
So, what should the FIs do in digital payments? Accept that “payments are disappearing” and focus on ensuring that their payment credentials are available for customers to use wherever they want them or fight back with their own branded wallets? Does it have to be an “either/ or” choice? Can they/ should they do both? What are your thoughts? P.S. Our panels are open to any FI in the US – Celent clients and non-clients – and we share the results report with all respondents. If you’re a banker and would like to participate in future Digital Panels, please contact info@celent.com.

Practice what you preach?

Practice what you preach?
This is the next – I have a terrible feeling its not the last though – of seeing the cards world through the eyes of a consumer. The story so far is contained in three previous posts, with the last reporting that my card details were skimmed (we assume) in the US. This post however looks at the experience at home. As a consumer, we often get warnings from our banks about phishing attacks – we will never do this, our emails will look like this, etc. Then consider what a daily average inbox looks like – full of identical emails from fraudsters, often better written, and better laid out. Furthermore, banks only focus on emails and outbound calls. I’m possibly wrong, but I’m fairly sure never had the same warnings about text messages, tweets etc. Consider then these channels and how many spam messages you get on a daily basis. (It’s probably ok though, as all the PPI claims I’m told I have should more than compensate me for all the recent accidents I’m alleged to have been in!) Saturday afternoon I received this text: fraud Note that it comes from a mobile number, and texts from my card provider have their details in the text. I deleted it, assuming it was spam, and that if I replied I’d be signed up to some premium rate text service…again. Something made me pause, so I rang my card company, using the number that I already had. And I was right to do so, as it was from them. Thats why I’ve blurred the full number – this is an active line that they are using, but don’t advertise They seemed surprised that I was querying the method, yet when I asked how many people responded to texts, they seemed less certain (to be fair, it was a call center operator!). As a consumer, I appreciate the attempt to make it as seamless and easy as possible. Yet it contradicts the advice we’re given. It would be very simple to text people randomly and ask them personal detail to confirm who they are or to log into a man-in-the-middle website. It feels a little chicken and egg. Consumers need educating. Explaining that the layers of security are providing them protection. At the same time, banks need to think about how consumers will – or should – view their messaging. Given the nature of the message, and the reputational issues, I wonder whether it’s time for the banks collectively to find a solution. Detecting fraud and managing it could be a competitive differentiator – or it could prove far more powerful to do collectively. Across providers, across channels, across products. Best practice across the industry surely has got to benefit everyone long term?  

I didn’t leave my heart in San Francisco…

I didn’t leave my heart in San Francisco…
…but something far more valuable. So for this post to make sense, you ought to read my last 2 posts, about my experience of using my credit card in the US. The first talked about the customer experience, and how varied it was. Some of the quirks were allegedly to improve security, yet offered no perceivable additional security. When asked, the retailers I spoke to saw EMV as offering no better security and a worse customer experience. The second was noting that many of the threads around card fraud led to the US – either cards being skimmed there, or card details from around the world ending up in the US, where just the mag stripe is required. Saturday morning I got a call on my mobile. I’ll write another post later about this and how banks tell you to be careful about highly professional looking phishing scams… and then contact you in ways that look like amateur phishing scams! The point of the call was… to say my cards details have being skimmed as they assumed I hadn’t spent a lot of money in person at an art shop in India. Actually, given I had been using my PIN in a terminal 5 miles from house, in a shop I go in most Saturdays about 20mins before that transaction, I was rather shocked by the fact that they’d authorised it anyway even it was highly unlikely it was me. And guess what? “have you had to swipe your card recently? That’s probably where they got the details” Yes, reader – in almost all certainly, stolen whilst I was in the US. If only they had full EMV, then this almost certainly wouldn’t have happened.

What do we want? EMV! Where do we want it? Over there!

What do we want? EMV! Where do we want it? Over there!
In my last post, I talked about the experience of using my credit card in the US, and how just inconsistent it feels. Some of it was undoubtedly tied to security – using photo ID or entering zip codes – though I’m far from convinced that they provided any security at all. In some conversations we’ve had, there has been a feeling that US fraud is actually manageable at an industry level – a belief that they are in line or better than in many other countries. Yet the recent figures from Nilson seem to paint a very different picture. Whilst accounting for 21.4% or $6.187 trillion of total volume last year, the US accounted for 48.2% or $7.86 billion of gross losses worldwide on plastic cards. Zil has – and will! – discuss the implementation of EMV at length with anyone, so I won’t discuss that here. What struck me was how ineffective the checks were currently. As a consumer (rather than a payments geek) it struck me:
  • Asking for zip code as authorisation seems pointless – if I’ve stolen a purse or wallet with cards in, I’m likely to have either the zip code already or have enough info to find it within seconds on the internet
  • Asking for a signature, yet not even checking it seems odd. Perhaps I have an honest face or perhaps the risk didn’t warrant the effort
  • Photo ID, at least for non-US, seems pointless. How many people can spot fake ID, or know what a, say, Latvian national ID card looks like?
Another thought that strikes me is that the figures probably hide some other issues too. Traditionally, a third of UK card fraud takes place overseas (in 2014, £150m of £479m). And given that most other countries have EMV, of that, the majority takes place in the US – it has been ranked the country with the highest losses every year for as long as I can find records for. I suspect the figure above does not include this. The volume of fraud then that could be cut by EMV in the US would seem to be even higher. Whilst I know it’s not that simple, the US “accounts” for over 5% of UK card fraud. Full EMV in the US wouldn’t reduced this to zero – but equally, even if it halved it in the top 10 countries which lose most to the US, the reduction in fraud would easily be in excess of £100m a year. Visitors to the US aren’t just wanting the experience to improve, they’re wanting to stop paying for fraud that takes place in the US as well.  

Global acceptance doesn’t mean global experience

Global acceptance doesn’t mean global experience
Zil wrote almost a year ago about his experience using a foreign card in the US. I’m just back from an extended stay in the US, and was really struck by how inconsistent the experience is for a consumer. Consider these variations I experienced, in just one day!
  • Check in at a hotel – swipe the card, pre-authorising a charge of $150 a day, no signature, no receipt
  • Pay at gas pump – different price for credit and cash, pre-authorised, required to enter zip code registered for card
  • Paying at till – card swiped, photo id, no signature, no receipt
  • Paying at till – card swiped, photo id, no signature, receipt only available by email
  • Paying at till – card swiped, no photo id, signature, standard receipt
  • Paying at table – card taken away out of sight, signature required, but no check on whether payment has been made before leaving the restaurant
And in no instance was the signature looked at, raising the question of what is the point of signing?! In one place I accidentally caught the enter button on the electronic pad before signing, and off it went, technically signed but with no signature – even that wasn’t challenged. Over the course of three weeks, there were several variations even on these options. Nor did they (arguably) relate to the cost or risk of the transaction – the lowest transaction (<$10) had the most thorough checks, but the restaurants (the most expensive, and where, ahem, you’re already in receipt of goods!) the least. To add to the confusion, it was almost funny to see the consternation that we split the bill with friends – x on this card, y on that please – something that is standard at least in the UK, but at least one restaurant claimed was both technically impossible and illegal. Compare this to the UK, and most other countries I travel to – you either tap (though rarely) or enter your pin, and in either case the card never leaves your sight. So – just two experiences arguably vs the US multitude. Being a geek (and with no shame, embarrassing my friends and family!), I asked, in just about the most unscientific survey ever, how they felt about EMV. Some hadn’t heard about it. Those who had felt it was going to put people off using cards because it was more difficult. To those of us in the rest of the world, this seems bizarre, particularly those of us who have gone through the experiences in the US. Then again, it’s understandable – human nature is often worried about any change and about the unknown. In addition to the messages about security benefits, we shouldn’t forget about the change management piece of the puzzle, and certainly not about taking the opportunity to see how the change could lead to improvements, particularly in customer experience.      

Apple’s earnings call: an encouraging story about Apple Pay

Apple’s earnings call: an encouraging story about Apple Pay
Yesterday Apple announced its results for Q1 2015: revenue of $74.6 billion, profit of $18 billion over the three months, apparently the largest quarterly corporate earnings of all time. While these numbers are hugely impressive, of course, the payments industry was looking for any hints of Apple Pay performance. This is what we learned:
    • On enabling consumers:
      • Apple sold over 74 million units of phones, mostly iPhone 6/ 6+, which is ~9 million more than expected by the investment analysts. This matters to Apple Pay, as the new phone is a prerequisite to be able to use Apple Pay. This is a global figure, but it still means that there are millions, if not tens of millions of new phones in the US where Apple Pay has been first launched.
      • 750 banks and credit unions have signed up with Apple Pay. Of course, as we discussed in our earlier blog, the number of FIs actually already supporting Apple Pay is much smaller – 54, but the momentum is clearly there. Furthermore, the participating institutions represent over 90% of credit card transaction volumes.
    • On enabling merchants:
      • Tim Cook, Apple CEO admitted he was “positively shocked” at how many merchants were already supporting Apple Pay and revealed that POS suppliers were reporting “unprecedented demand” from merchants. Undoubtedly, the ongoing EMV migration is helping stimulate that demand for new terminals.
      • USA Technologies announced a nationwide rollout of new acceptance points for Apple Pay. This will add about 200,000 acceptance points, “bringing the advanced mobile payments service to owners and operators of coffee brewers, vending machines, kiosks, laundry equipment, parking pay stations and other self-serve appliances.”
    • On actual usage:
      • Apparently, Apple Pay is responsible for $2 out of $3 spent on Visa, MasterCard and American Express contactless transactions. While the specific statistics were not revealed, and two thirds of not much is still very little, Apple certainly demonstrated ability to acquire market share in a short period time from competitors such as Google Wallet and Softcard.
      • Apple Pay represents nearly 80% of mobile payment transactions at Panera Bread, while Whole Foods Market had seen an increase in mobile payments by more than 400% since the launch of Apple Pay.
    • On evolution and future plans:
      • Tim Cook acknowledged the opportunities around both in store and in app use cases of Apple Pay and that market specifics will determine which will be more important in any given geography.
      • As expected, Apple Pay will be expanding internationally. The management acknowledged that each market is different and will require “heavy lifting to scale,” but confirmed they were ready to tackle the challenge.
Tim Cook concluded that 2015 will be the year of Apple Pay. This might be debatable, but Apple Pay certainly had a very encouraging start. This also further validates Celent’s perspective we articulated in the latest edition of our Top Trends in Retail Payments report, which was published yesterday and is available to our clients.

Getting m-POS ready for EMV in the US

Getting m-POS ready for EMV in the US
As we highlighted in our recent report The Update on EMV Migration in the US: Leaving the Station and Building up Steam, the US market is finally making a strong progress towards EMV. While many of the barriers we discussed in the past have been dismantled, there are still challenges that remain. One such challenge is the upgrade to m-POS platforms. Square has created an entirely new market a few years ago with a simple ‘dongle’ that a merchant could connect to his smartphone’s or tablet’s headphone socket and start accepting cards. The customer would swipe the card, sign on the phone and that would be it. Now Square and its many competitors have to bring out new devices that support EMV cards. That also means a change for merchants, and they will have options. Square announced its new device in November last year. Unlike most of m-POS solutions in Europe, it will not support chip and PIN, but will be a standalone chip card reader and will support signature as the cardholder verification method. It will start shipping in spring, but will not be free – merchants will have to pay $29 for the mobile chip card reader and $39 for the accessory to Square Stand. Earlier this month PayPal Here also announced that it will be bringing its EMV reader already available in the UK and other markets to the US. And in addition to iOS and Android, it will support Microsoft Surface Pro 3, and other devices running Windows 8.1. First Data’s Clover has launched Clover Mobile, a mobile and EMV compatible version of its Clover m-POS platform. Unlike Square’s readers, Clover Mobile also supports NFC transactions, including Apple Pay. And then there is Poynt, launched at last year’s Money2020. Poynt is described as “a future-proof device that accepts magnetic stripe, EMV, NFC, Bluetooth and QR code payment technologies. You are ready to accept your customers’ favorite payment methods: Apple Pay, chip-and-pin, mobile apps, and whatever else the future brings.” Of course, there are other options, above solutions are just a few examples. The challenge for merchants is deciding if and when to upgrade the readers and whether to stick with their existing provider. As always, risk-based assessment will be key. For example, whenever I am in Vegas, I try to visit a small shop that sells vinyl records, which accepts card payments via Square. If I were the owner, I would look to upgrade to an EMV reader as soon as possible – while it’s not a coffee shop in terms of frequency of transactions, most payments are tens and hundreds of dollars. On the other hand, a local dry cleaner who already knows most of its customers will be less compelled to upgrade. Clearly, not everyone will be ready by the liability shift deadline in October, but merchants with the risky profile should make sure they are.

Can’t Wait for the US to Migrate to EMV: The Musings of A Visitor

Can’t Wait for the US to Migrate to EMV: The Musings of A Visitor
Usually, during the Autumn season, I make a few trips to the United States for conferences and client visits. This year was no exception and I have recently come back from two trips to Las Vegas and San Antonio. EMV migration in the US was high on the agenda during both visits and I came back with two takeaways: 1) the US market is finally serious about EMV and preparations are going full steam ahead and 2) I am glad it is happening. All the data breaches at retailers, from Target to K-Mart Sears, have spooked the market and stirred it into action. Some of the major challenges, such as reconciling EMV with Durbin/ Reg II, have been resolved – on November 4, Vantiv announced it became the first US acquirer to successfully complete a debit EMV chip transaction compliant with Durbin. Most of the issuers are in the planning stages and beyond, even with debit. On September 30, Bank of America became the first major US bank to announce that all new debit cards with be EMV, while existing cards would be replaced at expiry. I am planning to soon publish a report on the US EMV migration, which will discuss what is happening in the market now and will address a number of questions we frequently get from clients, including some of the more advanced EMV topics, such as scripting, PIN management and multi-functional cards. In this blog I just wanted to share a personal story. Until the cards and terminals migrate, the fear of fraud at the US retailers is palpable, to the point where it is starting to impact consumer experience. During my brief shopping break I wanted to pay with my UK-issued chip card. As the amount was over $75, I was asked for a customer ID. I offered my UK driver’s license, which the cashier started diligently copying by hand onto the printed receipt. As it was a foreign license, he wasn’t sure which was what, so had to call his supervisor to check what exactly he should be copying. When he was done, I thought that would be the end of it, but unfortunately, I was mistaken. The cashier then took my card, placed the receipt on top it and started rubbing it with a pen to get the imprint of the embossed details on the card! Apparently, he had to do it because the amount was actually over $150… I could scarcely believe this was taking place in the 21st century… On a separate note, I must admit, 10 years of EMV in the UK made me deeply suspicious whenever at a restaurant I have to hand in my card and the waiter just runs away with it. In Europe, the waiter brings a handheld terminal to the table, I enter my PIN and the card never leaves my sight. I am not saying that this is an everyday experience for all US consumers these days. Perhaps I happened to go to a retailer with particularly strict anti-fraud policies, or they recognised a foreign card and wanted to take extra precautions, or I was simply unlucky. But I did not enjoy the experience. This is also not a smug boast how “we have it better here in Europe.” I actually think that the US is a hotbed of innovation and creative solutions emerging from the US such as Apple Pay are pointing to the future of what lies ahead for many of us. However, EMV will help with the “here and now.” Of course, there will be a learning curve for the US consumers as they get used to new chip cards, and there will be teething challenges during the migration, but it will be worth it for the market as a whole. And as a regular visitor, I just can’t wait for the US to migrate to EMV.