MasterCard Pushing EMV PIN. Visa? Not So MuchWritten by Evan Schuman
MasterCard’s Monday (Jan. 30) rollout of its roadmap for EMV in the U.S. set it on the opposite side of payment security from Visa, with MasterCard pushing for EMV with PIN and Visa arguing that PIN isn’t necessary. MasterCard is backing up its preference with some serious fraud-dollar forgiveness. Oddly enough, the much-smaller MasterCard has trumped—or, more precisely, nullified—Visa’s position, at least as far as retailers are concerned.
Given that greater-than-99-percent of Visa retailers in the U.S. also accept MasterCard, chains must go along with whichever brand has the more strict requirements. Typically, that’s been Visa, but not this time. On EMV-related PCI relaxations, however, the two brands opted to adopt identical policies.
The calendar part of the timetables are pretty similar, too, with both brands insisting that acquirers be able to handle EMV transactions by April 2013. It’s the post-fraud promises where the two diverge. Visa’s position can best be described as PIN optional, where the brand argues that PIN won’t be needed in the U.S. and that implementing it might serve to slow down consumer acceptance by layering on another behavior change.
Put another way, Visa is arguing that the current EMV chip is so much more secure than magstripe cards today that the small additional level of security delivered by a PIN doesn’t make that much of a difference. And if that small difference causes a slowdown in the card’s acceptance, it may not make ultimate sense for retailers.
MasterCard this week made it explicit that it considers PIN to be the more secure approach and that it will back up that position with dollars. (Clearly, Chip-and-PIN is more secure than chip-and-nothing-else. But I digress.) MasterCard describes a liability hierarchy, with issuers and retailers on sort of a payment seesaw.
If the issuers are considered to be using the less secure approach—which MasterCard defines as anything other than PIN—then they have to absorb the costs of post-fraud cards being reissued, in addition to the direct costs of the crimes. If issuers and retailers are using the same approach, the costs still stay with the issuer. But if the retailer is using the less-secure approach, then it has to pay the fraud bills.
For the record, both brands have the same core position, which is that they are not requiring any retailer to do anything. But they can certainly telegraph their preferences and use money to persuade. “Merchants are free to adopt any technology that they want,” such as adopting EMV or choosing to stay with magstripe, said Colin McGrath, the MasterCard VP for U.S. market development. “We’re not going to dictate a particular cardholder verification approach.”
That said, here comes the carrot and the stick. “If the retailer opts to go for PIN and the issuer is only pushing signature,” McGrath said, “if fraud were to occur, the issuer would be responsible for that fraud.”
Both brands are using the same entry benchmark, that 75 percent of a chain’s payment transactions must be processed through an EMV terminal that supports both contactless and contact. The E-Commerce and mobile implications are unclear. Such transactions today are typically limited to the card number, an expiration date and a CVV, with no practical way to access the chip data. The only way to do that would be with an EMV reader attachment for a desktop/laptop/mobile device, which is certainly not the typical arrangement for most U.S. E-Commerce and M-Commerce transactions today.
Therefore, if a chain has enough online transactions, it might not be possible to process 75 percent of transactions through an EMV reader. Presumably, the intent is to encourage 75 percent of in-store transactions being processed through such EMV-friendly terminals.
If the retailer is pushing 75 percent of its transactions through an acceptable EMV terminal, MasterCard is promising to cut cost recovery in half by October 2013. Two years later (October 2015), MasterCard will make the reductions 100 percent.
Why not make it 100 percent as soon as the retailer hits the percentage of transactions?