This is page 2 of:
Is Bluetooth, *Gasp,* A Viable Mobile Checkout Alternative?
Depending on where the chain has stores, that may or may not be a compelling argument. But it’s certainly something to consider.
The other is the percentage game that the brands have laid out. MasterCard’s plan—which is almost identical to Visa’s plan—speaks of Account Data Compromise relief to start in October 2013 and kick in fully two years later. The carrot is that it will shift the cost of data breaches,
including the cost of reimbursing issuers for distributing new cards and the cost of unauthorized transactions, to the issuers. But that will only happen if the chains use EMV contactless-and-contact terminals for 75 percent of all in-store transactions.
That’s where the stats get interesting. Today, mobile in-store transactions are irrelevant numerically, because they are not likely to materially impact the overall number of transactions. In other words, even if zero percent of in-store mobile transactions were done through non-EMV-compliant devices, it’s unlikely to make any major chain miss its 75 percent goal—assuming it would have otherwise made it through countertop card swipes.
Then again, mobile card swipes (both sleds and separate Bluetooth-connected devices) are relatively easy to swap out. And the small number of in-store mobile purchases is likely to become not so small by the end of 2013 and into 2014. So does it make sense to use EMV-compliant devices now?
For the moment, it’s an academic question, because there are simply very few—if any—major-chain-ready EMV-compatible mobile devices available for the U.S. market. Adyen makes that point well. The company acknowledges the U.S. market, having offices in Boston and San Francisco, and yet even it is not willing to even offer the product for sale in the U.S.—except as a response to a special retailer-initiated request.
Square, one of the biggest and most active mobile payment players in the U.S., does not support EMV and hasn’t said if it ever will.
Given the need for enterprise-level support for these payment devices, it probably makes the most sense for chains to wait for a major player—such as Square—to start supporting EMV. It’s not a very risky strategy, because those firms will almost certainly start offering it as soon as EMV marketshare in the U.S. becomes significant.
The only wrinkle will be those percentages. If general mobile in-store payments start to soar and using a non-EMV device for mobile makes a difference if a chain qualifies for the card brand incentives, chains might be in the bizarre position of wanting to have an EMV-compliant device even though they have no intention of using it for any EMV cards.
This illogical situation is due to the brand rules that say a chain must push 75 percent of its transactions through an EMV-friendly device, while saying nothing about whether any of those transactions actually use EMV. There’s a good reason why the brands did that: They want to have the infrastructure in place first, before trying to cause any EMV cards to happen.
Although Bluetooth is hardly the first choice of security execs, the Adyen approach seems to do encryption properly, claiming PCI PTS V3.0 compliance and—more critically—SRED validation. Of course, the application’s security (or lack of same) would trump the device. But at least Adyen seems to be getting the device security right, which is more than most have done.
Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code.
-Marc
