US shifts to EMV as Obama and Apple weigh in
The US is finally adopting EMV after an eventful 12 months in which barriers have been overcome. Merchant reluctance is diminishing, good progress is being made, and the ‘EMV train’ is now picking up speed, according to a new report by analyst firm Celent.
Historically, the US faced a series of obstacles to EMV adoption, including merchant reluctance to invest in the technology, issuer doubts about the business case, regulatory stumbling blocks over the US Reg II requirements and a lack of standards. However, the December report, Update on EMV Migration in the US, suggests that most of these obstacles have been addressed over the course of 2014. The push factors identified by Celent included multiple data breaches at merchants, rising issuer focus on customer comfort, at industry way forward for debit cards, reconciling EMV and US Reg II requirements, the launch of Apple Pay and an emerging agreement between issuers on standards.
According to the 2014 Debit Issuer Study, 86% of the US debit issuers were planning to start issuing EMV cards in 2014-2015, with most efforts focused on 2015. The EMV Migration Forum forecasts that 4.5 million terminals will have been installed by the end of 2014, and over 46% of US merchant terminals will be enabled for EMV by the end of 2015. In October 2014, President Obama signed an executive order to use EMV for all government cards. It is estimated that 100 million EMV chip cards will have been issued by the end of 2014. In September, Bank of America announced that all new debit cards will be EMV.
“The US EMV train has finally left the station and is building up steam,” said Zilvinas Bareisis, senior analyst at Celent’s banking practice and author of the report. “If you are an issuer and are yet to get on board, now is the time.”
However, the report also warned that the October 2015 data of liability shift remains firmly in place, meaning that merchants may face a race against time to get ready before the deadline. Preparations include not only terminal replacement, but also testing and certification for new systems – all of which will cost merchants. Acquirers are advised to focus on highest risk sectors such as retail, supermarket and pharmaceutical stores and prioritise these first.
A serious of major data breaches at merchants over the last 12 months may have played a significant role in overcoming merchant EMV resistance. In December 2013, 40 million debit and credit cards as well as the personal information of 70 million individuals were compromised by a massive data breach at US Target stores. The incident led 84% of financial institutions to reissue all exposed cards in response, a process that cost $60 million for Target and $200 million for banks. Furthermore, there were similar hacking, malware or card fraud breaches at Neiman Marcus, Home Depot and K-Mart, as well as 37 financial services providers including Chase, American Express, Bank of the West, Mt. Gox and others. According to Celent, the resulting financial and reputational losses combined with political pressure provided a big push factor in favour of adopting EMV.
Meanwhile, although the business case for issuers has not significantly improved since 2013, Celent argues that customer comfort has begun to outweigh economic concerns. In particular, although an EMV contact card can cost £2.25 to $2.25 just for the plastic and chip and a dollar more for contactless cards, the issuers are starting to feel they have to be seen to be moving ahead of EMV. For example, one large bank in the Debit Issuer Study said that despite the significant increase in expense, “it’s no longer an economic decision though, it’s about customer comfort”. It is estimated that 70% of cards will be EMV by 2016.
Regulation has also been a major sticking point. In the US, there are 18 different debit networks. Under Reg II, all US issuers must participate in at least two unaffiliated debit networks. The idea is to support competition and promote choice. However, the downside is that because of the way the rules work, every card needs to have an EMV Application ID – a specific reference number registered with ISO and used in terminal-card interaction. But when a card interacts with a terminal, a decision has to be made which AID to use – and adding support for more than one application on a chip adds cost and administrative overheads. In essence, the rules make EMV more expensive than it would otherwise be.
In response, the EMV Migration Forum and the PIN debit networks having been trying to work out the answer. The EMF recommended that a single common US debit AID per card should be the only option, and major merchants have now stated that they would not accept a card with more than one common US debit AID. MasterCard and Visa proposed allowed access to their common US debit AID option to other debit networks. Under this solution, MasterCard cards would use the M-Chip4 Application and the Maestro AID and Visa cards would use the VSDC Application and the VISA US AID – and all others can enter individual licencing agreements with MasterCard and Visa to use one of these two routes.
However, the Secure Remote Payment Council, which represents the PIN Debit Network, expressed concerns that the MasterCard/Visa proposal would limit the licencing term of the technology and control the functionality available to the competing networks, undermining their ability to compete. Instead, the Council put forward an alternative common AID solution in which there would be equal access to EMV chip technology, shared governance for both POS and ATM, with interoperable implementation, standardised testing and certification, preservation of existing cryptography procedures, support for all CVMs and access to the full technology feature set for Chip and Pin technology. The proposed that the Common US Debit Aid on every card would be owned by a consortium of all US debit networks, including MasterCard and Visa, and that it would use the single application on the card. The consortium would also be the entity licencing the use of the applications rather than the individual networks.
According to Celent, during 2014 most of the key debit networks signed AID licence agreements with Vis and MasterCard. The two companies paved the way by licencing their respective technology to each other in July last year. First Data’s Star was the first network to break away from DNA and signed a licence agreement with Visa in February, followed by MasterCard in April. Others followed, and Celent believes that the US debit EMV conundrum has now been resolved.
Other factors helping to drive EMV adoption have been the US launch of Apple Pay in October, which Celent points out relies on the same EMV transaction specifications and the same terminals that would be needed to support EMV cards, and the industry shift towards online authentication and authorisation for cards, with most credit cards supporting signature as default CVM.