Almost 20 years ago, VISA USA brought a group of banks together to talk about payments security, chip-based payments cards, and EMV, the then-evolving European standard for chip cards. I was in attendance because my bank was a member of VISA's board. After hours of presentation and debate, the consensus was that EMV would be a waste of time, effort, and money.
My opinion has not changed since then.
At best, EMV is a transitional technology that has been superseded by more sophisticated, more capable, and less expensive alternatives. It looks good in comparison to magstripe cards — a 45-year-old technology with no capacity for further upgrades — but every option looks good by that standard. In comparison to more modern options, EMV looks expensive, inflexible, difficult to adapt, and obsolete.
Just The Facts, Please
EMV cards will reduce card-present fraud. They are harder to clone than magstripe cards and their security protocol is more effective than a simple signature. However, the list of what EMV won’t do is far longer:
It won’t cut fraud as much as it did in Europe. Underlying fraud detection systems are already doing much of that job in America. We rejected EMV in the ’90s in part because we were already investing heavily in real-time transaction monitoring systems. As a result, American fraud rates are still much lower than European fraud rates were.
It won’t cut card-not-present fraud. The chips only work in proximity to a reader, so for online, phone-based, or remote transactions, EMV cards are no more secure than magstripe cards. In Europe, fraudsters changed their focus and card-not-present fraud increased. A similar shift is predicted for the United States. That is unlikely to happen because our large-scale, systems-based fraud analysis regime is effective whether a card is present or not.
It won’t prevent massive data breaches. Like magstripe cards, EMV cards require merchants to capture and retain high-risk cardholder data. In other words, the card might be more secure but the data isn’t. Home Depot just surpassed Target as the largest confirmed retailer data breach, and the list of compromised merchants ranges from Neiman-Marcus to SuperValu.
It won’t provide consumers any new utility. At BAI’s Retail Payments Conference last spring, it was estimated that there are more than 200 applications in development based on more than 20 underlying technology platforms. EMV alternatives such as tokenization, cellular communication, or NFC offer more than security and the ability to operate remotely (card-not-present). They also offer things like a choice of payment options, access to various marketing initiatives, and personal financial management tools.
This is a retrograde step — replacing a 45-year old technology with 30-year old technology and calling it progress.
So Why Are We Doing This?
Why, then, has EMV become inexorable? In a (hyphenated) word, Wal-Mart. EMV probably won’t reduce fraud much on a systemic basis, but it will shift liability for it. Instead of prices going up on Wal-Mart products to pay for fraud, they will go up on financial services. It might not benefit the average credit union member, or the economy as a whole, but it is sure good for Wal-Mart’s lower-prices differentiation strategy. And it’s a real nuisance to the average credit union.
There are also huge economies of scale in implementation. Just as it will cost smaller credit unions more to implement EMV than large banks, it will also cost small merchants more than it will cost Wal-Mart. It has turned slivers of back-end cost savings into nearly $1 million in revenue per minute, and it knows a competitive advantage when it sees one.
It might be too late to stop EMV, but it is not too late to be heard. EMV is bad for credit union members, both as consumers and as owners of their financial cooperative.