The debate is hotting up - as the USA is both pursuing an EMV CHIP&PIN direction at 'local bank' level driven by customers, but also allowing the international payment card schemes to drive an unusual nuance of a strategy. This is well described by a debate that we have reproduced from Linked-in here:
EMV Migration in the US – an Update (BAB Opinion Article, February 2012)


Recently I’ve had the opportunity to interview several senior US bankers and retailers about migration to EMV chip in the States. The feedback has been very interesting but also rather disturbing. Nearly everyone now accepts that migration will occur, sooner or later, one way or another. But there is no obvious consensus on what form it will take, when it will happen, or who will drive it. A great deal of confusion and uncertainty is evident, and in this climate it is not surprising that most banks and issuers are reluctant to invest proactively in the new technology and prefer to adopt a wait and see positioning.

This is a pity since there is a great opportunity for the US to complete the global chip project by embracing EMV rapidly and comprehensively, using the lessons learned from other countries to include added-value features such as remote chip authentication, contactless payment, and multi-account or multi-function cards from the outset.

Three issues seem to me to be worth highlighting as areas of confusion and concern which need early clarification and resolution.

The first is the issue of cardholder verification. Most in the European payments community would I imagine agree that a key benefit of EMV chip is that it facilitates PIN verification, which is, of course, much more secure than signature verification. That is why, in the UK for example, the migration project was dubbed “Chip and PIN”, and thanks to a high profile “Safety in Numbers” campaign coordinated by APACS, the switch from signature to PIN happened quickly and relatively painlessly. My impression is that few consumers or merchants in the UK now regret the passing of signature verification. Merchants, in particular, gain from a faster, cleaner checkout process and a payment guarantee which is no longer contingent on obtaining and checking the signature. This message does not appear to be widely accepted in the US, with many expecting a migration to chip and signature.

A second issue raised by most interviewees was that of mobile payments, with several citing the possibility that the US might in some way “leapfrog” EMV chip technology altogether and move straight to some more “advanced” form of payment; hence the case for wait and see. I personally remain resolutely sceptical about the prospects for mobile NFC payments. But in any case, there seems to be a fundamental confusion here. Mobile NFC payments are not in any sense an alternative to EMV chip but are rather enabled by it. The main reason why mobile NFC payments are feasible at all is because the SIM card in the handset and the chip on the card act in an equivalent manner without major changes to the rest of the payments infrastructure – terminals, networks, banks, brands, card schemes and their rules.

A third issue is the lack in the US of any central coordinating body such as APACS in the UK or equivalent bodies in most other countries which have successfully migrated. If anything, centrally coordinated direction is even more important for the US card payments industry because of its complexity and fragmentation, but with no sign that the Fed will adopt this role, it falls to the card schemes to lead this industry. While Visa took the initiative with its announcement last August (see Bulletin 292) its stance on chip and signature and mobile NFC, subsequently re-emphasised, has in some senses contributed to the confusion described above. Most recently, MasterCard has made a similar announcement, apparently taking the same broad line, although there is a notable lack of detail. If this is leadership, I fear the worst!

*** Nick Collin, Banking Automation Bulletin, February 2012 ***

STEPHANE CZARNOCKI • @Nick – you raise a valid point with the lack of a coordination body in the US, it may explain the situation of deadlock regarding the migration to EMV chip and PIN solutions.

Note that Visa’s requirement (or is it just a recommendation ?) for acquirers to support the field DE 55 may remove a major obstacle to the deployment of chip contact in the US NFC is indeed a particular way of doing of an EMV transaction, thus in no way a replacement of EMV. It is supposed to be more "elegan "by avoiding to insert a card in a slot. And by allowing an interaction between terminal and a mobile, it paves the way to using the mobile as a payment card. This is likely a reason for the hype. But..

When NFC was launched, EMV defined only an NFC protocol for the “magstripe” implementation with the dynamic CVC. In parallel Visa and MasterCard developed separately their Paywave and Paypass solutions, based on a downgraded chip contact application. By and large, it meant that a terminal had to support at least 3 protocols, and a chip application two of them.

EMV later defined a protocol allowing a common way to select the application, then another protocol to allow two interactions between the card and the terminal.

Shall the merchants invest in terminals supporting those NFC protocols just because cardholders like to pay in a cool way ? This is why I do not understand the” irrational exuberance” for NFC EMV.

When reading you, I feel some comfort in not being alone.

Alan Sambridge • Gentlemen, Having just come back from a fact-finding tour of the US, I can echo Nick's comments completely. Only those banks with a high ratio of International travellers will invest in EMV. Add the lack of ATM infrastructure for chip scripts i.e. PIN unblock, this will force the US along the road of Chip and Sig - Something is better than nothing.

The misconception is that NFC will "leap-frog" is highest in their minds, but also add to this the lack of forward planning - There is none. Focus is on return to profit, minimal investment and a two year return cycle. You can't blame the banks for that. They want to repay the US Govt. asap.

What will be interesting is the direction of Canada and Mexico. With the US now the highest area of card fraud loss ( technically, are the European Banks subsidising the US retailers out of recession ?), no action will be taken, until US banks start to hurt financially ( liability shift is the only tool). Look out for CanaMex fraud migrating to the US and let's see what pressure they can add. We need all the help we can get !

Finally, in terms of education on EMV in the US - There is none. Review any official conference and you'll find EMV in the graveyard slot, on the last day, not the main focus. And that's for the professionals. There is a long way to go to get the wheels to turn, even slowly.

Bill Trueman • Great piece Nick - and I hesitate to add to it as one could not beat the clarity. But I do want to add points that relate even more to fraud.

1. When there is fraud (or dispute) there will be chargeback voucher requests etc., which will be so much harder for merchants where signature is the CVM (for the merchants).

2. In talking to merchants and in every report that I have read or seen, merchants find PIN as a CVM easier, quicker and practical and removes the need to check, find vouchers, keep vouchers, file vouchers etc.

3. There is a supposition that fraud control will move entirely to the issuer, who will manage it from transaction screening monitoring because all transactions will be on line. It is foolhardy to suspect that the whole anti-fraud effort will be moved to the issuer controls, and that the issuer (in all cases globally) will protect the acquirer and merchants even when the liability is entirely with the merchant. Issuers don't act that way.

4. There is the assumption (above) that ALL transactions will be on-line because that is the way that it is always done (in the USA). This is rather parochial, as there are a lot of off-line merchants - and let's not even start on UPTs and how they will prevent fraud in a sig CVM environment.

5. "Only a small number of US people travel outside the US to off-line environments" - is cited as a rationale for going on-line only with sig-CVM . This is a fair point, but I know a lot of Americans that do travel. Indeed, most of the Americans I know, is because they do travel - here. And they will be the profitable customers who don't want to apply for new cards just to travel - and possibly change bank in the process.

6. Leap-frogging technology for NFC - Nick's comments cannot be added to, but it is hard to resist commenting. What utter, utter ....... Yes the NFC needs the EMV platform and then what will be the transport for a CVM and what is the new technology leaping CVM that will be adopted. Maybe a star-trek or Blake's-7 transported to check the passport at the POS. Silly of us not to think of that one eh?

7. The argument of widespread PIN use, leading to compromises that will cause a loss of integrity in ATM cash withdrawals sounds plausible at first glance - and 'hands up' when I was ignorant I used to think this too. But the ATM can validate the token (card), so after this it will be down to the transaction screening to identify the fraudsters - surely that is the follow-on logic? Call me cynical, but the reason that we need to protect the integrity of these specific (ATM) acquired transactions is that they are the only transactions that the same issuers acquire themselves - and of course the transaction screening is not good enough if they are taking the risk themselves. But generally speaking the ATMs are protected from abuse with low daily withdraw limits (not imposed upon merchants). So they are at the least risk from major fraud attack (due to limits) and the easiest to transaction screen. But above all let's remember where a large proportion of the PIN compromises take place - even in a CHIP and PIN environment, it is through (or at) ATMs!!!!!!!!!

8. Did I also read that the strategy is also to adopt AVS at UPTs to protect these transactions in an on-line environment. Huh?

OK and TWO PREDICTIONS BASED UPON REAL-LIFE EXPERIENCES and BEHAVIOURS

1. In a CHIP with no CVM environment - what will happen to fraud? Well, it will of course have to be WITH the card (as well as driven to the CNP sector). So if it HAS TO BE WITH THE CARD, this new strategy will drive fraudsters back to stealing the cards, mail intercepts and robbery. And at gunpoint. And if at gunpoint, one might as well demand the PIN with menaces too - to get cash from the ATM. So, a strategy that WILL drive more bodily crime. Why, oh why would the US want to protect issuers in this way by endangering the cardholders so seriously?

2. You read it here first (Trueman with an 'e' in the middle): In the US, Americas will travel, maybe to the Olympics even, and after a summer of USA based hurt, American consumer groups and merchants may well help to drive a U-Turn in direction. Let's see.

Douglas ("Dougal") Lawson (douglawson@btinternet.com) • I have a lot of difficulty understanding the business justification in the USA for refusing to adopt EMV.

I was taught that ethical decision makers select solutions based on the best interests of their shareholders, owners and customers.

Since the EMV solution is obviously the best choice, it should be embraced by the financial institutions as quickly as possible, else the decision makers are acting irrationally and technically, their shareholders and owners would be entitled to take legal action the decision makers for a breach of their duty of care.

Bill Trueman • Dougal - yes, I (and I am sure 9/10 others) would agree with your moral/ethical stance, but of course this is not what happens out there. For two reasons:

1. Some priorities take precsedence over others, and in most cases the needs of the shareholders, outweighs those of the other stakeholders (like customers) when there is conflict. The Ford-pinto-memo case of course is an example of the type of legal action that at the extreme, drive extreme stupidity out of these ties of commercial decisions; and we may well see some parallels (i.e. the muggings scenarios that drive a scheme and market reversal in the near future. However, I am sure that the reviews will be reversed before it gets that point.

2. Stupidity intervenes as the decision-makers do not understand the details.

Which applies here? Probably a degree of both.

So a good point here Dougal - but you may want to re-read Nick's initial note as I am not sure that you have captured the full essence of the debate - even though your point is equally valid to the issue as it is to the slightly different interpretation that you have made of the EMV situation here.

The US HAS opted to adopt EMV 'fully'. But their plan is to do so without PIN as a CVM, but choosing to rely upon signature as the CVM. Which is where the problems all lie.

The answer is probably for us to all applaud the decision to go with EMV (finally), but to lobby them towards another CVM other than Sig - as this is the daft part of the strategy. It will change. But when? Hopefully before the Ford-Pinto-Memo disaster scenario arrives - because the memo is now in the public domain here in this discussion group!