Chip Cards – The Good, The Bad, The Ugly

Background

Professionally, I’ve only been involved in the Payments industry peripherally. However, as any industry observer would note, this industry has changed drastically over the last decade or so. This stands to reason of course as all things digital have evolved. Once upon a time, a merchant would pass a variety of checks, get themselves a merchant account and could then take credit cards as payment methods. Varying rules applied – and still do – for those at retail, (card present transactions), and those taking payments remotely, (card not present transactions), be they Internet, Mail Order, Phone, or whatever. On the Consumer side, things have always been easier. Unless your credit rating is wholly in the dumper, just about everyone wants to get their plastic in your hands. (Or more recently get you signed up for some form of digital wallet payment using traditional banking systems as a back end. And then there’s the nascent adoption curve of Bitcoin.)

Anyway… as go Payments, so goes Fraud. Pretty much anywhere along the value chain the evil doers will sniff about looking for any vulnerability where they can extract some lucre and disappear into The Matrix. The latest salvo in the Payment Fraud Arms Race has been EMV chip cards. The EMV standard, (with EMV standing for Europay, MasterCard and Visa who developed it), is targeted at a few issues, but primarily at Card Present Transactions such as retail. (See the Wikipedia Article linked just above for more details on the effort’s goals and objectives.)

While EMV may have been around for a while in a variety of countries, it’s only now extending more fully across the U.S.

The Good

  • EMV appears to work well. Because the cards use a chip and potentially a PIN, (though the PIN isn’t always necessary), it’s more challenging – if possible at all – for typical fraudsters to replicate cards. With the chips, a new transaction number is created at every transaction. This is in contrast to the older magnetic strip technology where you could copy the strip and use it over and over; at least until a card is reported stolen and is entered into the issuer system. CreditCards.com reports…

In May 2016, chip-enabled merchants saw a 47 percent drop in counterfeit fraud compared to a year earlier, according to Visa. Similarly, MasterCard has recorded a 54 percent decrease in counterfeit fraud costs among its EMV-ready merchants from April 2015 to April 2016. Conversely, MasterCard has also seen a 77 percent increase in counterfeit card fraud year-over-year among merchants who have not yet moved to EMV or are in the process of doing so.

  • According to a Strawhecker Group report, EMV readiness among U.S. merchants will approach saturation in the next couple of years.
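The point above about a new transaction number at every transaction, seen from the issuer's side, as an added sketch that is not from the original post. It is a simplified model: HMAC-SHA256 stands in for the real EMV cryptogram algorithm, the strictly increasing counter check is stricter than production issuers use, and the key, track data and class names are constructed for illustration.

```python
import hashlib
import hmac

def cryptogram(key: bytes, atc: int, amount_cents: int, nonce: bytes) -> bytes:
    """MAC over transaction counter, amount and terminal nonce.
    HMAC-SHA256 is a stand-in here, not the EMV cryptogram algorithm."""
    msg = atc.to_bytes(2, "big") + amount_cents.to_bytes(6, "big") + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

class ChipCard:
    def __init__(self, key: bytes):
        self.key, self.atc = key, 0

    def authorize(self, amount_cents: int, nonce: bytes) -> dict:
        self.atc += 1  # counter advances on every transaction
        mac = cryptogram(self.key, self.atc, amount_cents, nonce)
        return {"atc": self.atc, "amount": amount_cents, "nonce": nonce, "mac": mac}

class Issuer:
    def __init__(self, key: bytes, track_on_file: bytes):
        self.key, self.track_on_file, self.last_atc = key, track_on_file, 0

    def verify_chip(self, txn: dict) -> str:
        expected = cryptogram(self.key, txn["atc"], txn["amount"], txn["nonce"])
        if not hmac.compare_digest(expected, txn["mac"]):
            return "decline: bad cryptogram"
        if txn["atc"] <= self.last_atc:  # simplified: strictly increasing counter
            return "decline: counter already used"
        self.last_atc = txn["atc"]
        return "approve"

    def verify_magstripe(self, track: bytes) -> str:
        # Static data can only be compared, so a copy looks like the original.
        ok = hmac.compare_digest(track, self.track_on_file)
        return "approve" if ok else "decline: unknown card"

def demo() -> dict:
    key, track = bytes(range(16)), b"CONSTRUCTED-TRACK-DATA"  # constructed values
    card, issuer = ChipCard(key), Issuer(key, track)
    first = card.authorize(1999, b"\x01\x02\x03\x04")
    altered = dict(card.authorize(500, b"\x05\x06\x07\x08"), amount=50000)
    return {
        "chip_first_use": issuer.verify_chip(first),
        "chip_same_data_again": issuer.verify_chip(dict(first)),
        "chip_amount_altered": issuer.verify_chip(altered),
        "stripe_first_use": issuer.verify_magstripe(track),
        "stripe_same_data_again": issuer.verify_magstripe(bytes(track)),
    }
```

Calling demo() shows the contrast: the second presentation of identical chip data is declined, while the second presentation of identical stripe data is approved.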

The Bad

  • According to PYMNTS.com, the prophesied move of fraud from offline to online has in fact come to pass and is growing. According to their research, it is up over 215% since last year. While it’s reasonable to assume not every fraudster with their traditional offline tools has the capability to just switch to online, it’s also reasonable to believe that any that can – seeing their existing schemes dry up – will at least try.
  • For Merchants: While Consumers might not know, pay attention to, or care, one effect is to shift liability for fraud to merchants. This is because before EMV when a merchant ran a fraudulent transaction, it would be the bank that would be on the hook for costs. Since October 2015, however, when a consumer, (thief in this case), uses a fraudulent chip card and the merchant is not using an EMV reader, the bank might not be liable. It may still be a sticky situation, but the idea here is whoever is using the least secure tech should be at fault.

The Ugly

  • EMV is slower. This hurts Consumers and Retail Merchants.
    • Consumers: There’s little worse – in my opinion – than being stuck behind the old lady at checkout paying with exact change who doesn’t even take her change purse out of her purse until she’s damn good and ready. But that’s a minor nit I just felt compelled to mention. Anyway, for cards, it used to be: Swipe. Sign. Done. Now, even as you sort out whether you have to swipe or insert, once you insert, the transaction just takes longer. One reason for slowness is the initial confusion as to whether to swipe or insert and how to use the new technology. This will alleviate over time. The other reason is it’s a longer wait for the terminal. Things could be worse where PINs also have to be entered. While it may only take a handful of seconds for the process to occur, the perceived time lag can be worse. Technology providers are trying to decrease the actual time, but this will take… well… time.
    • Merchants: Checkout has always been a potential bottleneck. It’s not only online shopping carts that get abandoned. And long lines at any retail establishment can be an incentive to shop elsewhere when there are other local options of equal price / quality.
  • The slowness of EMV may push consumers and merchants towards other advanced payment methods such as those provided via NFC via Smart Wallets or whatever. This may be a good thing in the long term. But for now, it’s yet another adoption curve everyone will have to wait for while it spools up in the marketplace.

Lessons for Product Management?

  • Here’s one bad lesson. When you’re powerful enough as a company or industry to shove something down the throat of the marketplace, you can. It would be nice if we lived in a world with no fraud, but we don’t, and unfortunately, this is one way to mitigate retail fraud. It costs merchants in gear, time and training. And now consumers with a few more seconds. Not a big deal. But collectively it’s probably a lot. Let’s see. In 2012, according to the Federal Reserve, there were 73.9 billion credit card transactions. So even if EMV takes just one second longer, that’s like hundreds of millions of lost hours. That’s what consumers are forced to provide to ourselves and the industry to combat fraud with this method. Can you think of a lot of industries or products that could get away with forcing people to do this?
  • Let’s talk basic User Experience: Forget about formal research for a moment. Just look at your own experience as you get pushed to the chip cards. Are the readers easy and obvious as to how to use? During transition, do merchants clearly show you whether you have to swipe or insert? (Some seem to be getting little paper cards to shove into the chip reader or swipe portion to indicate how to use the dual purpose terminals.) Could the terminals have been designed better? If not, could simple, clear educational materials have been designed better and co-located with terminals?
  • If you’re a digital seller, your immediate lesson is you’d better get more sophisticated with your fraud detection. As you do so, it’s likely you’ll end up with more false positives. That is, you’ll see a valid consumer as a potential fraudster and reject a transaction or need for that customer to take additional steps. This just begs for transaction abandonment among these customers. You’ll likely want to account for new UI / UX flows that handle this process better than you do now – if you even bother right now – if you see your bad / rejected transactions creeping up to levels not seen before.

Bottom Line: Payments and the entire checkout / transaction process will – like so many other things – be getting more complex one way or the other. The overriding goal must be simplicity for the consumer. You’ll need to dive into your numbers to determine if you have issues here. If you do, hard choices will need to be made regarding how you want to take your pain. Accept higher losses for overall ease of use and take the hit on overall bottom line and profit margins? Pay for more sophisticated fraud technology and services? Expend product craft efforts to mitigate abandonment for potential false positives of valid consumer transactions? Like it or not, more fraud will be headed towards digital. The only question is what are you going to do about it?
