Merchants are increasingly frustrated over how the EMV deployment has interfered with their legally guaranteed options for PIN debit transaction routing and authorization — and since the government gave merchants this right, the Merchant Advisory Group is appealing to the government to take a look at how things have played out.
The MAG has reached out to the Federal Financial Institution Examination Council to complain that some debit card issuers are violating rules set through the Durbin amendment, which calls for merchants to have at least two networks to choose from for debit transactions. If the FFIEC agrees, it could step in and force banks to once again change the way they handle payment card security.
The group is asking the FFIEC, a group of federal examiners, to look into allegations that the merchants were unable to verify on their own. The MAG can provide more specific information through its members or partners if the FFIEC requests it, said Mark Horwedel, CEO of the MAG. Horwedel did not want to share further details until he is clear about which direction the FFIEC may take.
Among other concerns, the merchants are telling FFIEC investigators that some debit card issuers are failing to provide a PIN debit network option on tokenized purchases, failing to authorize PINless debit purchases routed to PIN debit networks, and failing to support Internet debit transactions accompanied by PINs.
As a result of these issues, fewer transactions might be going to independent networks; instead, they are continuing to move along the major card network rails or are being denied outright, and both of those alternatives cost merchants more money, Horwedel said.
"Given my background in banking and undergoing FFIEC audits when operating a network in the past, I believe they take these things seriously and I expect them to get back to us seeking information on the alleged violators," Horwedel said.
The FFIEC has the power to move the industry on matters of security. Back in 2005, the agency required banks to improve security beyond the static username-and-password system that was commonplace at the time. The obvious response at the time would have been to deploy one-time password tokens, but many banks instead chose software-based solutions such as challenge questions or device-identifying cookies and Flash objects. In 2011, the FFIEC weighed in again, determining that these approaches were insufficient.
In those instances, the FFIEC succeeded in getting banks to adopt stronger security but did not mandate a specific approach. Thus, even if the FFIEC validates the MAG's concerns, it may not push for the exact approach the group wants.
The merchant group turned to the FFIEC option because previous attempts to "socialize this with the networks and vendor community" did not result in meaningful conversations or solutions, Horwedel said. "It's all really a result of being so frustrated, and I'm not sure what to expect."
One organization MAG can count on to be in its corner is Atlanta-based Acculynk, a payments technology provider specializing in PIN technology for mobile and e-commerce merchants' domestic debit transactions. Acculynk, which is connected to all of the U.S. debit networks, is finding that not all issuers support its technology or routing to an independent network.
"A tremendous opportunity exists for merchants after the Durbin ruling for a least-cost option to a debit transaction, but it really is not as widely supported by the issuers as you would expect," said Nandan Sheth, president and chief operating officer of Acculynk.
On average, Acculynk estimates that between 60% and 70% of issuers do not support alternative routing capabilities in which an existing debit card in the online channel can be routed to an alternative network, Sheth said.
As a result, many debit signature, or PINless, transactions are moving to other networks, even though independent debit networks can handle such transactions, Sheth added.
That's the basis for Walmart's recent lawsuit against Visa regarding debit transaction routing.
In the case of the Walmart lawsuit and other issues related to debit transaction routing, Visa has been consistent in saying its focus remains on consumer choice in payment method and that its merchant clients be able to handle all of those choices at the point of sale.
"We are putting a lot of pressure on issuers in working with organizations like MAG, and we are starting to see more issuers adopting this second method of routing because Durbin requires it," Sheth said.
While it is a good idea to get the FFIEC involved, because it basically operates as an auditor making sure banks comply with regulations, it would ultimately be the Federal Trade Commission that would force banks to play by the Durbin, or Reg II, rules, said Terry Dooley, executive vice president and chief information officer for the Shazam PIN debit network.
Shazam has not encountered many issuers that are not complying with Durbin by offering two networks for routing, Dooley said, but he noted that cards may have two access routes, as mandated, but those two networks may not support 100% of transaction types available.
"Accepting all transaction types is not part of the law, but it is part of industry competition, which is why you see more support for transaction types out there now," Dooley said.
An issuer may fail to authorize PINless debit transactions that were routed to PIN debit networks because they don't want to accept transactions that don't come from their own applications, Dooley said.
"You have some e-commerce transactions, or Internet PIN transactions and some P2P transactions that issuers would deny because they are not coming from access points that they want," he added. "That's not really a Reg II violation, it's more just trying to limit who can participate in the ecosystem to a certain extent."
The debit networks have pushed their own agenda in alerting merchants that acquirers may be setting up point of sale terminals with screen prompts that would cause consumers to most often choose Visa or MasterCard routing, rather than one of the independent networks that support what the industry refers to as the common application identifier, or AID.
"It's really all being geared around how the acquirers are implementing the routing choices," Dooley said. "If you look at it from a macro level, short of a European card being presented for use, there is no reason for a merchant in the U.S. to ever choose anything other than the common AID."
By making that choice, the merchant can count on PIN, signature, or no CVM transactions to be processed by issuers ready to handle those transactions, with the option to send to Visa or MasterCard or any of the other debit networks, Dooley added.
Acculynk's Sheth suspects an underlying reason as to why questions remain about routing options and transaction acceptance — mainly that the card networks would have much to lose.
"If 100% of issuers would support these transactions that MAG is questioning, then 90% to 95% of those transactions, based on pricing structure, would route away from Visa and MasterCard," Sheth said. "And that's a big, big number."