MasterCard Worldwide didn’t come right out and say it, but the card brand is encouraging U.S. issuers and merchants to embrace chip-and-PIN technology as part of a switch to EMV smart card security in the next three years.
In a move many industry observers were awaiting, MasterCard on Jan. 30 announced its U.S. roadmap for EMV conversion, including a shift in fraud liability starting in 2015 to the party in the payment process providing the least security.
The MasterCard announcement came nearly five months after Visa Inc. revealed its plan for issuer and merchant conversion to the more secure smart card technology.
MasterCard’s approach to the EMV provides flexibility for both issuers and merchants to decide whether chip-and-PIN or chip-and-signature is best for their market, Craig Vosburg, MasterCard group executive for U.S. market development, tells ISO&Agent Weekly. In addition, the MasterCard plan promotes the idea that future technology may prove to be even more secure, Vosburg says.
MasterCard has established a “liability hierarchy” to rate, from least to most secure, the different card-acceptance methods based on the interplay between the card and the acceptance device–whether it is a point-of-sale terminal or a phone, Vosburg says. Under the system, the magnetic stripe card would be least secure and the chip-and-PIN the most secure, Vosburg notes. Chip-and-signature’s security rating falls between those two, he adds.
“We are trying to avoid an approach where we are requiring or mandating, but rather one with flexibility but an understanding of the implications,” Vosburg says.
Those implications would come into play during a fraud incident. The party–the issuer or merchant–offering the least secure method would be held liable for a fraudulent transaction under the MasterCard plan.
This is welcome news to merchant organizations that have made preference for chip-and-PIN clear while awaiting MasterCard’s stance on the issue. The Minneapolis-based Merchant Advisory Group this month called for industry consensus on an EMV roadmap but emphasized its support for chip-and-PIN.
MasterCard’s stance on liability shift indicates the card brand intends to “move the needle to chip-and-PIN instead of chip-and-signature,” Mark Horwedel, CEO of the Merchant Advisory Group, tells ISO&Agent Weekly. “If the merchant has chip-and-PIN capabilities, but the issuer has only chip-and-signature, the liability falls to the issuer, or vice versa,” he says.
If a consumer loses a chip-and-signature card, someone else could still use it, at least for one transaction, Horwedel notes. “But if someone finds a lost chip-and-PIN card, they can’t use it without knowing the PIN,” he adds.
With regard to Payment Card Industry data-security standard compliance, the MasterCard plan offers compliance testing and fee relief based on account-data volume, Vosburg says. A merchant running 75% of card transactions through an EMV terminal with both contact and contactless capabilities by 2013 would receive 50% relief on PCI testing. By 2015, a merchant running 95% of his transactions through an EMV terminal would receive 100% relief, he adds.
“The merchant has the ability to make the choice to invest in the most secure equipment and to protect themselves to the greatest extent,” Vosburg says.
Randy Vanderhoof, executive director of the Smart Card Alliance, a New Jersey-based not-for profit association that advocates use of smart cards, tells ISO&Agent Weekly his organization is encouraged by MasterCard’s approach.
“MasterCard is very clear about advocating industry collaboration for merchants and issuers to make these decisions together,” Vanderhoof says.
Having MasterCard publicly on board with an EMV-migration timetable in the U.S. “aligns the roadmap toward the next generation of payments very well,” he adds.
MasterCard’s plan allows issuers, processors, merchants and consumers to know what to expect from EMV chip technology–be it contact, contactless or mobile, Vanderhoof suggests.
Mostly, Vanderhoof is impressed that MasterCard leverages EMV specifications with an eye toward standardizing a security platform but that also looks beyond what is replicated with EMV in Europe and Canada with the acknowledgement toward future technology, such as mobile wallets.
“It addresses the questions of what does the U.S. really need, not just from a fraud-protection standpoint but from a consumer-experience standpoint,” Vanderhoof says. “When all of the PCI compliance testing is done, it is still important to know how the consumer interacts with the different payment methods into the future.”
Brian Riley, senior research director and analyst with Needham, Mass.-based TowerGroup, believes MasterCard was “more forthright” than Visa in its announcement about a EMV moving the country to the next generation of technology.
Visa leaned more toward EMV as a data-protection mechanism in its initial announcement, with no indication about moving forward and being open to new technologies, Riley adds.
“For now, the merchants’ key issue should be, why is this being funded on the merchant side?” Riley suggests. “The merchants should be saying, ‘we have to pay for these new terminals, so what do we get out of it?’”
The MasterCard EMV roadmap makes no mention of potential interchange rate relief based on transaction volume or technology conversions.
Vosburg contends it will remain difficult to develop EMV plans that create a complete consensus in the industry, but the MasterCard deadlines “create some degree of alignment” to the EMV timetable because they closely match Visa’s.
It was important for MasterCard to create “an industry timeline, rather than a network timeline,” he says.