TL;DR: Visa and MasterCard's Rules for EMV Explained
Visa's rules for card acceptance exceed 800 pages — plus supplements — and MasterCard's are nearly 300 pages. But even though the card networks have explained their expectations in painstaking detail, the difference between strict rules and mere guidelines is much blurrier when finally given to the merchant.
Part of the issue is that the card networks leave a lot open to the preference of the consumer, merchant, acquirer and other parties. To the merchant and consumer, the day-to-day practice of paying with an EMV card — and in particular, whether it uses a PIN — can vary wildly from one implementation to the next.
"There are a lot of different ways in which a terminal can be configured and Visa offers flexibility and choice in how it can be done," said Stephanie Ericksen, vice president of risk products at Visa. "It is largely up to the terminal manufacturer, acquirer and merchant in determining how it is configured."
The liability structures leave issuers and merchants options. These are not mandates, but an issuer or merchant deciding to ignore them stands to lose money to fraudulent transactions. The end result leaves merchants feeling they have little choice in the matter, despite the decision still being in their hands.
Problems can arise because merchants will only on occasion get direct notifications from card networks regarding new guidelines or changes in rules, said Mark Horwedel, CEO of the Merchant Advisory Group, and an advocate of chip-and-PIN authentication.
"If they think it is something very favorable to merchants, we may see it directly, but generally, all of the rules or information come to the merchants from the acquirers," Horwedel said.
Such a communication tree can make it difficult for all merchants to understand rules and concepts in the same manner, Horwedel said.
And that's where things get muddy.
The fact that Visa and MasterCard have such lengthy rules documents makes it necessary for merchants to rely on the interpretations of acquirers and independent sales organizations, said merchant acquirer consultant and industry researcher Paul Martaus. “I don’t want to be disrespectful of the industry, but that’s what you are dealing with in this situation,” Martaus said. “No one can ask about a rule and have someone easily point it out to them in the rules document.”
As such, sometimes network recommendations or guidelines get thrown into the same conversation, even though they are not strict rules, Martaus said.
The framing of the liability shift has always been the clearest indication of where Visa or MasterCard stand on the authorization process for EMV transactions. Issuers and merchants have a choice of whether to support signature or PIN security, but that choice has different consequences based on which brand's card is being used:
- Visa, as well as Accel, China UnionPay, NYCE and Star Network did not apply lost or stolen fraud to the liability shift, effectively keeping those types of chargebacks with the card issuer and placing no weight on whether the card uses a PIN.
- MasterCard crafted its liability structure to encourage PIN as a needed layer of security for lost and stolen fraud, thus complementing the chip that thwarts counterfeit fraud.
- Discover chose the wording of the party “that has the less secure EMV technology” will generally bear the liability for lost, stolen or counterfeit fraud. As such, it asserted its support for chip-and-PIN over chip-and-signature.
- American Express went the same route as Discover in putting its emphasis on recommending the strongest security measures and, in turn, making lost and stolen fraud part of the liability shift as a way to encourage issuers and merchants to handle PIN debit transactions.
In its educational efforts, Visa also advocated for signature authentication as being easier to implement in the U.S. and more in line with how consumers are accustomed to paying.
Making Way for Mobile
Visa's liability structure also gave merchants an incentive to add Near Field Communication contactless readers at the point of sale at the same time as converting to EMV chip acceptance. Visa wanted its merchants to be prepared for all payment types, saying it was encouraging merchant choice on authorization and routing, as well as consumer choice on payment method.
"Our position has been consistent because we know more technology is becoming available and people will be paying with cards, phones and watches," Ericksen said. "Moving to chip shouldn't change anything about cardholder's choice and expectation about them being able to decide about how they want to pay at the POS, and it's the same thing with signature or PIN."
But when an issuer decides to issue only chip-and-signature cards, it takes that choice away from the consumer, merchant and everyone else involved in handling that transaction. This means that merchants that chose to support PIN authentication won't get the full security benefit of this decision when handed a chip-and-signature card.
This is no small matter to merchants, as evidenced by Walmart's most recent lawsuit against Visa.
The retailer claims that Visa is forcing it to accept signature authorization on PIN-enabled cards if the cardholder forgets the PIN or doesn't want to use it. Walmart says it wants PIN as the most secure method and should be able to decline transactions that have the technology but the cardholder is not using it. Walmart is also concerned that if more signature transactions route to Visa, it will be more costly for the retailer because of higher interchange rates on signature card transactions.
Though Ericksen could not comment about the specific claims in the Walmart lawsuit, she did say that, in general, Visa sees the situation as one in which the retailer wants to potentially take away the consumer right to choose.
"Whether it is PIN or signature, cardholders don't want to relinquish that right," Ericksen said. Recent Visa research revealed that 9 of 10 Visa cardholders want it to be their choice to sign or enter a PIN, Ericksen added.
Almost half of those surveyed indicated they were concerned about entering a PIN in a store environment, for fear someone could steal it and drain their account at an ATM, Ericksen said.
MasterCard doesn't put cardholder choice in the forefront in the same manner. It has based its stance on the Durbin amendment's requirement that merchants have a choice of routing options for debit transactions.
"Our position, primarily on debit, is that every U.S. debit card bound by the Durbin routing requirement has to have a PIN," said Chiro Aikat, senior vice president of product delivery — EMV for MasterCard. "That is the standard we worked on through EMV Migration Forum and in an agreement with the industry. In the EMV world, the consumer experience can be the same, if the merchant so chooses in pre-selecting the common utility with a PIN pad that prompts a cardholder to enter a PIN."
Merchants pushing for PIN are essentially saying they don't want to get hit with chargebacks on transactions made through stolen or lost EMV cards.
With MasterCard transactions, that choice aligns with its rules that shift liability based on which entity used the highest form of security. For example, a cardholder presenting a PIN-enabled MasterCard at a merchant not accepting PIN would place the fraud liability on the merchant rather than the issuer.
But Visa does not hold merchants liable for lost and stolen card fraud, regardless of the authentication method used.
"From a PIN perspective, there is no incentive from Visa to do anything related to PIN or signature in terms of merchant liability," Ericksen said. "It's only about EMV and counterfeit fraud, and that chip on its own protects the merchant from any liability."
The Routing Issue
The concern of debit networks in how the terminal screen is prompted to ask a cardholder to choose Visa, MasterCard or "U.S. Debit" — representing the cheapest routing option for merchants — when making a debit transaction is an issue that merchants should be able to resolve through their acquirers and what the software is set up to do, the card brands say. The independent networks fear that most consumers would simply choose a brand they were familiar with, while not really knowing that the U.S. Debit label refers to the common application identifier (AID) used by the nation's independent debit networks.
Visa guidelines for card acceptance require the merchant to clearly label Visa when presenting a choice for consumers and also routing to Visa if the consumer chooses the network. It does, however, allow a merchant “to steer” a cardholder to another network as long as it does not omit information or mislead the cardholder in doing so.
It has nothing to do with card network rules, but the emerging EMV application selection specification is built to allow multiple card applications, Ericksen added.
"Some markets have both debit and credit on the same card, and the consumer can pick by having those app labels displayed to them."
MasterCard has no rules in place regarding terminal prompts, but the card brand informs issuers to choose what they want those labels to say, Aikat said.
"They may want their brand name on those labels instead of saying MasterCard," Aikat said. "They can use U.S. Debit for the common AID label because it is the closest you can get to calling it what it is, as it is for the other debit networks in the U.S."
MasterCard has mostly been hoping to break the "bad mold" of just presenting cardholders with PIN or no PIN, or credit or debit choices, mainly because all of the networks can handle multiple authorization methods, Aikat said.
Traditionally, choosing the common AID would mean a PIN transaction and choosing the global AID would mean signature, Aikat said. "But we have issuers where the global AID has PIN as well, and we have networks saying they are no longer accepting PIN."
At the same time, the common AID can support signature and those transactions that qualify for no cardholder verification method at all, Aikat added.
As more U.S. consumers get used to entering a PIN at the point of sale for debit and even credit cards in the future, merchants and the card brands may not be at odds over what authorization method to support, Aikat said.
"At some point in time, we can make it that debit consumers should know their PIN and use it," he said. "It really is about the consumer experience at the POS, and as more get used to the idea of PIN, we can continue to have that conversation with merchants [on authentication and routing]."