Recent large-scale data breaches—specifically Target and Neiman Marcus—have brought new attention to the issue of the U.S. shifting to EMV (often deployed as Chip and PIN), a payment approach that replaces the magnetic strip with a chip and is has been deployed for years in much of Europe as well as Canada and Mexico. The arguments in favor of EMV—as opposed to mobile—are unrealistic, as became clear during U.S. Senate testimony on Tuesday (Feb. 4). Given EMV's struggles, mobile payment is now becoming crucial. Can the industry get its act together? (Answer: Of course it can't, but let's be hopeful and pretend that the adults will take over.)
Some quick background on EMV. Officially standing for Europay MasterCard Visa, there are two security facts about EMV that everyone agrees on. First, that EMV is a lot more secure than magstripe. And secondly, that EMV is not really all that bloody secure. Oh, and it also effectively shuts down card cloning, which is a big problem in the U.S..
The argument against U.S. EMV is that it's an older technology and that, if the U.S. retail community is going to sustain a huge expensive and painful payment change, it really should be for something much more secure than EMV. In the background, there sits mobile, with the unlimited potential for truly radical payment change, delivering transactions infinitely more secure than mobile and also delivering a wide range of needed services that leverage the nature of mobile.
The problem with mobile is that it forces a behavior change on consumers and no player—not retailers, the card brands, payment processors, banks, handset manufacturers, mobile OS firms, mobile payment vendors, security companies, etc.—has shown a willingness to step up and pay the piper. That's why mobile trials happen with no marketing support and no associate training, which clearly will deliver lackluster results.
Therefore, with mobile payment going nowhere and data breach frequency soaring, U.S. retailers are being pressured to move to EMV. With that, let's go back to this week's Senate testimony.
Neiman Marcus CIO Michael Kingston argued to the panel that there's a domino aspect to EMV adoption. If just one chain—or even all of retail—embraces it, it's not enough. The entire payment community needs to make the move simultaneously. What good is Macy's accepting EMV when no shoppers have them—because their banks haven't shipped them? Flipped, the question becomes: Why should the banks pay to create the more expensive chip cards and ship them when their consumer customers have no U.S. places that will accept them?
"The issue that we're talking about here is that there are lots of different technologies available," Kingston told the Senate panel, according to HealthInfoSecurity. "Consumers don't have a lot of these cards. None of my cards have chips on them. While it's an option, it's something that hasn't been adopted. All of the actors need to be able to adopt these technologies at the same time. Consumers need to, financial institutions need to and the private sector as well needs to."
Target CFO John Mulligan, testifying before the same Senate subcommittee, sang a similar Kumbayah tune as did Kingston, but with a very practical difference. A couple of years ago, Target had trialed EMV, but the trial failed. Why? Hardly any customers tried to use it. Cue the same "lack of industry" support as the reason.
"To prevent this from happening again," he told the Senators, according to Computerworld, "none of us can go it alone. We need to do this together."
The reality is that it is going to take years to get the players to make EMV happening in the U.S., but which time EMV will be further behind the security cutting edge. Mobile payments are the only way out. If the industry is going to get together on any new payment approach, it needs to be mobile.