As work was winding down on a recent Friday afternoon, an Executive Order came down from the President of the United States, nearly knocking me out of my chair. This year has been so bad for merchant data breaches, with more likely in the margins, that the president felt the need to ensure that the government would offer itself as a more safe and secure place to do business with, by advancing the timeframes to be EMV-compliant at government points of sale.
The chip card standard, where the magnetic stripe in a face-to-face transaction will be phased out and replaced with a SIM-card looking chip built into your credit and debit card, should serve to increase the security of payments in card present transactions. This is the leadership that I've been looking for, where the government has required something faster than the private market has, for the collective benefit of the financial system.
Opponents (yes, there are, I hear from some at least weekly!) have been saying that chip cards will be too expensive, the technology is not comprehensive enough to really secure plastic payments, and that we don't need the change.
Moving through these concerns in reverse order:
We don't need the change: Let's break this down a bit. In the last calendar year, we have had two of the most significant merchant data breaches on record affecting over 96MM cardholders. Additionally, there continues to be a steady flow of not-so-insignificant payment card breaches and as a result, various calls for moving back to cash and/or widespread adoption of newly emerging technologies to maintain payment security (and contrary to popular belief, not everyone wants a new iPhone 6 with Apple Pay).
The technology is not comprehensive enough: Yes, fine. It's not a silver bullet. What is? The capacity for this development to dramatically increase the security of card present payments at POS will ultimately reduce the frequency and volume of merchant data breaches that include payment data. I sometimes hear from security professionals that some of the card data is sent in clear text within an EMV transaction, that the technology doesn't do enough to protect the payment information. To this, I usually respond with the following: UK card present fraud declined by 75 percent after implementation. We will get to the additional security technologies on the card not present side shortly, with the next step, tokenization, which is already on the march.
It's too expensive: This one is particularly ill-founded. Let's ask some high-profile merchants who were compromised last year how fast they would trade their data breach for a POS terminal conversion project. At a cost of nearly $200 per record in the U.S. (Poneman Study), merchant data breaches cost the affected retailer a lot more than they may think in indirect costs. Further, the new POS devices themselves come in at prices just below that. OK, yes, there is a lot more to it, but my point is that it's a small price to pay to get on the train.
So, it's an easy case to make, right? I have one more for you, and it will come in as an anecdote. Every fraud manager I know has had at least one situation where they declined someone special with a fraud rule, and eventually got into a mess over it. For me, it was the CEO of a credit union I was consulting with years ago. He was declined over the weekend for a card at the very institution he managed, and it embarrassed him in front of his friends.
Everything I had done with them was then called into question and all work scrutinized. Eventually, he was made more confident in his fraud program after all the facts and metrics were laid out on the table, but there was a heightened visibility into the strategies after that. It was wise for the CEO to hear us out, understand why his decline was valid and appreciate the benefits of our strategies.The same scenario was put forth to the CEO of the United States, who was declined at a restaurant with his wife. Apparently, he rarely used the card, and a strategy caught up with him. The president ultimately decided that the problem was not the strategy, the problem was the rampant abuse of our merchants, banks and their cardholders. His progressive perspective on the matter leads me to the belief that this shift in policy will begin to change others' perspectives in the coming year.