[Originally published on LinkedIn November 4th, 2014]
1. ‘Will EMV at ATMs be ‘ready’ in the United States before the liability deadlines?’
Maybe. The domestic liability shifts (remember that the liability shift for inter-regional Maestro ATM transactions actually went into effect on April 19, 2014) for MasterCard are scheduled for October 2016. Visa’s liability shift for all transactions is slated for October 2017. That is still 23 and 35 months away respectively. So that being said, maybe at the FI ATM deployer level, probably not at the ISO/IAD level. At least not at the penetration that we would all like to see. Why? Well first the ISO/IADs are already, and have been for a while, whining about the impact of EMV to their bottom line and how they want someone else to pay for it. Secondly, lest we not forget who were the last holdouts when it came to 3DES deployment and compliance. Regardless, ISO/AIDs will not be the only ones left on the dance floor when the music stops. I have no doubt that there will be some small FIs who don’t make the deadlines and some larger $10B+ that linger on due to the fact that many of them are spending 2015 migrating to Windows 7 since they paid for the 1-year support extension. Having been to four different industry conferences since signing our statement of work in October 2013 to complete our W7 migration [completed in June 2014], I know too many colleagues who just recently signed for or started the project work on their W7 migration. That said many of them may use the timing of W7 in 2015 to also upgrade all their ATMs to EMV capability if they already haven’t. Not to mention the impact that the number of POS terminals in this country, which is exponentially higher than the 420K+ ATMs in the United States, might have on EMV resources.
We shall see what happens over the next 23 months.
2. ‘Who will win….Apple Pay or MCX?’
I don’t know…you got a quarter we can flip? Honestly…I think it will land on its side at a stalemate…in the short term. The lash back from consumers after the Rite Aid, CVS, Walmart posturing last week that saw these merchants cut off the NFC-nose on the payments face to protect their investment, and their gamble to bypass the brand networks, may have a lot to do with how this moves from here on out. I am no apologist for Apple, nor a cheerleader for them. I have an iPhone due to the fact that I love iTunes, so do my kids, and the Droid I had for a short stint was hacked by an improperly vetted online app in 2012. Apple Pay has been followed by a slew of contracts to sign from Issuing Processors, Apple, and the Brands…they are all getting their cut. But anyone who believes that Walmart, Rite Aid and CVS are blocking NFC under “consideration of what is best for their company and their consumer” is also buying swampland in Florida. Durbin didn’t reduce prices for consumers, and cutting Brands out with MCX will undoubtedly due as much for the consumers checkbook as Durbin did…nothing.
Here’s a wild thought [I know it won’t happen but just think of the impact]….what if Apple released an app for Apple Pay that would allow Droid/Windows based smart phones to access and use the Apple Pay environment? And then added incentives for those that ran the app on an iPhone? Granted I don’t see the Apple market share of the devices growing past 50% due to ups and downs of a fical and reactionary customer base, but imagine the impact to MCX and any other payment platform if anyone could use Apple Pay with just about any card or payment stream. Apple could still have potential access to 100% of mobile device payments even if Apple didn’t manufacture the device.
But back to reality.
One thing is clear though. The group that will definitely lose and lose fast on a TKO, is the one that suffers another public data breach of ANY kind. The trust factor with consumers is a critical juncture. When emails are hacked, and cards are attacked, cash remains king. Job security for the ATM deployers will remain a reality as long as they stay vigilant with security as well.
3. ‘Will Mobile Cash Access or Mobile Merchant Payments [whether they be NFC, QR codes, etc.] move us past EMV and negate the need? Can’t we just wait?’
No. And No. I know I said this was the 5 things I know we don’t know…but this is just about a given, unless someone figures away around the complexity and disaster of telling all your loyal, already fraud gun-shy cardholders that they MUST be able to use a smart phone only to safely access cash at ATMs and payments at merchant POS before October 2017. Um, good luck with that. You’re not going to be able to get cardholders off of plastic fast enough. Though you’d think with the current trend of breaches causing card reissues they might be ‘ready’ to jump off plastic for good. And yet much like NSF fees and mortgage resells, they seem to almost be immune to it. Today is election day…while the public screams about the Executive Branch or the Congress, and they will complain, and gripe about lack of faith in the government, what’s the percentage of voter turnout today? Exactly.
While EMV on the debit side in post-Durbin America with the new universal AID is “untested”, it is still easier to comprehend the deployment of EMV at ATM/Merchant POS over the next two years than it is conceivable to have a ubiquitous [smack me for using this current buzz word] mobile platform to use at all these touch points in a deployment timeframe close to or shorter than EMV liability will hit your pocketbook. Whether it be ACT CEO Cathy Johnston, or MasterCard’s EMV swami Max Belin , they will tell you that you can’t try to play the ‘risk game’ with the move to EMV. “Don’t play the numbers…the bad guys will figure out your EMV soft spots quickly, and you will lose big,” said Alvaro Cordoba, Citibank LATAM at ATM&Mobile Summit 2014. Plus, you still have to accommodate for your clients and members using EMV abroad. And remember, abroad does not just mean far flung Singapore and Belgium. Try traveling from the United States and paying for anything in Canada or Brazil right now with a non-EMV debit or credit card. Hope you brought some cash with you.
4. ‘How will we ever lessen the impact of these fraud and operational attacks?’
That’s the number one question on the minds of those of us in charge of operating and securing the ‘machine’ behind the scenes. Yes we are looking at Apple Pay, MCA, one-2-one marketing at the ATMs, and the interaction of the mobile, payments, & ATM channel. But security is and will be the keynote to start every morning at work for the foreseeable future. Though honestly we have a better chance of solving the aforementioned than positively answering the question I was asked by an executive at the ATM&Mobile Summit in September, “Will these attacks ever stop, much less slow down?”
Again, “No.” It’s too lucrative, too many of the ring leaders and top profiteers from these scams and attacks (a) make too much money from it and (b) live out of the reach of Western law enforcement for there to be a ceasing to the activities. We’ve left too many gaps in the fences,so they will keep coming till we plug them all…and then they’ll bring the ladders to go over the walls. You can get caught as the head of one of these scams that causes $Millions in card processing losses, and at best you might serve 5-years…if they can find you…if they can catch you…if they can extradite you.
Will we ever mitigate the risk and losses to the level where it’s more of an annoyance such as check fraud? And doesn’t make for sensationalized international headlines? No one is sure of that.
What we can do, and must do is get the obese, video game playing lump off the couch and get him into a crossfit class. The global, but most specifically the United States, card & payments system needs to take it on the chin for 18 to 24 months and revamp itself: Tokenization, AES Encryption, EMV Cryptographic Protocols, Dual Authentication, and P2P Encryption. EMV is barely a stop gap with magstripe in play in the US till at least 2017/2018. EMV with magstripe is tantamount to your wife asking for a privacy fence so she can sunbath in the backyard, and she comes home to find you installed a chain-link fence. Not very effective.
Whatever the form of payment we must make the penetration of the POS terminals, the pipeline between each processing node, the data being passed along, and the identification of the users so worthless to the fraudster that they stop attacking the digital channel with the ease and frequency that they do so now.
In addition, severe, irrevocable financial penalties must be imposed by the Brands, or as a last resort by the government, against any merchant, FI, or processor whose documented negligence leads to a data breach and/or financial losses and/or identity theft.
Will any of this happen? Who knows, the ‘Big Boxes’ are still too busy trying to sue Visa and MasterCard for an additional $5B in “damages” for “interchange fixing” dragging out an argument none of the consumers believe anyways, and rolling out a new payments platform that took less than six months to get hacked.
Really…? “Damages”? You poor, poor souls. How will you ever pay your bills? How about we sue you for price fixing…or better yet price gouging for foreign made products? But I digress.
5. What the bloody hell is “omnichannel”? Does anyone REALLY know what they are saying when they throw that out there?’
I was about ready to punch myself in the face for using the term ubiquitous, a buzzword that went viral the week the Apple Pay hit while I was at the ATM&Mobile Summit in DC. You couldn’t get through a single speaker or 1-hour presentation without it being said.
Ubiquitous (adj): present, appearing, or found everywhere.
Omnichannel (noun): Ummmm…not sure, I found five different spellings and none of them had a Webster’s Dictionary entry. Omni-channel? Omni channel?
Don’t get me wrong, I understand the concept those that use this term are trying to get across. “Omnichannel is about true continuity of your experience.” Errrr….
Again, I think we can all agree that we understand that we started with the “multi-channel” concept in allowing our clients/customers/members to interact with and/or learn about our companies and products via ‘multiple’ digital and physical delivery channels: branches, TV, radio, internet, mobile, ATMs, and yes even….the mail.
And we all understand the operational need and marketing logic behind the reality or perception of a unified platform for the digital delivery channels so that the same experience, offerings, and timeliness is obtained for the product and services we are presenting, while not bogging down the backend with dozens of different vendors and software systems that require twice as much time and resources to connect to one another fluidly.
So that brings us back to the “omnichannel” and the desire to have a payments platform that the consumer perceives as “ubiquitous”.
Consumer, “I don’t want to think about my payment, except for the few times I want to switch between fund sources (ACH to bank account, credit card, debit card). I want to be able to use one mode/device for payments. I want it easy to set up, simple to use, reliable, secure, and accepted everywhere for everything, as well as knowing what I want and rewarding me for loyalties to brands.”
Well gee-whiz…..is that all?
Developing an ‘omnichannel’ experience cannot happen in a bubble. Believe it or not competitors will have to shake hands to some extent to ever accomplish such a utopian consumer environment. Some reports and descriptions of the interaction between the MCX players give rise to such a concept. But by the looks of how MCX and Apple Pay are going to war, does this REALLY have any chance of ever happening at an industry and global level. Yes, and no.
I say yes because we already had a sense of something like this genuinly happening the day Visa and MasterCard (July 2013) came out together and stated, ‘Okay, we are going to agree to a common AID for EMV in the US so we can get this EMV show on the road.’ That single move started an avalanche of movement and contract agreements with all the major processors and networks falling in line within less than 10 months. Before that a half dozen small ‘EMV groups’ had kicked off with overlapping membership as they all jockeyed to see whom would make ‘the decision’ that would allow EMV to move forward. They all fell apart, and the borders disappeared greatly after the VISA-MC announcement. So it can happen.
Will it happen with merchant POS? That is anyone’s guess. Right now the ‘Brands’ have made their allegiances and so have the ‘Big Boxes’ of the “consortium” [the nickname still makes me think of international mobsters] that is MCX. Unless something happens, like the aforementioned dream of Apple Pay being available on non-Apple devices, it will be a long road before you can have an “omnichannel” that works effectively within your organization much less with the rest of the world.
Going to be an interesting 35 months to be sure!
Cruachan Consulting Services, LLC 