Spooky Action Issues Ahead for the Just-out-of-Reachables

I had an interesting conversation this week with a good friend of mine who works at one of the big Internet companies. We hadn’t talked in a good while, so it turned out to be a wide-ranging conversation that meandered back and forth from our mutual experiences building globally scaled technology platforms, past companies, and current companies to the possibility of getting together soon for beers when we happened to be in the same part of the world at the same time. It ultimately landed on the topic of EMV and some of the unique challenges in the Payments space. While the questions were initially focused on consumer experiences, it quickly devolved (as they always do with my friends) into a technology and business conversation.

One of my most substantial learnings moving from ‘Big Internet’ to the Payments and Fintech space is that the Internet guys do not have a lock on scale or its challenges. I used to live in that world of hubris where all the tough and hard challenges were exclusively found, created, and solved within a hundred miles of the Pacific Ocean shoreline. That is not to say that they do not solve those things, it’s just not as exclusive as they believe. Reality has a way of kicking you in the pants. I know it did mine.

Whether it be geo-diversity in infrastructure or software platforms, the need for global reach and footprint balanced against localization is not only important in an ever-shrinking world, it’s mandatory. This is especially true in Fintech. One does not get to focus on Business to Business scenarios or Business to Consumer scenarios separately; you have to focus on both. Throw in country-by-country regulatory requirements around privacy, commerce, data access, taxation, industry and customer oversight and governance, and you end up with a giant three-dimensional jigsaw puzzle of international complexity. All of that is before you get to the really hard stuff… interfacing with the customers and merchants. Now our jigsaw puzzle has reached the 4th dimension and I am pretty sure quantum mechanics and spooky action at a distance come into play in there somewhere.

‘Hey Mike, why isn’t everyone moved over to the Chip and Pin (or EMV) in the United States yet?’ The inference was that somehow the Banks, companies like mine, and others were not doing enough to protect the consumer. To really answer his question I had to first talk about the complexity of the Point of Sale and merchant ecosystem that exists between his purchase of a slice of pizza and its ultimate funds settlement to his bank. It may seem straightforward to folks who do not understand all of the pieces, but it can actually be pretty complex.

The ends are pretty simple: on one side you have the consumer interfacing with the merchant. On the other is the bank or credit card provider where the funds are ultimately provided. Most people conceptually understand those two parts. However, the parts in the middle get a little tangled up.

The merchant may get its payments servicing from any one of a number of different types of businesses. The first way would be through a direct payment processor like FirstData. A second could be through an independent sales organization (or ISO), which can have relationships with a single or multiple payment processors. A third way could be through the merchant’s banking partner directly, who in turn has relationships with a payment processor. Another way would be through an Integrated Software Vendor (or ISV), who adds additional software capabilities before the transaction hits a payment processor. In these examples the ISO, ISV, and banking partner still interface at some point with a payment processor before connecting to the Credit Card Associations (or schemes) like American Express, Discover, Mastercard, or Visa, and then ultimately the bank. The path any particular transaction takes could cross many different providers. Depending on the route and merchant setup, there could be some significant distance between the consumer end and the settlement end at the bank. Additionally, the question of who owns the full transaction path gets fuzzy as all of these players intersect with each other in the transaction flow.

In trying to answer the question about EMV adoption, the solution could be complex. In many cases the ISO and the ISV may have additional software in the mix that is not EMV compliant, and the merchant must wait for their service to be compliant before they can adopt. In many cases the point of sale device they use may not be EMV compliant either, and they are waiting on their business partner to provide one that is. Then of course there is normal human apathy or a lack of desire to spend the money to upgrade on the merchant’s behalf. All of these things play a part.

While many focus on the added security for the consumer with the EMV cards, the impact on the merchant is slightly different. In reality it represents a shift in liability away from the banks and credit card companies to the merchants themselves. If a merchant does not adopt the technology, any fraud-related activity from their store will be their responsibility and they, rather than the bank, will need to take the loss. Some merchants feel like they are willing to take that risk given their customer and product mix. The last category is merchants who, like most consumers, don’t understand the complexity, nor do they want to, and generally ignore it.

While great strides have been made to drive EMV adoption, we are sitting woefully short on adoption among the folks in the categories above. I call these folks the ‘Just-Out-Of-Reachables’ and they have been a hard nut to crack for the industry at large, which has tried for multiple years to prepare, communicate and execute for this. To be fair, these interactions have not stopped commerce, and have only put the individual merchants at risk for fraud for the most part.

There is, however, a potentially more fatal issue on the horizon that will stop transactions and could directly impact merchants and consumers alike. While somewhat technical in nature, it has to do with a move from SHA1 to SHA2 hash certificates. Many solutions in the marketplace were initially written with the SHA1 security specifications and dependencies. Over time that certificate has proven to be less secure and the industry at large has been told to migrate to SHA2 certificates. While many of the big players have made the jump from a technology perspective to the SHA2 standard, the issue significantly overlaps and shares the same challenges with reaching out and solving for the ‘Just-Out-Of-Reachables’. Only in this case, once the SHA1 certificates expire, their point of sale systems will stop working altogether. Working with the browser forums has resulted in some firms getting small extensions to SHA1 certificate expirations, but it has not been uniformly consistent, with some firms getting differing lengths of extensions, and some none at all. It’s a real issue for the industry at large and we should start to see these impacts over the next few months.

It will be interesting to see how this plays out especially given the potential public exposure of it. 


Prediction: Digital Wallets (#Apple Pay,#SamsungPay,#GooglePay) Find their KillerApp at the Gas Pumps


I was recently in a checkout line at a local retailer politely waiting my turn when a very common experience occurred in front of me.   Let me set the scene:

The cashier begins scanning the grocery items of the person in front of me.  The customer walks up to the card reader on the point of sale device and swipes the card. It doesn’t work.

Cashier: Is that a chip card?

Customer: Yes.  Why isn’t it working?

Cashier: You have to wait for me to finish ringing everything up when you have the chip card.

Customer: I liked it better when I could just swipe.  It sped things up a lot.

Cashier: I know it.

(The cashier continues scanning the rest of the groceries until all were accounted for).

Cashier: That will be $86.16

Customer: Ok (puts card in the reader).

Cashier: It’s not in all the way.  Push it until it clicks.

Customer: Ugh.. Ok.  (pushes it in a little more). 

Customer: Ok, it says Don’t Remove your card.

Cashier: Ok we just have to wait a few.

Customer: Why would they replace something that was so fast before with something so terribly slow?

(Transaction clears)

Cashier: Ok all set. Go ahead and remove your card.

Customer: I hate these new cards.

Cashier: I know it.

Let’s face it. The customer experience around the move in the United States to EMV or Chip & Pin thus far has been ugly for the average American consumer. We are a society of near instant gratification. We have come to expect it. My friends in Europe and abroad have been used to this type of interaction on payments for some time, but here in the States the SWIPE is firmly encoded into muscle memory. It’s natural. It’s unnatural to do anything else.

At some level most Americans have a passing understanding that the EMV card is more secure and prevents fraud. That’s about where it ends. In another interaction I witnessed, a man making a purchase exclaimed, “I hate this Insert card thing.  I know it’s more secure, but that’s my bank’s problem.”

In either case I was not about to go into the intricacies of the shift of liability for fraud from the banking institutions to the merchant, or explain that ultimately it was the grocery store (and not the banks) that would need to worry about the fraud and security if they did not upgrade their point of sale devices to EMV. I just wanted to buy a gallon of milk, six ears of corn on the cob, and a few packets of gravy dust. Just how my wife turns that dust into delicious gravy is still a mystery, but that is not important here.

For those of you who do not know what an EMV card is, the Wikipedia entry defines it thusly:

EMV is a technical standard for smart payment cards and for payment terminals and automated teller machines that can accept them. EMV cards are smart cards (also called chip cards or IC cards) that store their data on integrated circuits in addition to magnetic stripes (for backward compatibility). These include cards that must be physically inserted (or “dipped”) into a reader and contactless cards that can be read over a short distance using radio-frequency identification (RFID) technology. Payment cards that comply with the EMV standard are often called Chip and PIN or Chip and Signature cards, depending on the authentication methods employed by the card issuer.

EMV stands for Europay, MasterCard, and Visa, the three companies that originally created the standard.

The shift in the underlying technology is definitely a big one. It’s all the stuff I care about as a technology professional. It’s the stuff that the consumer never sees or has an inkling is going on. I get interested and excited by the fact that the packet payload of a transaction increased significantly going from Non-EMV to EMV, even more so if there is encryption or other security products in the mix on the transaction, making the packets larger still. I love the challenge that those larger packets create on the global payment network, the network sizing and global capacity planning. I am enthralled by the changes in how those transactions are then routed, checked and authorized. All of these things could, can, and do contribute to the transaction time per “dip”. It is these technological equivalents of the arcane black arts, wizardry, rain-dances, and human sacrifices performed in the back-end that capture my attention. For most, however, it all nets out to “Why does this take so long?”

It is in that non-technical, physical, customer service experience that Digital Wallets will finally begin to experience their time of greatest adoption.

Digital Wallets like Apple Pay, Samsung Pay, Google Pay, and other “x-pay” technologies have been out there for a while. Their ultimate adoption in the marketplace hasn’t really been all that significant (although it is growing slowly), mostly because it has not really hit mainstream yet. Sure, the technology geeks like me have them installed. So do the Hipsters who want to show their “tech-cred” by getting their No Whip, Half-caf, skinny lattes without putting down their phones and retrieving their wallets (which coincidentally are almost always carefully hidden within their perfectly groomed beards like Captain Caveman).

To hit the mainstream, something is going to have to agitate the average consumer so much that it starts to drive the change. I believe that change is on the horizon. In fact, I may even know the date: October 1, 2017. That date is the deadline by which all gas pumps in the United States must become EMV compliant. There is a good chance the petrol industry will seek a delay (after all, can you imagine the scale of the issue of replacing every gas pump in the country?). They were given two extra years to make the conversion, but it will likely be a logistical nightmare compounded by the fact that many gas stations are not owned by the gas companies at all, but are franchises owned by local business people.

My personal prediction is that most folks will not want to go through the Stick and Click method at the pumps. Swiping has become muscle memory for just about every American. It’s so universal here that people use the swipe hand gesture to signal a waiter that they are ready to close out their tab. It’s raw. It’s physical. It’s quick and easy. Our desire for near instant gratification will push us to something else. Having your credit card information on your phone, and the ability to move your phone “in a swipe-like motion” at the pump for payment, will be much easier. It will feel like what they have always done. All of the technical wizardry that I perform will still take place, but it will do so device to device, behind the scenes. It may even be just as slow, but you will not have to remove your credit card and leave it exposed in a machine while you dart your eyes awkwardly around the gas station while the pump displays the message “DO NOT REMOVE YOUR CARD” for all the world to see.

To some degree this speaks to our innate human resistance to change.  Perhaps even a bit of laziness at a societal level.  But I am sticking to my prediction that these two items will be linked.  I guess in the end only time will tell. 

Now if you will excuse me, I am headed off to enjoy my dinner and the magical gravy juice that was literally produced from dust.