I had an interesting conversation this week with a good friend of mine who works at one of the big Internet companies. We hadn’t talked in a good while so it turned out to be a wide ranging conversation that meandered back and forth from our mutual experiences building globally scaled technology platforms, past companies, current companies, to the possibility of getting together soon for beers when we happened to be in the same part of the world at the same time. It ultimately landed on the topic of EMV and some of the unique challenges in the Payments space. While the questions were initially focused on consumer experiences, it quickly devolved (as they always do with my friends) into a technology and business conversation.
One of my most substantial learnings moving from ‘Big Internet’ to the Payments and Fintech space is that the Internet guys do not have a lock on scale or its challenges. I used to live in that world of hubris where all the tough and hard challenges were exclusively found, created, and solved within a hundred miles of the Pacific Ocean shoreline. That is not to say that they do not solve those things, its just not as exclusive as they believe. Reality has a way of kicking you in the pants. I know it did mine.
Whether it be geo-diversity in infrastructure or software platforms the need for global reach and footprint balanced against localization is not only important in an ever-shrinking world, its mandatory. This is especially true in Fintech. One does not get to focus singly on Business to Business Scenarios or Business to Consumer scenarios separately, you have to focus on both. Throw in country by country regulatory requirements around privacy, commerce, data access, taxation, industry and customer oversight and governance and you end up with a giant three dimensional jigsaw puzzle of international complexity. All of that is before you get to really hard stuff… interfacing with the customers and merchants. Now our jigsaw puzzle has reached the 4th dimension and I am pretty sure quantum mechanics and spooky action at a distance come into play in there somewhere.
‘Hey Mike, Why isn’t everyone moved over to the Chip and Pin (or EMV) in the United States yet?’. The inference was that somehow the Banks, companies like mine, and others were not doing enough to protect the consumer. To really answer his question I had to first talk about the complexity of the Point of Sale and merchant eco-system that exists between his purchase of a slice of pizza and its ultimate funds settlement to his bank. It may seem straightforward to folks who do not understand all of the pieces, but it can actually be pretty complex.
The ends are pretty simple –on one side you have the consumer interfacing with the merchant. On the other is the bank or credit card provider where the funds are ultimately provided. Most people conceptually understand those two parts. However the parts in the middle get a little tangled up.
The merchant may get its payments servicing from any one of a different number of types of businesses. The first way would be through a direct payment processor like FirstData, a second could be through an independent sales organization (or ISO) who can have relationships with a single or multiple payment processors, a third way could be through merchant’s banking partner directly who in turn has relationships with a payment processor, another way would be through an Integrated Software Vendor (or ISV) who adds additional software capabilities before it hits a payment processor. In these examples the ISO, ISV, and Banking partner still interface at some point with a payment processor before connecting to the Credit Card Associations (or schemes ) like American Express, Discover, Mastercard, or Visa, and then ultimately the bank. The path any particular transaction could take could cross many different providers. Depending on the route and merchant up, there could be some significant distance between the consumer end and the settlement end on the bank. Additionally the question of who owns the full transaction path gets fuzzy as all of these players intersect with each other in the transaction flow.
In trying to answer the question about EMV adoption the solution could be complex. In many cases the ISO and the ISV may have additional software in the mix that is not EMV compliant and the merchant must wait for their service to be compliant before they can adopt. In many cases the point of sale device they use may not be EMV compliant either and they are waiting on their business partner to provide one that is. Then of course there is normal human apathy or a lack of desire to spend the money to upgrade on the merchants behalf. All of these things play a part.
While many focus on the added security for the consumer with the EMV cards, the impact on the merchant is slightly different. It reality represents a shift in liability away from the banks and credit card companies to the merchants themselves. If a merchant does not adopt the technology, any fraud related activity from their store will be their responsibility and will need to take the loss rather than the bank. Some merchants feel like they are willing to take that risk given their customer and product mix. The last category are merchants, who like most consumers, don’t understand the complexity nor do they want to and generally ignore it.
While great strides have been made to drive EMV adoption, we are sitting woefully short of the adoption to those folks listed in the categories above. I call these folks the ‘Just-Out-Of-Reachables’ and they have been a hard nut to crack for the industry at large. It has tried for multiple years to prepare, communicate and execute for this. To be fair these interactions have not stopped commerce, and have only put the individual merchants at risk for fraud for the most part.
There is however a potentially more fatal issue on the horizon that will stop transactions and could directly impact the merchants and consumers alike. While somewhat technical in nature it has to do with a move from SHA1 to SHA2 hash certificates. Many solutions in the marketplace were initially written with the SHA1 security specifications and dependencies. Over time that certificate has proven to be less secure and the industry at large has been told to migrate to SHA2 certificates. While many of the big players have made the jump from a technology perspective to the SHA2 standard, the issue significantly overlaps and shares the same challenges with reaching out and solving for the ‘Just-Out-Of-Reachables’. Only in this case, once the SHA1 certificates expire, their point of sale systems will stop working altogether. Working with the browser forums has resulted in some firms getting small extensions to SHA1 certificate expirations, but it has not been uniformly consistent with some firms getting differing lengths of extensions, and some none at all. Its a real issue for the industry at large and we should start to see these impacts over the next few months.
It will be interesting to see how this plays out especially given the potential public exposure of it.