EMVCo Good or Evil

https://www.securepaymentspartnership.com/wp-content/uploads/2019/12/Payment_Insecurity_Final.pdf

In 1993, I was asked by the then CEO of Europay International to establish a relationship with Mastercard, and Visa focused on developing the specifications necessary to assure the interoperability of chip card-based security for credit and debit payment cards. The result published in 1996 was the “EMV Integrated Circuit Card Specifications for Payment Systems.”

From these humble beginnings, EMVCo has emerged as a key organization in managing the standards behind card payment systems.  In the white paper Payment Insecurity, commissioned by the Secure Payment Partnership, the author reminds us of the difference between standards managed by an open body and those tightly controlled by an exclusive group of competitors. One wonders if the owners of EMVCo will listen and strive to open up their membership or continue to use this entity to protect their proprietary interests.

In the introduction, the author speaks of a series of questions he intends to address.  The first question of the paper

Is EMVCo furthering the entire U.S. payments industry or simply protecting Visa and Mastercard’s market share? page 5

begs the question, why limit the discussion to the USA?

This American only focus is driven by the desires of the Unaffiliated Debit Networks and a set of merchants.  The paper ignores fundamental and, yes, anti-competitive elements of the EMV specification – the AID or the Application Identifier.  It was and is directly related to the Brand responsible for the underlining technology incorporated into the Chip.

I then read the following complaint and am driven to ask how the consumer interpreted the prior Debit versus Credit prompts.

Visa’s response to this solution was to require merchants to display to consumers a choice between “Visa Debit” and “U.S.
Debit” at checkout. – page 13

In essence, what Visa required was simple, the terminal should comply with the EMV specification for “application selection,” key and inherent in the multi-application design of EMV and the underlining ISO 7816.

Moving further into the document in Section 6.1, the author attempts to document the history leading to the creation of EMVCo.  As one of the founding members, the author’s sources were not involved and did not understand the history.

First, only France had a smart card solution designed to address Credit and Debit card fraud.  They referred to their implementation as B Zero Prime.

Second, the UK in 1995 was driven by Visa to embrace an earlier version of the Visa specifications adapted to the unique requirements of the UK market and branded UKIS.  UKIS and the unique UK requirements are responsible for changing many of the shall’s in the EMV 2.0 version of the specifications to should’s in the EMV 3.0 version.  This accommodation was the result of legacy limitation within the X25 network the United Kingdom depended on for card authorizations.

To further identify issues with his record of history, the statement on page 22

EMVCo developed standards for chip cards that could work with credit, debit and stored-value cards

It is fair to suggest EMV attempted to incorporate Stored-Value cards in the specification.  But as a result of the competitive realities of Europay’s Clip, Mastercard’s Mondex, and Visa Visa Cash stored value solutions, they agreed to exclude stored value cards from the specifications.

It then goes on to suggest EMV compromised and offered a Signature option.  There was not a compromise; it was intentional.  The goal, afford the Issuer the ability to determine, by Cardholder, which cardholder verification method they could be configured for.  One need was to address issues of the disabled, e.g., the Blind.

Debit Routing as a result of the Durbin amendment.  One might wonder why EMV did not consider this idea of multiple networks associated with a card.

EMVCo was unable and unwilling to resolve the lack of a debit AID because EMV was never designed for the U.S. market.

I sense that there is another front coming out of the Debit Networks seeking to argue the anti-competitive nature of EMV.  The paper, link below, draws me to wonder about the argumentation surrounding “Application Selection.”  Please let’s get back to basics – the “AID=Brand=Payment Scheme” drives “Routing.”

On page 13, it argues consumer confusion.   I would argue it ignores the past.  The EMV default user prompts of “Visa Debit” and “US Debit” are no more confusing than the historic “Credit,” and “Debit” prompts.  I would argue consumer confusion already existed.  The EMV specification for Application Selection simply afforded the Issuer the ability to provide more descriptive prompts by employing the “Application Preferred Name” instead of the default “Application Label.”

This whole fight surrounding EMV and Payment Security is really a fight about the future of Card Payments.  On one face, they argue the Payment Networks did not assure the security of the card payments to protect revenue. On the other hand, they argue EMVCo is a closed standards organization designed to protect and assure the interests of its shareholders, without consideration for the other stakeholders in the payment, e.g., the merchant.

In the end, the argument comes down to the role, definition, and control.   How we structure the underlining payment transaction is what we need to talk about.  Who provides the mechanism, guarantee, and support for a particular mechanism decides the rules.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.