Electronic Payments: Do The Right Thing
I woke up this morning to an urgent message on my mobile phone that American Express had detected two possible fraudulent transactions with my account, both to dot-com sites. This has happened before (in fact, two other times in the last 12 months), and American Express has really good fraud detection capabilities, so I guess I shouldn’t really care. But I do – after all, this is just the kind of thing that RSR opines about.
Putting this into some context, my little crisis is just another example of the looming threat of CNP (“Card Not Present”) fraud. And that in turn brings up the issue of “chip and signature” vs. “chip and PIN”. Every retailer in America should know that most of the world outside of the U.S. uses chip-and-PIN for electronic payments, while America is still in the process of rolling out chip-and-signature (my American Express card happens to be a “chip and signature” card).
VISA is ready to declare victory on the EMV (“Euro, Mastercard, VISA”) card rollout, and has been on an all-out blitz to the media and industry analyst groups (like RSR) touting post-EMV fraud reduction statistics. VISA’s stats are indeed excellent:
“The U.S. chip rollout is already having an impact on counterfeit fraud, the number one cause of in-store payment fraud today.
- At chip-enabled merchants in the US, counterfeit fraud dropped 26 percent in January compared to a year earlier.”
But what those stats glide over is the other side of the story. Industry watchers (including RSR) have predicted that implementation of EMV in stores would push fraudsters towards CNP fraud. And that turned out to be true. In April, website pymnts.com reported that:
“Since the cutover to EMV in October, fraudsters have moved their business online. And we can tell you just how much.
The Global Fraud Index, a PYMNTS and Forter collaboration, shows that online fraud attacks have jumped by 11 percent since the shift…The culprit? Botnets. Eighty-three (83) percent of domestic attacks have utilized botnets, while less than 50 percent of European attacks and less than 40 percent of attacks around the rest of the world deployed them.”
This is one of those circumstances where prognosticators would be happy to be wrong – but alas! the realities of the post-rollout environment are exactly as predicted.
The Heart Of The Matter
The big question being debated nowadays is, “Who is responsible for the risks associated with taking electronic equivalents of cash?” I’m not at risk for the two fraudulent transactions ID’ed by American Express, because American Express protects me - I’m just inconvenienced. But when fraud does occur, who pays for it? VISA, Mastercard, et al have been accused by some pretty big retailers that they have unfairly shifted that risk onto retailers via the high transaction fees that they charge.
Transaction fees became such a big issue that the U.S. Congress intervened in 2011 by passing the Durban Amendment, which put a cap on what the payment networks should charge for debit transactions – which should have lower risk than credit transactions. This legislation was generally hailed by the Retail industry, but in March of 2016, the NRF (“National Retail Federation”) issued a statement saying,
“A cap on debit card swipe fees enacted by the Federal Reserve five years ago has helped reduce costs for retailers and consumers but is still higher than intended by Congress and should be lowered, the National Retail Federation said today.
‘In most cases, 24 cents per transaction represents a significant savings over the prior non-competitive pricing,’ NRF Senior Vice President and General Counsel Mallory Duncan said. ‘However, it is still substantially higher than issuers’ incremental costs.’”
Nonetheless, the payments industry has friends in high places, and so we should probably not have been surprised to hear that just last week, outgoing retiring U.S. Rep. Randy Neugebauer (R-TX) introduced legislation that would repeal the Durbin Amendment and the debit swipe fee reforms. I can’t imagine that that will go anywhere, but in today’s political climate, who knows?
At the heart of the matter is still that pesky question, “who pays for the risk?” But I’d like to ask an even more basic question: instead of arguing about spreading the risk out via fees, why aren’t we as an industry doing all we can to minimize that risk in the first place?
That’s the right argument to have, and may be the one that caused Home Depot last week to file an antitrust lawsuit against VISA and Mastercard, arguing that the payment networks sought to block implementation of chip-and-PIN, instead forcing the implementation of chip-and-signature. In the lawsuit, H-D stated:
"Visa and MasterCard know perfectly well that a signature alone, without the additional step of requiring a PIN, provides virtually no protection against many types of payment card fraud… While chip-and-PIN authentication is proven to be more secure, it is less profitable for Visa, MasterCard, and their member banks and it provides a greater threat to their market dominance… For years, Visa and MasterCard have been more concerned with protecting their own inflated profits and their dominant market positions than with the security of payment cards used by American consumers and the health of the United States economy."
Just for the record, let’s remember (1) why signatures were used in the first place – they are a holdover from the days when retailers kept boxes of paper credit receipts in their warehouses for years to protect against fraudsters claiming that they had never bought such-and-such an item using their card; (2) that I have yet to see an instance when a checkout clerk compares the signature on the back of my card against the electronic signature I just entered on a payment device to validate the card I just used for payment – and I’ll bet you haven’t either. The plain truth is that the idea of using a signature to validate a payment is pure and utter nonsense.
The only thing a chip-and-signature card has going for it over its predecessor, the mag-stripe card, is that it is more difficult to counterfeit. Don’t count on that being the case for too long.
And that doesn’t even begin to address CNP fraud! One of the good things about chip-and-PIN is that it works as well online as in the store.
Do The Right Thing
Once in a while, businesses need to get their eyes off of cost benefit analyses, and just do the right thing. I was thinking about professional ethics and “the right thing” in the context of “shrink”. My brother applied for a job to be a district manager at a very large deep discount chain, and he mentioned to me that the interviewer (a current DM) claimed that the company puts up with an outrageously high shrink rate (I can’t tell you the number – but it’s shocking), because that’s cheaper in their estimation than having enough staff in-store to monitor the selling floor. Furthermore, the interviewer said that he was confident that it is employees who are ripping off the stores, “because we pay ‘em rock-bottom wages and there’s no loyalty.” That cavalier attitude on the part of the business (if it’s true) is plain… unethical.
If the industry knows how to fix a problem, then it should fix it. The same holds true of electronic payments and security as it does for the retailer with obscene levels of shrink. We know how electronic payment card security should be fixed. So as an ecosystem of merchants, payment networks, and banks, we should do the right thing, and fix it. Implement chip-and-PIN, and stop messing around.