Amidst the furore surrounding the launch of Apple Pay in the USA, more news of data breaches in the US broke over the last few weeks as Staples joined the ranks of well-known retailers facing similar breaches including Home Depot, Sally Beauty, Dairy Queen, Supervalu, Michael’s and Target. The situation has now grabbed the attention of President Obama who signed an executive order on Friday 17th October to improve security for government credit and debit cards by ensuring they use Chip and PIN technology.
"Last year . . . more than 100 million Americans had information that was compromised in data breaches in some of our largest companies,” said Obama, “The idea that somebody halfway around the world could run up thousands of dollars in charges in your name just because they stole your number or because you swiped your card at the wrong place at the wrong time—that’s infuriating.”
The White House issued a statement which called on Congress to pass data breach and cybersecurity legislation: “The current patchwork of laws governing a company’s obligations in the event of a data breach is unsustainable, and helps no one.”
The EMV Solution
So will EMV be the ‘magic bullet’ that resolves the problems facing US retailers and take the attention of cyber criminals around the world away from their customer’s data?
Visa and MasterCard’s timing for EMV adoption are fairly similar with the main deadline set at October 1st 2015. Counterfeit card liability will shift to acquirers on this date for card-present POS transactions where the merchant does not have an EMV enabled POS device (transactions at automated fuel dispenser have until October 2017). Both Visa and MasterCard also offer incentives so that if Merchants are processing the majority (95%) of their transactions on EMV devices, then the merchant can avoid fines for data breaches. There are similar benefits for EMV adopters with regard to PCI DSS reporting: although merchants must comply with PCI regulation, they’re relieved of the burden of completing yearly assessments and audits. This may, in many cases, offset the cost of replacing payment terminals, currently estimated as costing merchants more than $2.5 billion collectively.
Deadlines aside, how likely is it that US retailers are going to move to EMV with any degree of urgency? Despite the numerous data breaches, potential losses financially and to reputation, costs of replacing terminals and replacing cards are so high that there is likely to be some dragging of feet. There are also strong indications that while there are plans to introduce EMV cards, there is likely to be a period of Chip & signature before card issuers move to Chip and PIN.
Against this background, the launch of Apple Pay, and competing ‘mobile wallet’ solutions like PayPal and Google Wallet, which take advantage of NFC contactless payments, have the potential to leapfrog traditional card payments in the US marketplace by offering higher security and less risk of fraud and identity theft.
Apple Pay is offering what appears to be highly secure transactions, including tokenization and biometric finger print identification.
Two potential issues for Apple Pay are:
- the recent theft of data from iCloud which may confuse the consumer into thinking Apple Pay is not secure: in fact, transactions are more secure than magnetic stripe card payment, and due to the biometric identification, are more secure than Chip and signature transactions too.
- CurrentC, the payment solution being put together by a retailer consortium which has led to Apple Pay being rejected and NFC terminals switched off in some high profile retailers like Rite Aid in recent weeks. However, CurrentC has suffered a data breach of its own and press has been mixed on the technology behind the payment system.
So, mobile payments, dependent on how these messages are communicated to the public in the US, have huge potential for growth, especially against a background of data theft stories which have been hitting the headlines month on month since last Christmas.
In Europe and the rest of the world the advantages are less clear when EMV Chip and PIN transactions are already the norm for most locations. However, it will be interesting watching what happens both in the US and in Europe, where Apple Pay launches in 2015.