December 10, 2019
Study shows credit card industry ignores security innovations
A new study conducted for the Secure Payments Partnership coalition shows that the U.S. credit card industry has failed to establish adequate security standards and that a neutral third party should be put in charge, the National Retail Federation (NRF) said.
“Millions of Americans have experienced credit card fraud and that’s unacceptable,” Stephanie Martz, senior vice president and general counsel for NRF, said. “Our payments system should be the strongest and most secure in the world, but we won’t get there unless we change the way we set security standards. This study shows that the card industry has repeatedly ignored innovations that could have given us a more secure system, and that cannot be allowed to continue. NRF remains committed to continuing our work with the card companies to find lasting solutions that will protect businesses and consumers alike.”
SPP released Payment Insecurity: How Visa and Mastercard Use Standard-Setting to Restrict Competition and Thwart Payment Innovation, an in-depth study of EMVCo, an organization owned by the world’s six largest payment card companies that sets technical specifications for credit, debit and other payment cards. Conducted by the Retail Payments Global Consulting Group industry research firm, the report highlights a systemic pattern of decision-making by EMVCo that has put in place standards with diminished security that have led to increased fraud risk. Doing so has helped those card companies dominate the payments market, according to the report.
The 55-page paper concludes that the leadership of EMVCo has prioritized card companies’ market share over security, driven up costs for businesses and consumers and left the United States with a fraud-prone payment system that lags behind security standards in international markets. EMVCo claims to produce only technical “specifications” needed to ensure interoperability, but those specifications become de facto standards with implications far beyond technical compatibility. Because EMVCo is run by the major card companies, it is not an appropriate organization to develop standards with such widespread impact on the U.S. payments system, the paper says.
The report recommended that standards-setting be shifted from EMVCo to a neutral national or international standard-setting body. The report shows:
- Visa and MasterCard dominate EMVCo and ensure that it sets standards they can use to beat competitors.
- EMVCo bolstered Visa’s 20-year-plus battle against allowing retailers to process transactions through competitors’ debit networks, resulting in the implementation of less-secure chip-and-signature EMV cards in the United States rather than the chip-and-PIN cards used in most of the rest of the world.
- EMVCo adopted expensive, complex and difficult-to-implement technology such as near-field communication because it prevents competitors from entering the mobile payments market.
- EMVCo adopted an anticompetitive tokenization standard that discriminates against debit networks and non-card forms of payment.
- EMVCo ignored the work of other organizations such as the Fast Identity Online Alliance and World Wide Web Consortium in developing open standards for authentication that would have allowed competitors into the system.
- EMVCo has introduced the Secure Remote Commerce standard, which purports to become a new integrated checkout platform for online payments but could make it difficult to route transactions through competitors’ debit networks, create higher dependence on the card companies and increase merchants’ payment processing costs.
EMVCo and the card companies have routinely dismissed innovations and new standards to maintain their dominance, according to the study. The paper highlights how EMVCo says its specifications promote “compatibility,” “interoperability” and “secure transactions” but contradicts these concepts with its own practices.