Study: Credit Card Industry Has Ignored Security Innovations
SPP released “Payment Insecurity: How Visa and Mastercard Use Standard-Setting to Restrict Competition and Thwart Payment Innovation[CS1] ,” a study of EMVCo, an organization owned by the world’s six largest payment card companies that sets technical specifications for credit, debit and other payment cards. Conducted by the Retail Payments Global Consulting Group industry research firm, the report highlights a systemic pattern of decision-making by EMVCo that has put in place standards with diminished security that have led to increased fraud risk. Doing so has helped those card companies dominate the payments market, according to the report.
The paper concludes that the leadership of EMVCo has prioritized card companies’ market share over security, driven up costs for businesses and consumers and left the United States with a fraud-prone payment system that lags behind security standards in international markets. EMVCo claims to produce only technical “specifications” needed to ensure interoperability, but those specifications become de facto standards with implications far beyond technical compatibility. Because EMVCo is run by the major card companies, it is not an appropriate organization to develop standards with such widespread impact on the U.S. payments system, the paper says.
The report recommended that standards-setting be shifted from EMVco to a neutral national or international standard-setting body. The report shows:
- Visa and MasterCard dominate EMVCo and ensure that it sets standards they can use to beat competitors.
- EMVCo bolstered Visa’s 20-year-plus battle against allowing retailers to process transactions through competitors’ debit networks, resulting in the implementation of less-secure chip-and-signature EMV cards in the United States rather than the chip-and-PIN cards used in most of the rest of the world.
- EMVCo adopted expensive, complex and difficult-to-implement technology such as near-field communication because it prevents competitors from entering the mobile payments market.
- EMVCo adopted an anticompetitive tokenization standard that discriminates against debit networks and non-card forms of payment.
- EMVCo ignored the work of other organizations such as the Fast Identity Online Alliance and World Wide Web Consortium in developing open standards for authentication that would have allowed competitors into the system.
- EMVCo has introduced the Secure Remote Commerce standard, which purports to become a new integrated checkout platform for online payments but could make it difficult to route transactions through competitors’ debit networks, create higher dependence on the card companies and increase merchants’ payment processing costs.