I’m always leery when the “industry applauds” any new initiative, particularly when that initiative comes from an 800-pound credit card gorilla. Simply, industry “applauds” a new initiative only when it puts more money in industry’s pockets.
As such, a blog by Visa caught my eye. “Industry Applauds Visa’s Decision to Speed Up Acceptance of EMV Contact and Chip Technology in US” (which could be the longest blog headline in history) chirps about “industry analysts and experts” lauding the new migration deal to encourage merchants to change their card terminals for chip transactions that Visa announced on Monday. Does Visa deserve the applause?
To review, Visa on Monday essentially said three things:
- Merchants need to swap out their mag-stripe processing terminals for dual-interface versions that allow for contact and contactless chip transactions by Oct. 1, 2015 — and if they don’t …
- Visa will shift the liability for counterfeit fraud, but not lost-and-stolen fraud or internet fraud, to the merchant from the issuer; and
- Card processors must upgrade their systems for EMV contact and contactless chip transactions by April 1, 2013.
In exchange for merchants buying more expensive terminals, Visa is making a deal. Visa is giving merchants a pass on PCI audits, assuming the merchants meet certain standards, such as not having been a victim of a data breach (which would be unlikely if the merchant were undertaking annual PCI audits — but I digress). The PCI audits cost $225,000 to $500,000 per year. The dual-processing terminals cost around $30 more than the mag stripe-only variety. If the merchant has fewer than approximately 7,500 terminals, the Visa deal saves the merchant money. I can hear the applause now.
But what’s really going on here? Let’s lay out some facts:
- Card terminal vendors are already shifting to dual-interface by phasing out mag stripe-only terminals, and for good reason: dual-interface terminals cost more. So Visa’s deal is probably not going to be the “ignition point” to spark EMV technology in the US, or at least it probably isn’t going to be the sole “ignition point” — maybe the Visa deal is a match in the matchbox that sets EMV ablaze (I’m starting to dislike this “ignition” analogy);
- The transfer of counterfeit fraud to the merchant is some harsh medicine. Visa would not disclose the dollar amount of the liability, but even if it is small, its transfer is a gun to merchants’ heads;
- There’s more than a little benefit to Visa in this. The dual-interface will play right into Visa’s mobile wallet (hear that, Google?) and that is no small thing, when you consider the estimates for the potential value of seizing the mobile consumer wallet;
- Letting merchants ditch the PCI audit is a BIG deal. There’s a reason why there is a full-fledged audit required as part of PCI compliance — because being PCI compliant is no small matter. I find it surprising that Visa would ditch a security requirement to advance EMV adoption under the banner of EMV offering better security. Couldn’t Visa have found another way to incentivize (read: horse trade) merchants to adopt dual-interface terminals? From what I understand, Visa is expecting merchants to remain PCI compliant without the audit because of the headline risk to the merchant from a security breach. I guess. But for an industry that has been so victimized by security breaches and has been so intent on resolving those security foibles, this relaxing of standards seems lame to me.
In the end, however, the transfer of the liability should force merchants to act by 2015. Yes, consumers will benefit from this. Yes, the shift to EMV will foster mobile payments adoption. But should we be applauding Visa for this? Maybe with one hand.