
Payment Insecurity: How Visa and Mastercard Use Standard Setting to Restrict Competition and Thwart Payments Innovation

Copyright © 2019 Retail Payments Global Consulting, L.L.C. All rights reserved.

Payment Insecurity
How Visa and Mastercard Use Standard-Setting to Restrict Competition and Thwart Payment Innovation

René M. Pelegero
President and Managing Director
December 2019

An Investigative White Paper

ABSTRACT:

How standards are produced is a critical consideration in modern economies. If decisions about standards creation are made in furtherance of private companies’ preferences alone, the public benefit of the standards will be reduced, or even eliminated. EMVCo is an organization owned by the world’s six largest payment card companies that has positioned itself as the representative of the global payments industry. The organization asserts that it produces technical “specifications” needed to ensure interoperability, but those specifications become de facto standards with implications far beyond technical compatibility. In fact, EMVCo has a collusive relationship with its owners. This paper shows a systemic pattern by the card companies to use EMVCo to develop anticompetitive standards that protect the interests of its owners and preempt competition in the market that could lower costs and improve security for businesses and consumers alike.

This paper is the result of an in-depth examination of each of the major areas for which EMVCo is responsible for defining standards, including chip-based credit and debit cards, tokenization of payment data, near-field communication for cards and mobile-device payments, and both the Three-Domain Secure and Secure Remote Commerce standards for online card payments.

RPGC concludes that EMVCo is not the appropriate organization to develop and implement payment specifications that become de facto standards and strongly recommends that these standards be set by an independent and established open standards-setting body.


NOTICE OF CONFIDENTIALITY

No portion of this document can be copied or reproduced in any way without the express consent and written permission from Retail Payments Global Consulting Group LLC.


TABLE OF CONTENTS

PART I — INTRODUCTION 5

1. ABOUT THIS WHITE PAPER 5
1.1 Background 5
1.2 Methodology 6
1.3 Organization 6

2. EXECUTIVE SUMMARY 8

3. HISTORICAL PRIMER 10
3.1 U.S. Payments Framework 10
3.2 The Need for Standards 10
3.3 Networks Compete for Transaction Volume 11
3.4 EMVCo’s Role in Supporting Card Companies’ Recapture of Volume 13

4. WHAT IS A STANDARD? 14
4.1 Open Standards-Setting Organizations 14
4.2 EMVCo: from Consortium Specifications to De Facto Standards 15
4.3 Comparing EMVCo with Open Standards-Setting Bodies 15

5. THE EVOLUTION OF EMVCO FROM 2007 TO 2019 17
5.1 EMVCo Organization and Decision Making 17
5.2 EMVCo Staffing 18
5.3 Conclusions 19

PART II — STANDARDS REVIEW 21

6. EMV CHIP AND PIN (OR SIGNATURE) 21
6.1 Background on Chip Cards and Risk Management 21
6.2 Introduction of Chip Cards in the United States Delayed by Lack of Business Case 22
6.3 Visa and Mastercard Compete with Debit Networks 22
6.4 Visa Launches Its EMV Migration Plan 23
6.5 EMV Preventing Merchant Choices in Debit Card Routing 24
6.6 EMVCo Failures with EMV Chip Cards 25

8. NEAR-FIELD COMMUNICATION 26
8.1 Background 26
8.2 EMVCo Entering Mobile Payments 26
8.3 EMVCo Selects NFC for Mobile Payments 27
8.4 EMVCo NFC Specification Complicates Merchant Choices in Debit Card Routing 27
8.5 NFC: A Tool to Prevent Competition 28
8.6 EMVCo’s NFC Standard Drawbacks 29
8.7 EMVCo’s QR Code Standards 30
8.8 EMVCo’s NFC Specification and Apple Pay 30
8.9 EMVCo Failures with NFC 31

9. TOKENIZATION 32
9.1 Background 32
9.2 Standards-Setting Organizations Developing Open Tokenization Standards 32
9.3 Industry Calls for Open Standards 33
9.4 Apple Pay’s Role in Tokenization 33
9.5 EMVCo Takes Ownership of Card Companies’ Tokenization 34
9.6 EMVCo Tokenization Framework 1.0 Deficiencies 36
9.7 EMVCo Tokenization Framework 2.0 Updates and Remaining Deficiencies 37
9.8 Network Tokens Introduce Challenges to Merchant Debit Card Routing Choices 37
9.9 EMVCo Failures with Tokenization 38

PART III — CONCERNS WITH NEW STANDARDS 39

10. 3-D SECURE VERSION 2.0 39
10.1 Background 39
10.2 Evolution from 3DS 1.0 to 2.0 39
10.3 3DS 2.0 Pre-empting Competition 40
10.4 3DS 2.0 Positioned as a Strong Customer Authentication Standard 40
10.5 EMVCo Ignores Authentication Standards from Other Standards-Setting Bodies 41
10.6 Industry Concerns with 3DS 2.0 42
10.7 Conclusion 43

12. SECURE REMOTE COMMERCE 44
12.1 Background 44
12.2 Game of Buttons 44
12.3 SRC User Experience 47
12.4 EMVCo SRC Standard Components 48
12.5 Issues with the Development of SRC Standard 48
12.6 Industry Concerns with SRC Standard 49
12.7 Conclusion 51

PART IV — CONCLUSIONS 52

13. CONCLUSIONS 52
13.1 Is EMVCo Protecting Visa’s and Mastercard’s Market Share? 52
13.2 Is EMVCo Capable of Developing Standards in Areas Beyond its Original Charter? 52
13.3 Is the U.S. Payments Industry’s Competitive Landscape Being Hurt by Allowing EMVCo to Set Standards? 53


PART I — INTRODUCTION

1. ABOUT THIS WHITE PAPER

Retail Payments Global Consulting Group was engaged by the Secure Payments Partnership to study and determine whether the U.S. payments industry is best served by EMVCo as the standards-setting organization for consumer payments.

SPP* represents and advocates on behalf of industries that span the payments system, ranging from retailers to the financial services industry. In keeping with its mission, SPP commissioned RPGC to research whether the standards set by EMVCo unfairly advance card companies’ dominance in the United States.† This research also examined whether EMVCo standards deliver the most secure and efficient payment experiences for U.S. consumers and merchants.

The objective of this white paper is to educate readers on the critical role EMVCo plays in how payments are conducted in the United States and how EMVCo impacts the economic, security and competitive aspects of the U.S. payments landscape. The audience for this paper includes merchants, payment service providers, consumer protection and advocacy organizations, policymakers and all other payments industry participants concerned with the welfare and competitiveness of the U.S. payments system.

This research intends to answer the following four questions:

• Is EMVCo furthering the entire U.S. payments industry or simply protecting Visa and Mastercard’s market share?

• Is EMVCo capable of developing standards in areas beyond its original charter, and are these standards delivering more efficient and secure payments?

• Is the U.S. payments industry’s competitive landscape being hurt by allowing EMVCo to establish broad payment standards, and should this work be performed by true open standards-setting bodies?

* SPP founding members include the Food Marketing Institute, National Retail Federation, National Association of Convenience Stores, National Grocers Association, First Data’s STAR Network, and SHAZAM. SPP advances policies that drive state-of-the-art technologies, competition, and collaboration to continually improve the nation's payment infrastructure, meet the evolving needs of commerce, and provide businesses and consumers with convenience, flexibility, and security in payment options.

1.1 Background

EMVCo was established in 1999 by Europay (now part of Mastercard), Visa and Mastercard as a global technical body charged with setting interoperability standards for chip cards and chip terminals.‡ Since then, EMVCo’s ownership has grown to include four additional card companies – American Express, Discover, Japan’s JCB and China’s Union Pay – but Visa and Mastercard remain the most influential owners.

EMVCo expanded its scope in 2007 with the publication of a white paper in which it announced its intention to define standards for the mobile contactless payments’ infrastructure. EMVCo further expanded its charter in 2013 to “facilitate worldwide interoperability and acceptance of secure payment transactions by managing and evolving the EMV specifications and related testing processes.”1 In doing so, EMVCo – an organization accountable only to its owners – appointed itself the arbiter of U.S. and global payment standards.

Card payments have experienced explosive growth in the United States over the last ten years. As of 2017, debit and credit card payments accounted for 54% of all U.S. consumer purchase payments by count and 55% by value, dwarfing even cash (at 35% and 15% respectively), according to a report from the Federal Reserve Bank of Atlanta.2 The same report states that card payments are seeing robust growth, increasing 10.1% by number and 8.4% by value from 2016 to 2017. Those increases represent an acceleration in overall card payment growth when compared with the previously reported 2015-2016 and 2012-2015 periods.*3

† Henceforth, the term card companies will be used to identify the six EMVCo owners: Visa Inc., Mastercard Incorporated, The American Express Company, Discover Financial Services, Inc., JCB Co. Ltd, and UnionPay International.

‡ In 2002, Europay International merged with Mastercard International to form Mastercard, Inc. Today the combined company is known as Mastercard Incorporated.

* For the 2012-2015 period card payments grew 7.7% by number and 6.5% by volume and, for the 2015-2016 period, they grew 7.8% by number and 6.3% by value.

Therefore, a study of the organization setting the standards for the payment industry is timely and appropriate. It is timely because of the dominant position of the card companies over this sector of the economy. It is appropriate because standards contribute to public welfare by improving economic efficiency – ensuring compatibility and interoperability. Any standards that give advantage to certain companies over their competitors are a valid concern as this impacts the welfare and competitiveness of the U.S. payments system.

1.2 Methodology

This paper synthesizes a year of research and analysis on the evolution and operations of EMVCo. Its conclusions are derived from an in-depth review of three areas for which EMVCo is now responsible: EMV chip cards, Near Field Communications (NFC) and Tokenization. This paper further looks at upcoming standards such as 3-D Secure 2.0 and Secure Remote Commerce (SRC) which, although not yet fully deployed, have the potential to significantly alter the U.S. payments landscape and have raised many questions and concerns among the U.S. merchant community.†

A very important editorial note: EMVCo calls their outputs specifications. Although we acknowledge EMVCo’s desire to call their products specifications, we will use the term standards to refer to them because the manner in which these specifications are implemented, using rules established by the card companies, makes them de facto standards. Because the entire U.S. industry must invest in and comply with these specifications, EMVCo specifications, developed jointly with the card brands in an orchestrated strategy, are effectively standards.

The approach used for this research was twofold: First, using publicly available sources and insights from industry experts, we reviewed each standard, noting where and how EMVCo could have produced more open and inclusive standards that would have benefited the overall U.S. payments system. Next, our network of industry experts identified events and other developments that may have brought competition to the card companies and mapped their timing to decisions made by the card companies and EMVCo.

1.3 Organization

Part I includes this introduction, an executive summary, a review of standards and standards-setting organizations, and finally a high-level overview of EMVCo’s organization and its specification development processes.

Part II includes an in-depth review of each of the standards for which EMVCo is currently responsible: EMV cards, NFC and tokenization. This in-depth review covers the standard’s development process (to the extent that it is documented), discusses the market context in which the standard was developed, explores alternative approaches that would have better served the larger U.S. payments industry, and summarizes how each of these standards benefited the card companies at the expense of competitors, merchants, and consumers.

Part III reviews recently introduced, but not fully implemented, standards such as 3-D Secure 2.0 and Secure Remote Commerce that can significantly disrupt e-commerce and mobile commerce. We will outline the concerns that the U.S. payments community has with regard to these standards and how they can negatively impact the competitiveness of payment solutions in the fastest growing segments of the U.S. economy.

† As of the time of this writing, 3-D Secure 2.0 is slowly being adopted, primarily by U.S. merchants selling into Europe, and Secure Remote Commerce has been installed at a small number of merchants under the commercial name of “Click to Pay”.

Part IV documents our conclusions that EMVCo is not an appropriate organization to develop standards that have such a massive impact on the U.S. payments industry. Our research spotlights the nature of EMVCo as a mechanism for the card companies to collude on the delivery of standards that further their already entrenched market dominance.


2. EXECUTIVE SUMMARY

Understanding the U.S. payments structure and how it has evolved reveals how the card companies compete with other payment networks and how standards have become competitive weapons. The creation of standards is not just a technical matter – politics and market conditions are highly influential in the process, and EMVCo’s ownership embeds its own business preferences into the standards-setting process. Because the United States has relatively few regulations with regard to payments (compared to other countries), and there is no governmental or quasi-governmental body that sets baselines for how payments should operate, EMVCo operates as the de facto body that establishes such standards.

Our research reveals an insidious pattern in which the card companies use EMVCo as a tool to maximize their share of transaction volumes: when the card companies feel threatened by competitive pressures or economic challenges, they — or EMVCo supporting their strategies — assume responsibility for the definition of a standard, which results in technical specifications that only benefit the card companies, not the U.S. payments industry at large. EMVCo is an armory for the card companies’ arsenal of standards that have been repeatedly brandished against competing payment methods and against merchants’ ability to route transactions through unaffiliated debit networks.* This paper will show:

• How EMVCo supported Visa’s 20-year-plus battle against unaffiliated debit networks, resulting in the implementation of less-secure chip-and-signature EMV cards in the United States rather than the more secure chip-and-PIN cards used elsewhere, limiting the competition that Visa and Mastercard could face from those networks. (Section 6)

• How EMVCo (with support of the card companies) adopted expensive, complex and difficult-to-implement technology such as NFC because it preserved the status quo for the card companies and protected their market share. (Section 7)

• That EMVCo decided to establish tokenization standards that excluded non-card payments, ignoring the work of other standards-setting organizations such as the American National Standards Institute or The Clearing House. EMVCo pushed aside calls for open standards and instead issued a tokenization standard that discriminates against unaffiliated debit networks. (Section 8)

• How EMVCo ignored the work of other standards-setting organizations such as the Fast Identity Online (FIDO) Alliance and World Wide Web Consortium (popularly known as W3C) that were developing open authentication standards for both card and non-card systems. Instead, EMVCo is regressing to 3-D Secure, an old standard inherited from the card companies which EMVCo is trying to position as a global authentication standard. 3-D Secure 2.0, as this new standard is being called, is likely to introduce much friction during the checkout process and create obstacles for routing of debit transactions through unaffiliated debit networks. (Section 9)†

• That EMVCo has introduced the Secure Remote Commerce standard, which purports to become a new integrated checkout platform for online payment. Neither EMVCo nor the card companies have fully explained and justified the reason for this standard. Secure Remote Commerce has the potential to be leveraged as a competitive pre-emption tool that may limit participation from non-card company payment methods and hinder merchants’ ability to route transactions through unaffiliated debit networks, creating higher dependencies on the card companies and increasing merchants’ payment processing costs, as well as potentially violating federal law for debit transactions. (Section 10)

* Unaffiliated debit networks, also known as EFT networks, ATM networks or PIN-based networks, include networks that were established in the 1970s-1980s to manage automated teller machines and which later expanded into processing transactions at the point of sale using personal identification numbers or PINs. These include networks such as STAR, NYCE, Pulse, and others.

† The FIDO (“Fast IDentity Online”) Alliance is an open industry association with a focused mission: authentication standards to help reduce the world’s over-reliance on passwords. The World Wide Web Consortium (W3C) is an international community where member organizations, a full-time staff, and the public work together to develop Web standards, and which includes the Web Payments Working Group whose charter is to make payments easier and more secure on the Web.

The card companies claim to support open standards. In 2013, Visa’s then-CEO Charlie Scharf responded to industry calls for more open standards by saying, “This is an area where everyone needs to work closely together and it’s paramount that we ensure transparency, security and integrity so that the integrity of the payment system remains. … It’s got to be standards-based, technology-agnostic. It needs to address the needs of everyone globally, not just in the United States”.4

Given what we have come to know, Scharf's words have proven to be disingenuous. EMVCo portrays itself as a technical specification development organization with no enforcement power over the card companies. Yet, the card companies are EMVCo. As will be shown in this paper, both EMVCo’s executive committee and its management board are composed of long-term card company employees. Accordingly, it is of little surprise that all its specifications and ensuing de facto standards are designed to meet the needs of the card companies rather than the U.S. payments system as a whole.

EMVCo standards help the card companies maintain their dominance in payment processing volume. They preempt the market by assuming responsibility for other standards, even seizing the work of more qualified standards-setters as their own. EMVCo provides credibility to the card companies’ public calls for global payment security standards, all the while directing EMVCo toward standards that provide them with unfair advantages.

EMVCo uses the language of “compatibility,” “interoperability” and “secure transactions” but these concepts are belied by EMVCo’s own practices. This rhetoric is invoked even though EMVCo or the card companies routinely preempt competing standards and innovations in its quest to maintain EMVCo owners’ dominance over the industry.

The next section, Section 3, is a historical primer for non-technical readers who might be unfamiliar with the granularity of payments industry maneuverings, both economic and political. People who are already familiar with the evolution of the U.S. payments industry since the 1980s may choose to rejoin this paper at Section 4.


3. HISTORICAL PRIMER

3.1 U.S. Payments Framework

A payment is an exchange of value. For most people in the United States today, this is represented by money stored in checking or savings accounts at banks or through bank-issued credit lines in the form of credit cards.* Banks give their customers payment instruments in the form of checks, credit or debit cards, or user IDs and passwords in order to access their money and credit lines. These instruments have numbers or other identifiers which are the payment credentials exchanged between payers and payees to initiate a payment.† To function properly, payment instruments need a clearing and settlement mechanism – a payment network – to deliver the required information to the appropriate parties and transfer funds between payment senders and receivers.

Depending on the instrument, payments are processed by accessing different networks. For example, credit cards access credit lines through Visa, Mastercard, American Express and other credit card networks. Debit cards and prepaid cards access checking or savings accounts either through Visa and Mastercard networks or through the many competing unaffiliated debit networks that operate in the United States such as STAR, NYCE and Pulse. Checks and routing numbers/bank account numbers access bank accounts through check clearing networks or the Automated Clearing House network.

* To be clear, consumers and businesses also have other stores of value such as retailer credit lines, stored value accounts, etc. This chapter is concerned only with bank accounts and bank credit lines.

The network used to process the payment defines the standards for accessing it, its cost and the regulations that govern the behavior of the transaction. Thus, network choice is very important for merchants and financial institutions.

3.2 The Need for Standards

Standards are needed for interoperability of bank-issued payment instruments among the networks. For example, checks need a standard representation of check information in a manner that can be read by other banks using automated machines.* Similarly, debit and credit cards need standards to be accepted by any automated teller machine or point-of-sale device so their information can be transmitted across multiple networks.† Thus, standards are critical in deciding who can participate in a payment network. This paper’s operating principle is that standards that exclude certain payment instruments or prevent participants from routing payment transactions in a low-cost and efficient manner are not beneficial to the U.S. payments industry and, in the case of debit transactions, may violate federal law. To the extent that standards result from a closed or collusive decision-making structure and exclude some participants or payment methods, then antitrust law and policy may be implicated.

† For clarification purposes, this paper uses the term Payment Instrument to refer to the device or form factor that carries the information allowing the initiation of a payment (e.g. a credit or debit card, a check, mobile phone).

3.3 Networks Compete for Transaction Volume

Payment networks – including those run by the card companies and others – compete for transaction volume. The more transactions that flow through a network, the more money and profits the network makes. Because transactions that flow through competing networks do not typically generate revenue for the card companies, maximizing transaction volume is a matter of high priority for them.

The choice of the network processing these transactions also has significant financial implications to merchants and card issuers. The fee paid by merchants for accepting a payment card, sometimes referred to as the “swipe fee” by the media, is split into three components: the merchants’ processor fees, the card companies’ processing fee and interchange, which is usually the largest of the three fees and goes to the issuer of the card.‡ The interchange that issuers get when a debit card is routed through Visa and Mastercard is generally greater than the interchange fee they receive from the unaffiliated debit networks. As a result, the fees paid by merchants are greater when a debit card transaction is routed through Visa and Mastercard than when the same transaction is routed through the unaffiliated debit networks.§

* U.S. banks began using the E-13B font developed by the American Bankers Association for Magnetic Ink Character Recognition or MICR in 1958. This was adopted by the American National Standards Institute (ANSI) in 1963. MICR-enabled checks must meet ANSI standard X9.27-1995 and ANSI X9.7-1990.

† Among others, payment cards must comply with ISO/IEC 7813 (properties of financial transaction cards, such as debit or credit cards) and ISO 8583 (a standard for financial transaction messaging for systems that exchange electronic transactions initiated by cardholders using payment cards).

‡ How interchange is set is beyond the scope of this paper. For a more detailed explanation of interchange and how network pricing works we recommend Darryl E. Getter’s paper “Regulation of Debit Interchange Fees”, Congressional Research Service, May 16, 2017, https://fas.org/sgp/crs/misc/R41913.pdf

§ It should be noted that Visa and Mastercard also accept PIN debit transactions through their Interlink and Maestro networks. However, these networks are considered affiliated to Visa and Mastercard and they do not provide as much pricing differential to merchants as the networks considered to be non-affiliated.


Tomaintainmarket share and transaction volume,thenetworksrunbythecardcompanieshistoricallyhavereliedonmassivemarketingefforts thathavemade Visa, Mastercard, American Express andDiscoverhouseholdnamesintheUnitedStatesandmostoftherestoftheworld.ServicessuchasPayPalalso lean heavily on brand recognition to competefortransactionvolume.

But the traditional competitors of the cardcompanies–theunaffiliateddebitnetworksaswellas non-card payment networks such as theAutomatedClearingHouseandpaper-basedsystems–typically compete without major marketingcampaigns. Furthermore, even though U.S. debitcards carry the brand of the debit networks, likeSTARorNYCE,overwhichtheycanfunction,VisaandMastercard require that their brands be featuredmore prominently on the cards. These practicesleave the names of unaffiliated debit networksvirtually unknown to most consumers, giving VisaandMastercardamindsharemonopoly.

Sincethe1990sthecardcompanies,primarilyVisa,have been engaged in an ongoing battle with theunaffiliateddebitnetworksfortransactionvolume.*Thecard companiesand thebanks that issue theircards prefer routing through Visa and Mastercardbecause it generates more revenue for them.Merchants have preferred routing through theunaffiliated debit networks because of their lowerprocessing fees. In addition, the unaffiliated debitnetworks offer the additional security option ofrequiring personal identification numbers, or PINs,toapproveatransaction,whiletheVisa/Mastercardnetworks historically offered only the less-securesignatureoption.

Many experts and industry observers have argued that a secret PIN is a more secure authentication method than an easily forged and often-illegible signature, and studies have shown that PIN can substantially reduce fraud compared with signature.5 While the chip makes it more difficult to create counterfeit payment cards, the National Retail Federation has noted that it does nothing to prevent the fraudulent use of lost or stolen cards. Enabling merchants’ option to require the use of a PIN is necessary in order to realize the full advantages of chip cards, as has been done in most other countries.

To increase their share of the growing debit market, Visa and Mastercard along with many of their card-issuing banks discouraged cardholders from using PINs. This had the desired effect of increasing transaction volume to Visa’s and Mastercard’s signature-only processing networks.† Further, many issuers had special routing arrangements with Visa and Mastercard that forced merchants to route debit transactions through Visa and Mastercard rather than through the less expensive and more secure PIN-based unaffiliated debit networks.

* Visa has the largest debit volume of all the card companies. Mastercard has smaller market share and all the other networks are predominantly credit card networks and do not compete for debit volume.

† During the 1990s-2000s, many Visa and Mastercard issuers ran advertising campaigns calling for cardholders to “Skip the PIN, and Win!” In order to generate more interchange income, these campaigns sacrificed payments security for higher revenue.

In 2010, the U.S. Congress passed the Wall Street Reform and Consumer Protection Act, which included a provision, known as the Durbin Amendment, to address rising debit card interchange fees. At the time, debit card interchange was a percentage of the transaction amount and nearly the same as credit card interchange, with an average of about 1.5 percent of the value of the transaction. The Durbin Amendment directed the Federal Reserve Bank to establish limits for debit interchange. These limits, embodied in Regulation II, cap debit interchange at 21 cents plus 1 cent for fraud protection plus 0.05 percent of the transaction amount. The cap, which took effect in 2011, meant that merchants – who were previously charged as much as $1.50 to process a $100 transaction – would typically pay about 25 cents regardless of the amount of a transaction.‡

‡ This cap only applies to debit cards issued by banks with greater than $10 billion in assets. These cards make up approximately 65 percent of all debit cards in the United States. Smaller banks and credit unions still get interchange based on a percentage of the transaction value, estimated at 1.16 percent for 2018.


In addition to limiting the ability of Visa and Mastercard to fix debit interchange fees, the Amendment also required that each debit card must be able to be processed over an unaffiliated debit network – such as NYCE or STAR – in addition to the Visa/Mastercard networks. Under Durbin, the interchange received by the issuer is the same regardless of the debit network on which the transaction was processed. However, the unaffiliated debit networks offer lower rates for other processing-related fees as well as the option of more secure PIN authentication, resulting in less fraud.* Network choice is both basic and vital to merchants.

The Durbin Amendment was a massive blow for Visa because it moved significant transaction volume away from its network. Visa was under tremendous pressure from issuers and shareholders to regain that volume.

3.4 EMVCo’s Role in Supporting Card Companies’ Recapture of Volume

A few months before the Durbin Amendment went into effect, Visa announced its plan to roll out chip cards in the United States. This plan, the U.S. EMV Migration Plan, stated that signature would be the preferred cardholder verification method (referred to in the industry as “CVM”). The plan was adopted by the other card companies shortly thereafter and was endorsed by EMVCo even though it delivered a less secure payment authentication method than PIN. EMVCo — despite its claimed commitment to deliver interoperability and acceptance of secure payment transactions — supported Visa’s decision for signature authentication of purchases even as merchants and other industry stakeholders demanded PIN.

The Durbin Amendment took effect as the card companies were beginning the rollout of EMV “chip” cards, which culminated in October 2015, when merchants were required to have chip readers in operation or face increased fraud responsibility. The chip card technical specifications established by EMVCo had embedded routing rules that, in combination with Visa’s and Mastercard’s operating rules, made it very difficult for merchants to route debit cards through unaffiliated debit networks, thus undermining the Durbin Amendment. Through this default setting, Visa and Mastercard could retain transaction volume that might otherwise have shifted to the unaffiliated debit networks.

* Visa and Mastercard support PIN transactions through their Interlink and Maestro networks but these are more expensive to the merchants than the unaffiliated networks. Even today, the preferred choice for Visa and Mastercard is to route debit transactions via their signature debit networks.

Not surprisingly, EMVCo did little to address this problem. Instead, the EMV Migration Forum, a cross-industry group, came up with a solution that allowed merchants to recognize and route debit cards through unaffiliated networks. Visa’s response to this solution was to require merchants to display to consumers a choice between “Visa Debit” and “U.S. Debit” at checkout. Merchants opposed the Visa requirement because it gave consumers a choice between an unknown name and a familiar name with greater consumer mindshare, likely prompting most consumers to choose the Visa network (this topic is discussed more thoroughly in Section 6.5).

Later, mirroring its attempt to direct payment traffic through the chip-and-signature implementation, EMVCo introduced standards for tokenization that also created obstacles for routing debit card transactions through unaffiliated debit networks (Section 8). The EMVCo tokenization standard is not based on open standards. The standard does not allow tokenization interoperability among different types of networks and makes it difficult for merchants to choose where tokenized transactions are routed. Worse, no provision was made for the tokenization of bank accounts or any other competing payment method. While these examples are particular to tokenization, they merely represent a small part of EMVCo’s pattern of boosting card companies’ volumes while hindering that of their competitors at the expense of the security of the entire payments system.


4. WHAT IS A STANDARD?

According to the World Trade Organization, a standard is “a document established by consensus that provides rules, guidelines or characteristics for activities or their results.”6 The now-defunct U.S. Office of Technology Assessment issued a study called “Global Standards: Building Blocks for the Future,” which said “how standards are set is a matter of some concern because the economic and social stakes in standards are so large. The standards development process must be fair to prevent any single interest from dictating the outcome.”7

Economists see standards as contributing to public welfare by improving economic efficiency.8 Most standards-setting organizations agree that to achieve these goals, all stakeholders should participate in the development of the standard, the process should be transparent and information should be openly shared.

Economist Edwin Mansfield calls standards “impure public goods” and emphasizes why it is important that they be developed with broad stakeholder input:

Other goods, like education and standards, are impure public goods. These combine aspects of both public and private goods. Although they serve a private function, there are also public benefits associated with them. Impure public goods may be produced and distributed in the market or collectively through government. How they are produced is a societal choice of significant consequence [emphasis added]…. If decisions about impure public goods are made in the market, on the basis of [corporate] preferences alone, then the public benefits associated with them may not be efficiently produced or equitably distributed.9

As Mansfield shows, privately set standards impact public wellbeing. While there is nothing inherently wrong with private consortia standards, they cause societal harm when they become unfair or biased. For this reason, it is paramount to the U.S. payments industry that a recognized standard-setting body replace EMVCo, which sets standards for the benefit of the card companies.

4.1 Open Standards-Setting Organizations

There are many better-suited organizations to which EMVCo’s work could be migrated. In fact, it is likely that the U.S. payments industry and consumers would be better served if different open standards bodies specialized to do the type of work in question.

For instance, the private, non-profit American National Standards Institute, or ANSI, provides all interested U.S. parties with a neutral venue to work toward common agreements developing U.S. standards. ANSI has an Accredited Standards Committee responsible for developing voluntary open consensus standards for the financial services industry, known as ASC X9. This group has developed a standard called “Protection of Sensitive Payment Card Data - Part 2: Tokenization.” This standard, also known as X9.119-2, defines minimum security requirements for implementing tokenization with post-authorization systems to protect sensitive payment card data. As such, ANSI’s ASC X9 would be a clear candidate to create and maintain open tokenization standards.

New organizations have been established in the last decade that address e-commerce and mobile commerce authentication standards. The FIDO Alliance and W3C are industry consortia currently developing open interoperable authentication standards. Although EMVCo claims to work with these organizations, there have been few, if any, deliverables resulting from these cooperation efforts.

These organizations — ANSI, ISO, IEC, W3C and the FIDO Alliance — have consistent approaches to developing standards: open, inclusive, balanced, not dominated by a single-interest category, and consensus-driven. To reaffirm their commitment to open standards, W3C, the Internet Engineering Task Force and the Institute of Electrical and Electronics Engineers Standards Association signed an agreement to adhere to a set of principles in support of a “modern paradigm for standards.” The principles include cooperation, due process, broad consensus, transparency, balance, openness, collective empowerment, availability and voluntary adoption. EMVCo does not follow any of these principles.

4.2 EMVCo: from Consortium Specifications to De Facto Standards

Financed by its member owners, EMVCo is not subject to public oversight, nor is it required to keep records of proceedings during the creation of its standards. It is therefore difficult to obtain systematic information about these processes. Since EMVCo does not offer decision-making roles to other industries, its perspective is biased toward the card companies.

EMVCo asserts that it uses “its own approval and decision-making processes, [and thus] operates separately from the international payment systems which own EMVCo.”10 This is misleading – EMVCo is heavily influenced by its member-owners. There is a long history of card companies developing technologies and turning them over to EMVCo for legitimization as standards. EMVCo says that it is the card companies that “assume the role of defining and issuing products and enforcing EMV compliance for products that carry their respective brands.”11 But trying to differentiate specifications from implementation is a distinction without a difference.

Card companies build products in lockstep to implement the specifications that they themselves designed, usually led by Visa. The member-owners implement these specifications consistently and synchronously, making them de facto standards for the United States and other markets in which the card companies’ global payment networks dominate.

4.3 Comparing EMVCo with Open Standards-Setting Bodies

Global private regulation has become vastly important in recent decades and is now a phenomenon of considerable social and economic consequence.12 Outcomes notwithstanding, standards set by consortiums using open processes will always be preferable to closed ones. Though EMVCo’s private standards may appear to be irrelevant to broader economic health, payment cards dominate the U.S. payments marketplace to such an extent that these standards negatively impact competition and payments security. Figure 3 shows a comparison between EMVCo and other standards-setting bodies such as W3C and ANSI in terms of membership, mission and decision-making authority.

EMVCo’s standards-development process is a closed system operating without any accountability to stakeholders in the U.S. payments system. In contrast with other standards-setting organizations, which advocate openness and inclusivity, EMVCo decisions are effectively made by its six owners, and generally dominated by Visa and Mastercard. Despite claiming to work with other standards-setting bodies, EMVCo sets standards that can only be met by products that were developed by the card companies. Worse, EMVCo has used the guise of global interoperability to co-opt or preempt work being performed by other standards-setting bodies.

The impact of the lack of multi-stakeholder representation in EMVCo is real and measurable. In the United States, the payments industry spends millions of dollars every year complying with standards set by EMVCo and implemented by the card companies as de facto standards. This high level of investment prevents the use of capital to innovate or develop other alternative payment methods. The fact that a standard is enforced by default does not imply it is serviceable, let alone the best.


5. THE EVOLUTION OF EMVCO FROM 2007 TO 2019

In October 2007, EMVCo published a white paper titled “The Role and Scope of EMVCo in Standardizing the Mobile Payments Infrastructure,” which stated:

There is an increasing need for EMVCo to address and resolve a number of technical infrastructure issues associated with enabling contactless proximity payments via mobile phone handsets. This “technical development” responsibility is in line with EMVCo’s traditional role within the payments industry as a technology standards body [emphasis added].

EMVCo’s “traditional” background and expertise at that point were in chip card deployment, not mobile payments. However, in this paper EMVCo claimed that it should be “the common voice of the payments industry … [assuming] the central role in defining the requirements” for technologies beyond chip cards and presaged greater ambitions. In 2013, EMVCo appointed itself as facilitator of “worldwide interoperability and acceptance of secure payment transactions by managing and evolving the EMV specifications and related testing processes.”13

With this expanded scope, EMVCo sought to establish itself as the master and arbiter of all payments technology.

5.1 EMVCo Organization and Decision Making

EMVCo started without any permanent staff. All working groups were led by representatives from the participating card companies, an arrangement that has changed little over time.

Since its inception, EMVCo has been run and operated by its Board of Managers with equal representation from each of the card companies. As it deems appropriate, the board delegates work items, functions and responsibilities to working groups. The Executive Committee provides strategic focus to the board but makes the ultimate decisions.

There is also a Board of Advisors made up of organizations that have an interest in the specifications; most of them are processors or technology companies. These are organized as business associates, technical associates, and subscribers. As of July 1, 2019, only five out of the 59 EMVCo business associate members were non-payment companies and only one was a traditional merchant. Similarly, only three out of 69 EMVCo technical associate members were not payment companies.* Notably, associate members do not have any decision-making power. Figure 4 visualizes EMVCo’s entity organization and decision-making process.

* To see the current list of both business and technical associates, visit https://www.emvco.com/get-involved/business-associates/ and https://www.emvco.com/get-involved/technical-associates/


5.2 EMVCo Staffing

Executive Committee members and all Board of Managers members are long-term employees of the card companies. Using publicly available information, we identified several recent chairs of the EMVCo Executive Committee and their respective areas of expertise (Figure 5).* The chart identifies lifelong card company employees with narrow technical expertise who speak under the pretext of being the “common voice” of the payments industry.

* EMVCo does not publish an official list of its Executive Committee Chairs nor the length of their tenure. The list presented was compiled from public sources such as press releases and media interviews.

A similar story was found when looking into the background of the current EMVCo Board of Managers (Figure 6), where, again, all members are long-term employees of the card companies.† Given this organizational structure, it is fair to ask where the allegiances of these individuals lie with regards to their own organizations as compared with the broader charter required of a true industry standards-setting body. By design, EMVCo’s Board of Managers is not set up to be impartial third-party experts; instead they are there to represent their company’s respective interests.

† EMVCo’s website reports that the Board of Managers consists of two representatives from each owner company.

Perhaps the biggest concern regarding EMVCo as a broader standards-setting body is its failure to include any other stakeholders in its governance structure. Figures 5 and 6 show that there are no other payments industry representatives with extended exposure to any other payment method on either the board or the Executive Committee.

Standardization leader Carl F. Cargill writes that the creation of standards assumes that participants follow rational economic models in their decision making. Yet, he also recognizes that all standard-setting participants are human beings that bring with them their individual backgrounds and biases – professional pride, organizational goals and interests, personal friendships – and this makes standard creation a non-rational human activity.14

With that in mind, our intent in naming the above individuals is not to suggest that they are acting unprofessionally or to attack them personally. Our intent is to demonstrate that EMVCo lacks the neutrality required to develop industry standards through an open, inclusive structure.

Further, EMVCo has refused to work with open standard-setting bodies despite claims that it engages with “other relevant industry bodies.”15 EMVCo has been asked, for example, to include bank account numbers and other forms of payments in the tokenization standard but still limits the standard to work only with products from the card companies.

5.3 Conclusions

Since its 2007 overreach into mobile payments, EMVCo has continued to demonstrate that it is not designed to develop, nor capable of developing, open standards. Its “closed” standards have repeatedly failed to properly address ongoing challenges to payment security and inclusivity at a time when collaborative and competitive standards will be needed to innovate and, most immediately, keep up with upcoming industry developments such as open banking or “push” payments.* Given its organization, staffing, areas of expertise, internal policies and inclinations, it is unlikely that EMVCo can ever truly be a neutral technology standards body, let alone “the common voice of the payments industry.”

* Open Banking is a concept being implemented in Europe under the second Payment Services Directive (PSD2) that requires all banks to open APIs to allow accredited Payment Initiators (e.g. merchants, Payment Service providers, etc.) to access bank accounts, bypassing the card companies; “push” payments are customer-initiated payments where the consumer sends payment for goods and services to merchants, sometimes in real time, using a non-card payment network such as ACH or a Real Time Payment service.


PART II — STANDARDS REVIEW

This part contains an in-depth review of each of the standards for which EMVCo is currently responsible: EMV cards, near field communications and tokenization. This review covers each of these standards’ development process (to the extent that it is documented) and the market context in which the standard was developed, explores alternative approaches that would have better served the larger U.S. payments industry, and shows how each of these standards benefited the card companies at the expense of competitive networks or methods of payment.

6. EMV CHIP AND PIN (OR SIGNATURE)

6.1 Background on Chip Cards and Risk Management

Prior to the late 1980s, merchants who accepted credit cards were required to telephone a call center to obtain voice authorization if a transaction was above a certain amount, called the “floor limit.”* Merchants also had to check a bulletin that listed all reported lost and stolen credit card numbers and could accept a transaction only if the card presented was not in the bulletin. Because bulletins were only updated monthly, thieves had plenty of time to use stolen cards before merchants could be notified. Further, merchants were not equipped to detect forged credit cards despite security features introduced to protect them such as holograms or micro-printing.

To address escalating fraud in the United States, Visa and Mastercard moved to electronically authorize every transaction and eliminate the floor limit practice of exempting those below a certain dollar amount. This process is still in use today. Cards are swiped or inserted in a reader and the information contained in the magnetic stripe or chip is transmitted via telephone lines or over the internet through the Visa or Mastercard networks, to the card issuer for authorization.

The information transmitted contains certain data elements that allow the authorization center to determine, with a reasonable degree of certainty, whether the card presented was forged or reported as lost or stolen. It is critical that a robust and inexpensive telecommunications infrastructure be in place for this approach to work, and the United States had such infrastructure in place at that time.

* The term “credit card” is specifically being used in this section, as in those days, debit cards operated in completely different networks and were protected by PINs. The level of fraud on those cards was a fraction of what banks were experiencing in credit cards. For this reason, credit cards implemented strategies like “floor limits” and “voice authorizations” while debit cards did not.

In Europe, however, a similar approach was not practical due to higher telecommunications costs and lower reliability. Instead, local card companies developed cards enabled with an integrated circuit or chip that could verify the authenticity of a card without the need for a telephone or internet connection. The results were impressive and offered a better alternative to Visa and Mastercard’s magnetic-stripe cards. The Carte Bancaire chip card program deployed in France caused fraud to drop from 0.27 percent in 1987 to 0.03 percent in 1995. Similarly, the U.K.’s Association for Payment Clearing Services created the Plastic Fraud Prevention Forum and ran several successful chip-and-PIN trials demonstrating that local card companies were perfectly capable of developing standards for chip cards as a fraud management tool.16

In order to protect market share from local card networks, Visa, Mastercard and Europay (which later merged into Mastercard) developed initial technical specifications for smart, secure computer chips that could run verification routines when used in conjunction with PINs. Field trials began in 1996 and, after successful testing, the first production specification for chip cards was published in 1998. EMVCo was established shortly thereafter.

EMVCo developed standards for chip cards that could work with credit, debit and stored-value cards such as gift cards. In countries that had a national PIN debit network, chip-and-PIN was EMVCo’s preferred approach for verifying transactions. But to accommodate countries that did not yet have a robust PIN-debit network such as Russia, China and India, EMVCo compromised and offered the signature option in order to discourage growth of local chip-based card systems and to ensure growth in its members’ transaction volumes.* So when the card companies took over the role of standards-setting for chip, their motives were clearly rooted in market power, not security.

By 2010, U.K. counterfeit card fraud rates had declined 63 percent following the implementation of chip-and-PIN in 2004.17 In France, also using chip-and-PIN, the fraud rate from domestic in-person transactions fell by over 50 percent from 2004 to 2009, to 0.01 percent. However, these markets also saw a migration of fraud to online commerce and remote purchase channels as well as to cross-border transactions where cards issued in these countries were forged and used in countries without EMV deployment. Clearly, chip-and-PIN had helped reduce fraud rates, but all innovations from local card companies were edged out by EMVCo.

6.2 Introduction of Chip Cards in the United States Delayed by Lack of Business Case

Even as chip cards were being rolled out around the world and fraud numbers were being brought under control, the United States remained embroiled in a debate about whether to implement them. Carl Pascarella, then president and CEO of Visa U.S.A. Inc., testified at a 2001 trial in an anti-trust case brought by the Department of Justice against Visa and Mastercard that Visa U.S.A. had “not been able to find a cogent business case or business model” in favor of the chip card.18 The massive costs involved in converting the U.S. market to chip cards were many times the cost of fraud at the time. This reasoning kept chip cards out of the United States until industry stakeholders voiced concerns in the mid-2000s that the United States was “falling behind.”

* In 2005 Sberbank in Russia launched its proprietary chip-based scheme called Sberkart, which it scuttled in 2010 and replaced instead with EMV-compatible Universal Electronic Cards (PRO100), which itself was scrapped in 2015 for the new Russian payment system Mir.

Still, even as late as 2008, mainstream bankers were skeptical of rolling out chip cards in the United States. Don Rhodes, director of risk management policy at the American Bankers Association, stated that because of the “cost associated with replacing all the checkout terminals … and … because the cost of fraud in the United States is manageable, there is little incentive to change.” He continued, “I don’t think, based on my discussions with big banks that issue most credit and debit cards, or with card associations, that they envision rolling out so-called chip-and-PIN in the U.S. today.”19 Thus, even though the United States led the world in card fraud at the time, the card companies and their issuers did not feel it was in their best business interests to introduce chip cards at that time.

6.3 Visa and Mastercard Compete with Debit Networks

2010 marked nearly 20 years of battle for debit transaction volume between the card companies, primarily Visa and Mastercard, and the unaffiliated debit networks such as STAR, NYCE and Pulse. Before chip cards, Visa and Mastercard had other strategies for directing debit card transactions to their networks. They introduced their own debit card products, and in 1991 Visa acquired the Interlink debit network. Under its new ownership, Interlink raised interchange fees, driving up costs for merchants but making the network more attractive to banks, which could receive higher revenue from transactions processed over Interlink than they would from transactions on other debit networks. The other debit networks also had to raise their own rates to remain competitive, making banks happy but driving up costs for merchants and, ultimately, consumers.

During the 2000s, and strictly for revenue motivations, banks issuing Visa and Mastercard cards discouraged cardholders from using a PIN for debit card purchases and encouraged them to sign instead. These campaigns were generically called “skip the PIN and win.” In addition, Visa and Mastercard began signing exclusive routing agreements with card issuers requiring merchants to route all their debit card transactions through Visa and Mastercard, further locking in their respective debit market shares.

In 2011, the Durbin Amendment went into effect and banned exclusive routing agreements between card issuers and networks. It required issuers to allow their debit cards to be routed through at least two unaffiliated networks. While the affiliations were technology-based — signature debit versus PIN debit — the distinction signaled was also a branded one: Visa and Mastercard versus the unaffiliated debit networks.

This battle over debit transactions was vital to both groups, as debit card use had overtaken credit card use by 2008. Further, the financial crisis of 2008-2010 significantly reduced credit card use because of consumers' concerns over increasing their debt.20 Pulse's 2010 Debit Issuer Study found that between 2008 and 2009, the use of PIN debit, largely handled by the unaffiliated debit networks, grew by 13% with an average ticket size of $41, while signature debit transactions, at that time exclusively handled by Visa and Mastercard, increased by 9% with an average ticket of $35.21

The provision of the Durbin Amendment that required all debit cards to have at least two unaffiliated networks, along with the new rights given to merchants to decide how to route a transaction (also called "merchant routing rules"), had an immediate effect. Interlink volume dropped 54 percent and large debit card issuers saw their average debit card interchange drop from about 44 cents for a typical transaction to 24 cents.

* Application Identifier, or AID, refers to information contained in the chip. This information includes ways for the POS to identify what kind of card is being used, as well as the procedure for routing it.

PIN posed an existential threat to Visa and Mastercard's relationships with their largest issuers. Under Durbin, regulated banks (those with over $10 billion in assets) would get the same interchange from a debit card transaction regardless of the network used. Issuers' costs and assessments, however, are generally higher for Visa and Mastercard than for debit networks. Thus, a rational issuer – given the same income from a transaction – would prefer networks that deliver the transaction at a lower cost. PIN was Visa's and Mastercard's enemy because it allowed other networks to compete successfully with Visa and Mastercard for debit transaction volume.

It was within this context that Visa announced its EMV migration program in August 2011.

6.4 Visa Launches Its EMV Migration Plan

Just a few months prior to the Durbin Amendment going into effect, Visa launched its EMV Migration Plan for the United States. That was followed shortly by similar announcements from the other card brands. Surprisingly, given the precedent of requiring PIN in other countries, Visa indicated that its U.S. EMV chip cards would support several cardholder verification methods, including signature, PIN, and no-signature for low value, low risk transactions, rather than chip-and-PIN as deployed in many other countries.22,23 All other card brands followed this guidance.

This decision was beneficial to Visa and Mastercard. Under the EMVCo standard, the point-of-sale device uses an "application identifier"* to route transactions according to information encoded in the chip. The AID is used by the POS to select the application that contains the rules governing the transaction.* AIDs are registered with EMVCo and this information is distributed to all POS device manufacturers to code into their terminals as well as to issuers and card manufacturers. At the time of the announcement, there was no AID for unaffiliated debit networks, meaning that all debit card transactions had to be routed through Visa and Mastercard.

6.5 EMV Preventing Merchant Choices in Debit Card Routing

The proposed EMV migration plan immediately brought to light a major conflict with Durbin's debit card routing regulations. The United States has over a dozen unaffiliated debit networks and some issuers belong to multiple networks to cover different geographic areas; often they change debit network affiliations. Encoding an AID for every network into every card was not practical. Cards would have to be re-issued each time an issuer changed its network affiliation, and the testing and certification process for POS manufacturers would have been lengthy and expensive. The inability to do so under the EMV chip system minimized the number of debit transactions that could be steered to the debit networks, benefitting Visa and Mastercard. Visa's initiative to launch chip cards in the United States threatened to circumvent the Durbin Amendment's requirement for unaffiliated network routing.†

Most countries have only one domestic debit network, so encoding an AID for a single debit network is easily done, but this was complicated by the number of debit networks in the United States. EMVCo was unable and unwilling to resolve the lack of a debit AID because EMV was never designed for the U.S. market. The EMV Migration Forum — a multi-stakeholder industry association formed to support the U.S. migration to chip technology — appointed itself to resolve the chip debit card problem, resulting in an inelegant solution: the "Common Debit" AID, also called the "U.S. Debit" AID.

* For example, Maestro has an AID of A0000000043060, whereas a Mastercard credit or debit card has an AID of A0000000041010 and Canada's Interac has an AID of A0000002771010. This allows the POS device to identify which application it is to work with. The application defines the characteristics of a transaction, indicating, for example, what type of Cardholder Verification Method is required from the Cardholder.

The U.S. Debit AID is encoded into every U.S.-issued debit card, which aggregates all the debit networks not affiliated with Visa and Mastercard into one single application.‡ Importantly, because Visa and Mastercard are on both the Global AID and on the U.S. Debit AID, effectively double-dipping, they can also handle the debit card transaction. For merchants to retain their routing choices they must program their POS devices to select the unaffiliated debit-routing option, but this is far from an ideal solution.

Visa fought back, requiring issuers to prioritize the Visa proprietary AID over the common AID and then demanding that consumers make a choice at the POS between "Visa Debit" and "U.S. Debit." Selecting "Visa Debit" would override merchant routing choice and send the transaction to Visa, while selecting "U.S. Debit" would allow the merchant to route to any network enabled on the card, including Visa. Obviously, consumers had no knowledge about the ramifications of this selection, nor should they need to. Given the choice between a widely recognized global brand backed by extensive marketing and a name not known or trusted by consumers, these demands highlighted what was important to Visa: steer debit card traffic back to Visa.§
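To make the selection mechanism concrete, the following added Python simulation (not code from the paper, from EMVCo or from any card brand) shows how a POS picks between the issuer-prioritized Visa AID and the U.S. Common Debit AID, and why only the latter leaves the merchant a routing choice. The AID values, the per-network cost figures and the sample card are constructed assumptions; the network names are those the paper uses.

```python
"""Simulated EMV application (AID) selection on a POS for a U.S. debit card.

Added example, not code from the paper, from EMVCo or from any card brand.
It models the mechanism described above: the card lists its applications
with an issuer-set priority, the terminal builds a candidate list from the
AIDs it supports, and the merchant may override the card's priority to pick
the U.S. Common Debit AID in order to keep its Durbin routing choice.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Assumed AID values (not given on the page): a Visa brand AID and the
# Visa U.S. Common Debit AID. Treat them as placeholders.
AID_VISA_DEBIT = "A0000000031010"
AID_US_COMMON_DEBIT = "A0000000980840"

# Constructed, illustrative per-transaction cost to the merchant (cents)
# for Visa and for the unaffiliated networks the paper names.
NETWORK_COST_CENTS = {"Visa": 35, "STAR": 20, "NYCE": 22, "Pulse": 21}


@dataclass(frozen=True)
class CardApplication:
    aid: str
    label: str                 # name shown if the POS prompts the cardholder
    priority: int              # EMV Application Priority Indicator: 1 = highest
    networks: Tuple[str, ...]  # networks reachable once this AID is selected


@dataclass
class Terminal:
    supported_aids: Set[str]
    prefer_common_debit: bool = False       # merchant routing rule in the POS
    cardholder_choice: Optional[str] = None  # label picked on a POS prompt


def candidate_list(card_apps: List[CardApplication], terminal: Terminal):
    """Applications supported by both card and terminal, card priority first."""
    shared = [a for a in card_apps if a.aid in terminal.supported_aids]
    return sorted(shared, key=lambda a: a.priority)


def select_application(card_apps, terminal: Terminal) -> CardApplication:
    cands = candidate_list(card_apps, terminal)
    if not cands:
        raise ValueError("no mutually supported application")
    if terminal.cardholder_choice is not None:
        # A "Visa Debit / U.S. Debit" prompt overrides the merchant's setting.
        for a in cands:
            if a.label == terminal.cardholder_choice:
                return a
        raise ValueError("cardholder chose an unsupported application")
    if terminal.prefer_common_debit:
        # Merchant routing rule: pick the common AID whatever the card ranks first.
        for a in cands:
            if a.aid == AID_US_COMMON_DEBIT:
                return a
    return cands[0]  # default: the issuer's priority decides


def route(app: CardApplication, merchant_order: List[str]) -> str:
    """First network in the merchant's preference order that the AID can reach."""
    for n in merchant_order:
        if n in app.networks:
            return n
    return app.networks[0]


# Constructed sample card: the issuer ranked the Visa AID above the common AID.
SAMPLE_CARD = [
    CardApplication(AID_VISA_DEBIT, "Visa Debit", 1, ("Visa",)),
    CardApplication(AID_US_COMMON_DEBIT, "U.S. Debit", 2, ("STAR", "NYCE", "Visa")),
]
# Merchant prefers the cheapest network first.
MERCHANT_ORDER = sorted(NETWORK_COST_CENTS, key=NETWORK_COST_CENTS.get)


def settle(terminal: Terminal, card=SAMPLE_CARD, merchant_order=MERCHANT_ORDER):
    """Return (selected application label, network the transaction is routed to)."""
    app = select_application(card, terminal)
    return app.label, route(app, merchant_order)


if __name__ == "__main__":
    both = {AID_VISA_DEBIT, AID_US_COMMON_DEBIT}
    print(settle(Terminal(both)))                             # ('Visa Debit', 'Visa')
    print(settle(Terminal(both, prefer_common_debit=True)))   # ('U.S. Debit', 'STAR')
    print(settle(Terminal(both, cardholder_choice="Visa Debit")))  # ('Visa Debit', 'Visa')
```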

Visa's activities asking card issuers and point of sale providers to prioritize its proprietary AID, as well as lobbying regulators to mandate consumer choice at the point of sale, have given Visa a head start recovering some of its lost debit volume. Ultimately, the Federal Trade Commission opened an investigation into the matter, and the Federal Reserve again issued an FAQ clarifying that Visa's activities violated the law, so the battle continues even today as merchants fight to enforce this right.*

† Visa's initial intention was to require exclusivity on the chip, relegating the debit networks to the less secure magnetic stripe, but this was deemed non-compliant by the Board of Governors of the Federal Reserve System -- https://www.federalreserve.gov/paymentsystems/regii-faqs.htm -- Q1 under Sec. 235.7

‡ As noted earlier, Visa operates the Interlink network and Mastercard operates the Maestro network, both PIN-based networks, but these are considered "affiliated" for the purposes of Durbin compliance.

§ US Debit was chosen because the individual debit networks had to share the U.S. Common Debit AID.

6.6 EMVCo Failures with EMV Chip Cards

In implementing chip cards in the United States, EMVCo unequivocally failed at its mission to "facilitate worldwide interoperability and acceptance of secure payment transactions (emphasis added) by managing and evolving the EMV specifications and related testing processes." It betrayed its own principles by acquiescing to a less-secure verification method, accepting signature as the cardholder verification method. In addition, all payment credentials remained in the clear rather than encrypted during the card-to-POS exchange. That meant that the EMV chip cards were not compliant with requirements set by the Payment Card Industry Security Standards Council, another organization dominated by the credit card companies that sets credit and debit card security standards.†

Furthermore, EMVCo failed to protect the interests of all stakeholders in the U.S. payments industry by agreeing to an aggressive timeline established by Visa, which was quickly adopted by the other card companies.24 Its accelerated timing was surprising considering that it required large monetary investments by merchants and issuing banks at a time when the United States was just recovering from one of the worst financial recessions in its history. Visa gave the U.S. payments industry — one of the most complex, if not the most complex, payments system in the world — just over four years to accomplish the massive switch from traditional magnetic-stripe credit cards to chip-based EMV cards. Without any other stakeholders at the table to provide other perspectives, EMVCo went along with the plan.

* In 2016 Kroger Co. sued Visa alleging that Visa threatened Kroger with fines and possibly the loss of the ability to accept Visa debit cards due to its plans for its point-of-sale configuration that would have diverted transactions from Visa's payment network. Visa denied those accusations and the lawsuit was settled out of court in August 2019, https://www.bizjournals.com/cincinnati/news/2019/08/05/kroger-visa-settle-lawsuit.html

EMVCo's mismanagement of the certification process also led to delays in EMV terminal certification and deployment, with some merchants saying they waited six months or more for certification of EMV chip card readers they had installed. Without the installations certified, merchants were open to – and suffered – increased fraud liability, the same as if they had not installed the equipment at all. And some unscrupulous card-issuing banks allegedly took advantage of the absence of certified chip readers to issue "chargebacks" of transactions against merchants even if the cardholder had not complained of a fraudulent purchase, costing merchants millions of dollars.‡

Visa's and Mastercard's choice of signature debit over PIN debit meant that generating transaction volume was more important than payment security, prioritizing their business interests over the security of the U.S. payments ecosystem. Clearly, EMVCo was a tool used by the card companies to help promote their own strategic objectives to capture market share and increase income.

† The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle branded credit cards from the major card companies. The PCI Standard is mandated by the card brands and administered by the Payment Card Industry Security Standards Council.

‡ At a 2016 EMV Migration Forum meeting, a Texas-based bank reported they had made $18 million in chargebacks since the liability shift, as "Visa had predicted" in a presentation made a few years earlier when banks were looking to Visa for financial remuneration after losing nearly half their debit interchange.


8. NEAR-FIELD COMMUNICATION

8.1 Background

Near-field communication is a technology used in manufacturing, retail and transportation to convey information between two electronic devices in a wireless manner over a short distance, typically just a few inches. Many organizations were involved in setting the underlying standards and data exchange protocols, including the International Standards Organization, the International Electrotechnical Commission, the GSM Association and the NFC Forum. The NFC communications protocols were developed by open standards setting bodies and are articulated in ISO/IEC 18092.

NFC began to be used in payments in the late 1990s and early 2000s. Devices and services including Vivo, Bling Nation, the London subway system's Oyster card, Mobil Oil's Speedpass key chain for paying for gasoline at the pump, and contactless PayPass cards from Mastercard and payWave from Visa used NFC chips to be tapped, touched or waved at NFC-equipped readers. Around 2005-2007, several companies began to incorporate payment functionality into mobile phones by attaching NFC tags to them or by inserting Subscriber Identification Module (SIM) cards with the NFC information. Visa and Mastercard became involved in early pilots to experiment with these new innovations.* Nonetheless, one of the outcomes from these pilots was that the card companies soon saw the risk of lost revenue as these new products were based on stored value accounts or set up to directly access bank accounts, bypassing the card companies' networks.

* In 2007 Royal Bank of Scotland launched a "Tap-and-Go" program in partnership with Mastercard in the UK, whereas in Atlanta's Philips Arena, NFC developer Philips, Chase, ViVOtech, Cingular and Nokia ran a test in partnership with Visa USA.

† These documents include EMVCo Mobile Contactless Payment – Technical Issues and Position Paper (2007), EMVCo Mobile Proximity Contactless Payment FAQ #1 (2008), EMVCo Contactless Mobile Payment Application Activation User Interface (2010), and EMVCo Contactless Mobile Payment Architecture Overview (2010).

8.2 EMVCo Entering Mobile Payments

In October 2007, EMVCo published a white paper titled "The Role and Scope of EMVCo in Standardizing the Mobile Payments Infrastructure," in which EMVCo designated itself as the "representative of the global payments community" and the "common voice of the payments industry on mobile contactless proximity payments standardization." In this paper, EMVCo gave itself the role of defining standards for the mobile contactless payments infrastructure and of consolidating industry standardization efforts.

This was the first time EMVCo looked at enabling payment devices beyond cards and represented the organization's first foray into NFC. During 2007-2010, EMVCo published NFC-related documents that provide insight into EMVCo's continued evolution from a self-appointed standards-setting organization to an instrument to pre-empt the market on behalf of its owners.†

The 2007 paper said EMVCo members had agreed "to allow and support the presence of multiple brands, multiple issuers and multiple payment instruments on the same mobile device" to conduct mobile contactless payments regardless of whether the mobile device used a single "secure element" or multiple secure elements to store sensitive information such as bank or payment card account numbers.‡, 25 This indicated that, at least initially, EMVCo considered including competing brands and methods of payment in its standard.

The story changed in June 2010 with EMVCo's release of the "Contactless Mobile Payment Architecture Overview," where it required that "payment credentials" – basically a card's primary account number (colloquially known as the PAN) and expiration date – be held in the secure element and that transmission of that data between the mobile device and point of sale systems must use the NFC communications protocol.26 By specifying 15-19 digit card numbers and expiration dates as the only acceptable payment instruments, the standard blocked potentially innovative and efficient new payment methods that could have been developed if other types of payment instruments had been allowed, such as a bank routing code and account number, for example.

‡ EMVCo describes the Secure Element (SE) as the place where one or more payment applications are hosted, providing a secure area for the protection of the payment assets (e.g. payment data, keys, the payment application code). The Secure Element can be deployed as an embedded Hardware Secure Element in mobile phones, on a Universal Integrated Circuit Card (UICC) (i.e. in the physical card), in a removable Hardware Secure Element (e.g. smart card or secure core on a multimedia card) not associated with a mobile carrier subscription, or in a Mobile Device Baseband Processor.

8.3 EMVCo Selects NFC for Mobile Payments

NFC is just a communication technology. It replaces the "swipe" of a magnetic stripe card with a "tap" of an NFC-enabled mobile phone onto an NFC-enabled point-of-sale device. Whereas the swipe read the primary account number, expiration date and other security data from the card's magnetic stripe, NFC achieves the same objective by transmitting that same information using the NFC communications protocol.

This meant that card companies could move into mobile payments with very little infrastructure investment but, to implement NFC, merchants had to add NFC capabilities to their card swipe POS devices, placing the economic burden on merchants. The rest of the payments infrastructure remained unchanged because merchants' banks (also known as acquirers) and card-issuing banks had to make minimal if any changes to their systems since, once the cards' information was transmitted from the phone to the POS, transactions behaved just like those initiated by cards.

EMVCo's original architecture had several drawbacks: it was difficult to load the payment credentials onto the secure element (an action called "provisioning"). Only NFC-enabled devices could participate, forcing consumers to acquire NFC-equipped smart phones and obtain NFC-enabled payment cards from participating banks. Under the EMVCo proposed approach, the number of payment instruments that could be provisioned into the secure element was limited to the cards accepted by the mobile phone carrier or manufacturer.

8.4 EMVCo NFC Specification Complicates Merchant Choices in Debit Card Routing

In violation of the Durbin Amendment's requirement that merchants be given the choice of routing debit card transactions over at least two unaffiliated debit networks, the NFC standard omits debit networks that compete with the card companies. The 2011 version of the standard states that the NFC POS or "entry point" software* "queries" the card and, based on its response, identifies the list of products supported by the card, the operating system "kernel"† they will run with, and their priority relative to one another.27 Since the "kernels" only support the EMVCo member networks, the standard accommodates only cards from Visa, Mastercard, American Express, Discover, JCB and UnionPay.

* Entry Point is software in the POS system that is responsible for pre-processing, discovery and selection of a contactless application that is supported by both the card and the reader, activation of the appropriate kernel, and handling of outcomes returned by the kernel, including passing selected outcomes to the reader.

† The Kernel is the central module of an operating system. In the NFC standard it is the part of the system that provides all the essential services required by the application. EMVCo's standard defines the "card" as any consumer token supporting contactless payment transactions, whether in the form of a payment chip card, a key fob, a mobile phone, or another form factor.

In the early NFC implementations such as Isis and Google Wallet, issuers determined the type of cards that were provisioned to the mobile phones.‡ Very few, if any, loaded debit cards to these wallets.§ Google addressed this provisioning issue with the introduction of host card emulation, which allowed consumers to load whatever card they wanted into Google cloud servers. With this architecture, phones were provisioned with Google-issued pre-paid cards that were used to initiate the transaction, but the final charge was made to the consumer's card stored by Google. Still, there was little consumer uptake because of the lack of NFC-equipped phones and point of sale devices.

‡ Isis was a joint venture between AT&T, T-Mobile and Verizon, who ran unsuccessful mobile payment pilots in Salt Lake City and Austin in 2012. The company renamed itself Softcard in 2014, but in 2015 the venture was wound up, with intellectual property and some assets acquired by Google for integration into its own Google Wallet.

§ The number of participating issuers was limited to very large credit card issuers such as J.P. Morgan Chase, Bank of America, Capital One, and American Express that were willing to pay Isis a $3 to $5 per year fee per card.

Since the introduction of Apple Pay, consumers have been able to provision their own cards into the Apple Pay wallet, including debit cards. However, another routing complication arose: because these cards are tokenized before being stored in the iPhone, merchants face challenges when attempting to route these cards through the unaffiliated debit networks. These issues are discussed in greater detail in our analysis of the tokenization standard in Section 8.

In the particularly anticompetitive way that EMVCo drove the industry to NFC technology, EMVCo ignored other communication technologies such as QR codes and also excluded other forms of payment such as direct bank transfer to and from bank accounts, which would have created a competitive threat to the card companies for mobile payments volume. To better grasp the narrowness of the proposed approach, it is useful to review, as we do in the next section, what possible alternatives could have been considered for mobile payments in the United States, and why EMVCo chose to protect its owners rather than act in the interest of innovation, speed and security.

8.5 NFC: A Tool to Prevent Competition

There are alternative communication technologies that allow the exchange of payment credentials between consumers and merchants at the point of sale, which is NFC's sole objective. These include magnetic secure transmission technology, originally developed by LoopPay and acquired by Samsung; sound wave technology, which leverages mobile phones' ability to generate and understand sounds; and quick response codes, known in the industry as QR codes.

* A "pull" payment is when the payer (i.e. the buyer) shares payment credentials with the payee and the payee (i.e. the merchant) initiates the transaction. An example of that is a debit card transaction. A "push" payment is when the payee (i.e. the merchant) shares its payment credentials with the payer (i.e. the buyer) and the payer initiates the payment transaction. An example of this would be a bill payment transaction.

Beyond the data exchange technology, there are also other available technological solutions for storing payment credentials. Payment credentials such as primary account numbers or other similar numbers required to access an account can be stored in the cloud or in secure servers and can be encrypted or tokenized, which would be an alternative to storage in the phone's secure element. Benefits attained by implementing mobile payments using these alternative technologies would include:

• Compatibility with feature phones and other non-smartphone devices

• Less investment at the point of sale to support mobile payments

• Ease of provisioning payment credentials

• Inability of secure element owners to control or charge rent to payment instrument providers

• Unrestricted debit transaction routing

• Ability to support other payment networks besides those supported by EMVCo's owners

• Flexibility to implement "push" or "pull" payments*

• Access to more than one funding source, including bank accounts rather than just cards

Of these benefits, the last two are the most threatening to the card companies: the ability to introduce other funding sources and the ability to bypass the card companies' networks. Doing so would add competition and allow merchants to avoid the card networks' high fees. EMVCo's choice of NFC for mobile payments preserved Visa's and Mastercard's market positions, and did not enable the best technology.


The Federal Reserve Bank of Kansas City compared the merits of EMVCo's NFC-based approach to mobile payments with systems such as QR codes and cloud-based approaches such as PayPal. The study showed that NFC compared unfavorably with other technologies in terms of cost, labor and flexibility (Figure 7).28

8.6 EMVCo's NFC Standard Drawbacks

Despite all of NFC's shortcomings, the card companies and EMVCo promoted this sub-optimal approach which, at that time, was difficult for consumers to adopt, required expensive and inefficient collaboration between business participants, and was weak from a security standpoint because payment credentials were exchanged unencrypted at the point of sale.

NFC was difficult to adopt because NFC-equipped phones were not widely available until 2014 and most consumers had yet to acquire one. In addition, NFC required merchants to make expensive equipment upgrades. Few contactless cards were initially available and even fewer cards were loaded to NFC wallets such as Isis and Google Wallet. Prior to the deployment of EMV in 2015, merchants had to buy and deploy expensive NFC-equipped devices at a time when the industry was already gearing up for a massive replacement of POS devices in support of chip card introduction. Rather than facilitating collaboration from all parties, EMVCo created an unfavorable environment for competing mobile payment methods for the sake of enhancing card companies' market share.*

More importantly, EMVCo's NFC standard had major security issues. As noted earlier, the data exchange of payment credentials between mobile phones and POS devices was unencrypted. Card numbers stored in the secure element were vulnerable to many hacking techniques including malware and "man in the middle" attacks.†

Meanwhile, QR codes ascended to primacy in mobile payments: Starbucks and many other loyalty-based applications made huge inroads using them. The Clearing House ran a pilot using QR codes and tokens as alternatives to secure elements in mobile phones. In late 2015, the largest U.S. card issuer introduced Chase Pay using this technology; Walmart introduced its wallet, Walmart Pay, which also uses QR codes.

8.7 EMVCo's QR Code Standards

QR-code payments were a clear alternative to NFC. Many consumers and merchants found QR codes – the two-dimensional "matrix" bar codes that smartphones can scan to obtain additional information about a product – appealing because all they needed were phones capable of reading the codes. EMVCo kept pushing NFC, however, until issuers in Asia pressured card companies to support QR codes. EMVCo eventually released two QR code standards in July 2017, one for a "consumer-presented" mode and the other for a "merchant-presented" mode.

* At the time of the NFC specification release and the introduction of products such as Isis or Google Wallet (2010) there was no EMV requirement for the United States. Thus, all POS were card swipe based. Even when new EMV devices were introduced, not all of them came equipped with both EMV and NFC, as this was an additional feature that increased the device's cost.

In the QR Code consumer-presented mode, the funding account can only be attached to "credentials associated with their EMV card previously provisioned to their device."29 In other words, the QR code can only be generated from EMVCo payment cards. There is no support for any other type of payment instrument such as bank routing and account numbers or private label cards. The specification also assumes that all transactions are processed through the card companies' networks, just as if they were NFC-initiated at the point of sale. By doing so, the QR code consumer-presented standard blocked potential new competitors and technologies from entering the market.

The QR Code merchant-presented mode erects hurdles against competition as well. That mode provides several fields to enter merchants' accounts, which can be in different formats based on the card company or the merchant's "acquiring" bank that processes payments.‡,30 This standard falls in line with EMVCo's pattern of driving all transactions to be processed through the card companies' networks and obstructing the possibility of these transactions being processed through alternative payment networks such as clearing houses or unaffiliated debit networks.

8.8 EMVCo's NFC Specification and Apple Pay

In 2011-2012, Apple, working together with Visa, Mastercard and American Express, developed a tokenization system that protected the payment credentials during the information exchange between the mobile phone and the POS device. This system was extended to protect the payment credentials all the way to the networks, launching the concept of "network tokens." After their work with Apple, the card companies passed their proprietary designs to EMVCo to build a specification around them, making NFC a part of EMVCo's design for an integrated payments platform.*

† Malware is software that is specifically designed to disrupt, damage, or gain unauthorized access to a computer system. Malware is used by cybercriminals to target point of sale and payment terminals with the intent to obtain credit card and debit card information. Man-in-the-middle is an attack where the attacker secretly relays and possibly alters the communications between two parties who believe they are directly communicating with each other.

‡ Merchants' accounts with their acquirers are called "Merchant IDs" or "MIDs". Each acquirer has a different format for their MIDs and the templates provide for this variety, but these templates are not intended to be used for the entry of bank routing and bank account numbers.

8.9 EMVCo Failures with NFC

Designating itself as "common voice of the payments industry" was a self-serving move on the part of EMVCo. Rather than addressing common concerns like security and interoperability, EMVCo has repeatedly ignored the best interests of the mobile payments system. EMVCo's choices around NFC preempted the market of competitors instead of improving "interoperability and… secure payment transactions". The result was deficient in many areas:

• EMVCo's approach for NFC was cumbersome, unwieldy and ignored the burdens placed on consumers and merchants. It required extensive collaboration between business participants, in which they participated reluctantly and, in the end, only nominally.

• EMVCo betrayed its own charter to provide safe payments by introducing a specification that was weak from a security perspective (until the work with Apple Pay offered a tokenization solution).

• EMVCo's selection of secure elements as the account number storage location preserved the existing infrastructure and card company dominance.

• EMVCo did not incorporate alternatives such as cloud-stored payment credentials, which could support alternative payment instruments and systems in competition with EMVCo owners.

• EMVCo's QR code specifications support the card companies' EMV cards as the only payment instruments and do not support any payment method that could possibly compete with EMVCo owners.

The EMVCo NFC standard is another example of EMVCo pre-empting competition, creating barriers to entry and increasing complexity for both merchants and consumers, all for the sake of increased market share for its owners and at the expense of secure payments. EMVCo continues to demonstrate – despite its claims of being the "representative of the global payments community" – that it will not create specifications that benefit the entire payments industry.

Allowing EMVCo to “assume the central role in defining the requirements for an EMV mobile contactless payments infrastructure” does not serve the U.S. payments industry or the global payments industry.

* In August 2011 Visa laid out a vision that merges contact (chip cards) and contactless (NFC-enabled devices) into a single platform with Secure Remote Commerce (SRC), all integrated into one single infrastructure with tokenization and 3-D Secure technologies.


9. TOKENIZATION

9.1 Background

In the payments industry, tokenization is the process of replacing sensitive account credentials (e.g. a card’s primary account number) with a random string of numbers. These strings, called “tokens,” are not derived from the primary account number by any key or formula: unlike ciphertext, a token cannot be mathematically reversed to obtain the account number. The mapping between a token and its account number exists only in the token vault, so a stolen token by itself is useless to fraudsters. The security of a tokenization scheme therefore rests on protecting the vault and its detokenization interface rather than on protecting an encryption key.

EMVCo did not pursue tokenization until 2014. As early as 1998, however, e-commerce merchants were using tokens to hide primary account numbers from being used in-the-clear by their own internal systems. In 2010, acquirers and payment processors began to offer security token services and token “vaults.” Through these services, merchants can mitigate PCI Data Security Standard (PCI DSS) compliance burdens, as the cards’ primary account numbers are stored outside of the merchants’ servers.

The card companies, on the other hand, were slow and late to get into tokenization. The first mention of a token from the card companies was in October 2009, when Visa released its “Best Practices for Data Field Encryption Version 1.0.” In this document, Visa said that if a primary account number is needed after authorization, “a single-use or multi-use transaction ID or token should be used instead.”31 Visa advocated for tokenization of the primary account number in its release of “Visa Best Practices for Tokenization Version 1.0” on July 14, 2010.32 The PCI Security Standards Council released its own tokenization guidelines a year later in August 2011. It is a telling example of Visa’s influence over standards and standards-setting organizations that sections of the PCI document are copied verbatim from Visa’s best practices document. This should not be surprising, however, as the PCI Security Standards Council is led by an Executive Committee composed of representatives from five of the six EMVCo owners (UnionPay is not listed as participating).

9.2 Standards-Setting Organizations Developing Open Tokenization Standards

At the time, other organizations were developing open standards for tokenization, including ANSI’s ASC X9.119 and The Clearing House’s Secure Token Exchange program. These organizations were proposing tokenization standards that could be used for cards and bank account numbers, supported by multiple data-exchange technologies such as QR codes, NFC and dynamic tokens.

TCH’s Secure Token Exchange launched in 2012 and started its pilot in 2013. Recognizing that card companies’ participation was ultimately needed to achieve market scale, TCH reached out to them. David Fortney, TCH’s senior vice president of product development and management, testified before Congress in March 2014:

The only way to gain broad adoption of tokenization and ensure a consistent customer experience is to develop an open tokenization standard. Open standards promote innovation and allow customers and merchants to choose the point-of-sale technology that works best for them. But it will require banks, merchants, networks and processors to work together to accomplish these goals.33

TCH called for an open tokenization standard even while EMVCo was beginning its work. In Fortney’s view, a truly open standard would involve choice for merchants and consumers, including choice of payment method. TCH recognized the dominance of the card companies in the U.S. payments industry, and that no compelling standard could be developed without their participation.

Shortly after Fortney’s testimony, Charlie Scharf, Visa’s CEO from 2012 to 2016, responded to industry groups that were calling for open tokenization with the following statement:

This is an area where everyone needs to work closely together and it’s paramount that we ensure transparency, security, and integrity so that the integrity of the payment system remains. …It’s got to be standards-based, technology-agnostic. It needs to address the needs of everyone globally, not just in the United States.34

Although Scharf appeared to support Fortney’s position, EMVCo and the card companies did not work with TCH or ANSI. Instead, they developed their own tokenization standard that was closed to other forms of payment such as bank accounts, private label credit cards and any other alternative method of payment. Any card company rhetoric around openness, collaboration and inclusion was simply that: empty rhetoric, devoid of intent.

9.3 Industry Calls for Open Standards

With so many initiatives for tokenization standardization under way, the Secure Remote Payments Council, which represents unaffiliated debit networks, released a statement the week of July 24, 2014 asking payment industry stakeholders for a collaborative approach in the creation of open tokenization standards.*

The National Retail Federation, Food Marketing Institute, Merchant Advisory Group, National Association of Convenience Stores, National Grocers Association, National Restaurant Association and Retail Industry Leaders Association released a similar announcement on July 28, 2014.35 These parties called for open standards and requested that work be migrated away from EMVCo to a true standards organization such as ISO or ANSI. Doing so would enable all industry stakeholders to compete equally and support tokenization for all uses, networks and brands in a manner agreed upon by all.

* The Secure Remote Payments Council (SRPC) is a cross-industry trade association dedicated to the growth, development and market adoption of debit-based internet e-commerce and mobile channel payment methods that meet or exceed the security standards for PIN-based card-present payments. SRPC’s definition of debit means any device that accesses a checking or deposit account (or prepaid debit account) including: card (signature or PIN), ACH debit, e-check, push-credit, chip device, USB device and alternative payment instruments.

Unsurprisingly, the card companies and EMVCo did not migrate this work to a more inclusive and transparent organization, presumably because their focus was to promote their cards as the dominant payment mechanisms, not to promote competition or more secure payments.

9.4 Apple Pay’s Role in Tokenization

In 2012-2013 Visa, Mastercard and American Express worked with Apple to expand the concept of tokenization to provide end-to-end protection of payment credentials, resulting in the beginning of “network tokens.” Apple combined tokenization with biometric security – first fingerprint readers on its phones and then facial recognition – which augmented the security of EMVCo’s original specification.*

As the work with Apple was wrapping up in October 2013, Visa, Mastercard and American Express jointly announced a new framework, with the shared goal “to enhance the security of digital payments and simplify the purchasing experience when shopping on a mobile phone, tablet, personal computer or other smart device.”36 That announcement was made just three months after TCH released its own comprehensive open tokenization specifications. The key goals of this newer card company tokenization framework were to:

• Ensure broad-based acceptance of a token as replacement for the traditional primary card account number

• Enable all participants in the existing system to route and pass through the payment token

• Improve cardholder security with tokens that are limited for use in specific environments37

* Different from Google Wallet, cardholders provisioned the card number themselves by entering the card number and other information directly into the iPhone (or loading it from their iTunes accounts). Cards had to be from participating issuers that had agreed to pay Apple a percentage of the interchange generated by these cards. In the enrollment process, Apple Pay sends the card number along with other device and consumer related information (e.g. device name, iTunes purchasing history) to the card company for tokenization. The card company, acting as the Token Service Provider or TSP, sends the information to the card issuer for approval and further cardholder authentication. Upon authentication, the TSP issues a Network Token and a unique shared key that is returned to Apple Pay for storing in the iPhone’s Secure Element. This token is linked with the device to create a strong association between the device and the token, meaning that payments initiated by that token could only originate from that specific iPhone (and, of course, the Apple Pay application could only be launched by the owner of the iPhone via fingerprint authentication or a PIN). During the purchase process, the Apple Pay application authenticates the phone user via fingerprint or PIN. Apple Pay then generates an authorization cryptogram over the transaction data, using the device key, that can only be created by that particular iPhone and which Apple Pay transmits to the POS device. The merchant’s POS sends the cryptogram to the acquirer, who forwards it to the card company’s TSP. The TSP verifies the cryptogram with the device’s key, confirming that it was produced by that device, detokenizes the provided token back to the original primary account number and passes that information to the issuer for authorization.

In contradiction of these principles, the resulting tokenization specifications were proprietary and only applicable to the card companies’ credit and debit cards. Although the card companies claim input of “many stakeholders, particularly card issuers and merchants,” no merchant can be identified in the documentation and consumer groups were notably missing.

In lockstep with the launch of Apple Pay in October 2014, Visa and Mastercard launched their own token services: the Visa Token Service and the Mastercard Digital Enablement Service. Visa and Mastercard began to use tokenization to give their digital wallets a competitive advantage rather than as a universal security standard.†

9.5 EMVCo Takes Ownership of Card Companies’ Tokenization

Up until 2014, the card companies’ tokenization services were proprietary and directly performed by the card companies. Around that time, the card companies granted EMVCo their intellectual property with the explicit purpose of formalizing it as an EMVCo standard. Almost overnight, EMVCo published a fully developed “Technical Framework” in 2014 with no bulletins, lead time or third-party involvement of any kind.38

† Under a token interchange arrangement, Visa can get tokens from Mastercard for Mastercard cards stored in its Visa Checkout wallet and Mastercard can get tokens from Visa for Visa cards stored in its Masterpass wallet. Both schemes also opened their Token Service Provider or TSP services to third party wallets (e.g. Android, Samsung), as long as the tokens passed through Mastercard’s Digital Enablement Service and Visa’s Token Service. This is a key point because these tokens (now called “Network Tokens” to differentiate them from tokens generated by PSPs and gateways, called “PCI Tokens”) can only be detokenized by the card companies’ TSP.

The framework document essentially echoed the work done for Apple Pay and positioned it as a “standard” even though EMVCo conceded that many important issues remained unresolved, such as whether tokens could be reused because of the limited number of bank identification numbers available for tokenization.* Figures 8 and 9 show the sudden appearance of a fully formed tokenization specification (Version 1.0), using web archives to revisit EMVCo’s site in 2014, when these standards were released.†

* A Bank Identification Number or BIN is the primary account number’s (or PAN’s) first 6 digits, which identify the issuer of the card and the type of product the card is (e.g. regular consumer credit, Signature Elite, etc.). To protect the card companies’ infrastructure, Network Tokens need to look like regular PANs (e.g. 16 digits, start with a “5” or a “4”, etc.) so they can be passed around as regular PANs without modifying their systems. Visa and Mastercard allocated special BINs to issue Network Tokens so they can be distinguished from regular PANs, but there are a limited number of these BINs, meaning the number of Network Tokens that can be issued is limited. The TSPs assigning these tokens are called BIN controllers.

Although EMVCo does not generally release information about its internal proceedings and decision making, its web site contains some information on its work. Examples of these documents are draft standards, which are normally shared and posted during the development process. EMVCo also posts notices and bulletins that are issued prior to the release of a final specification. None of that information was available during the process of developing the tokenization standard.

† Fully formed standards have whole numbers (e.g. 1.0, 2.0, etc.). Draft specifications have fractional numbers (e.g. 0.8, 0.9, etc.).


9.6 EMVCo Tokenization Framework 1.0 Deficiencies

Industry observers quickly identified major deficiencies in Version 1.0. “Network tokens” introduced friction in customer service and chargeback management environments and created significant challenges for merchants trying to route debit cards through nonaffiliated debit networks.

For example, the use of alternative bank identification numbers or BINs hid useful information from merchants, which is very important to locate orders to address customer service calls as well as to identify chargebacks that could be disputed. More importantly, merchants use BINs to identify the card type as credit versus debit versus pre-paid or business versus consumer, for example, which may determine card acceptance flows. Crucially, BINs are critical to route the transaction through unaffiliated debit networks.

Version 1.0 was based on ISO’s older ISO 8583 standard for transmitting card data rather than the newer and more flexible ISO 20022 standard for financial data, in order to maintain compatibility with older systems. This meant that less information about a card and the cardholder could be passed to the issuer. For example, tokens were required to look like cards’ 11- to 19-digit account numbers and were assigned from specially designated bank identification numbers used for tokenization, which prevents the use of other payment instruments such as bank accounts or private label cards.

Under Version 1.0, there could be multiple tokens for the same primary account number at one merchant. This happened when a cardholder used the same card in multiple smartphones. Version 1.0 did not provide a way for merchants to link these tokens, making it appear as though two different customers were making purchases. Merchants needed to see all these tokens as a single customer so they could provide good customer service, provide loyalty points and manage customer risk.

Finally, it was reported by industry observers that dynamic tokens (a more secure type of token that changes for each transaction) were excluded from the specification because some large issuers could not support that capability.39


9.7 EMVCo Tokenization Framework 2.0 Updates and Remaining Deficiencies

Although promised for late 2014, EMVCo did not complete Version 2.0 until September 2017. Version 2.0 remedied the customer-friction shortcomings of Version 1.0 with the introduction of a “payment account reference” number. Nonetheless, suggestions for mandated sharing of key fields such as type of card, support for ISO 20022, inclusion of dynamic tokens and support of other payment methods were all rejected. Crucially, EMVCo also did not address the issue of routing debit cards outside of the card companies’ networks, leaving those details to each card company’s implementation.

The new payment account reference numbers, also known as PARs, link multiple tokens together for the same customer. A PAR is a 29-character alphanumeric string that cannot be used to initiate financial transactions, so its sole purpose is to create a single view of a customer’s payment channels and methods. Unsatisfactorily, Version 2.0 did not require the card companies to pass the PAR back to merchants. As a result, merchants are more dependent on the networks, potentially having to pay a fee to get PAR numbers.
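The following is an added example, written for this edition and not code from the paper, EMVCo or any card company. It models in one place the properties discussed in Sections 9.1, 9.5 (the BIN footnote), 9.6 and 9.7: a vault token is a random value that only a table lookup can map back to the PAN; a network token is kept PAN-shaped (token BIN, fixed length, valid Luhn check digit) so that legacy systems pass it through unchanged; the finite pool of token BINs bounds how many tokens can ever exist; and a PAR links every token issued for the same card. The class and function names, the token BINs and the PAR generation are assumptions for illustration; the test card number is a constructed Luhn-valid value, not a real account.

```python
"""Toy token service provider (TSP) vault: illustrative, not a production design."""
import secrets
import string


def luhn_check_digit(payload: str) -> str:
    """Return the digit that makes payload + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:  # rightmost payload digit is doubled once the check digit is appended
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]


class TokenVault:
    """Vault tokenization: token -> PAN is a lookup in this table, never a computation."""

    PAR_ALPHABET = string.ascii_uppercase + string.digits

    def __init__(self, token_bins, pan_length=16):
        self.token_bins = list(token_bins)  # BINs reserved for tokens; all assumed the same length
        self.pan_length = pan_length
        self._token_to_pan = {}  # token -> (pan, device_id)
        self._pan_to_par = {}    # pan -> PAR

    def capacity(self) -> int:
        """Tokens the BIN pool can ever hold: free digits between BIN and check digit."""
        free_digits = self.pan_length - len(self.token_bins[0]) - 1
        return len(self.token_bins) * 10 ** free_digits

    def par_for(self, pan: str) -> str:
        """Opaque reference shared by every token of one PAN (29-character format assumed)."""
        if pan not in self._pan_to_par:
            self._pan_to_par[pan] = "".join(secrets.choice(self.PAR_ALPHABET) for _ in range(29))
        return self._pan_to_par[pan]

    def tokenize(self, pan: str, device_id: str) -> str:
        """Mint a PAN-shaped random token for one device; refuse once the BIN pool is full."""
        if len(self._token_to_pan) >= self.capacity():
            raise RuntimeError("token BIN pool exhausted")
        self.par_for(pan)
        while True:
            bin_ = secrets.choice(self.token_bins)
            body_len = self.pan_length - len(bin_) - 1
            token = bin_ + "".join(secrets.choice(string.digits) for _ in range(body_len))
            token += luhn_check_digit(token)
            if token not in self._token_to_pan:  # random draw; retry on collision
                break
        self._token_to_pan[token] = (pan, device_id)
        return token

    def detokenize(self, token: str):
        """Only the vault can resolve a token; the token itself carries no key to invert."""
        pan, device_id = self._token_to_pan[token]
        return pan, device_id, self.par_for(pan)

    def is_token(self, number: str) -> bool:
        """All a merchant can tell without the vault: token BIN plus Luhn validity."""
        return luhn_valid(number) and any(number.startswith(b) for b in self.token_bins)


def demo():
    """Same card on two devices: two distinct tokens, one PAR, both resolve to the PAN."""
    vault = TokenVault(token_bins=["480000", "489999"])
    pan = "4111111111111111"  # constructed test PAN, not a real card
    phone = vault.tokenize(pan, "phone-1")
    watch = vault.tokenize(pan, "watch-1")
    return {
        "pan": pan,
        "tokens": [phone, watch],
        "par": vault.par_for(pan),
        "resolved": [vault.detokenize(t)[0] for t in (phone, watch)],
        "linked": vault.detokenize(phone)[2] == vault.detokenize(watch)[2],
        "vault": vault,
    }


def exhaust_pool():
    """Tiny pool to make the bound visible: 8-digit tokens, one 6-digit BIN, one free digit."""
    vault = TokenVault(token_bins=["411111"], pan_length=8)
    issued = []
    try:
        while True:
            issued.append(vault.tokenize("41111111", f"dev-{len(issued)}"))
    except RuntimeError:
        pass
    return len(issued), vault.capacity()


if __name__ == "__main__":
    r = demo()
    print("tokens:", r["tokens"], "PAR:", r["par"], "linked:", r["linked"])
    print("tokens issued before pool exhausted:", exhaust_pool())
```

The merchant-side view is `is_token`: it can recognise a token BIN and check the Luhn digit, but nothing in the token reveals the PAN, the card type or the issuing BIN, which is exactly the information loss Section 9.6 describes. The `exhaust_pool` run also shows why token reuse became a question in Version 1.0: with a fixed number of token BINs and a fixed length, the supply of distinct tokens is finite.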

9.8 Network Tokens Introduce Challenges to Merchant Debit Card Routing Choices

Version 2.0 continued EMVCo’s practice of creating obstacles for merchants to exercise their rights to route debit cards through unaffiliated debit networks.

To route debit card transactions from pay wallets such as Apple Pay for in-person transactions through unaffiliated debit networks, the following needs to happen: (1) the bank identification number used to tokenize the debit cards must be registered with the debit networks, (2) the point of sale terminal must be programmed to select the U.S. Common AID (see Section 6) and (3) unaffiliated debit networks must follow rules established by Visa and Mastercard to be able to detokenize a token back to the primary account number or PAN.

These requirements are challenging for merchants for the following reasons: if Visa or Mastercard were to issue a token for a debit card that participates in an unaffiliated debit network but the corresponding token BIN was not enrolled, a merchant would either not route the transaction to the unaffiliated debit network or, if it did, the transaction would be rejected. It is very difficult, if not impossible, to continuously monitor if Visa and Mastercard are issuing tokens that use BINs that may be solely enabled on their networks or hold the card companies accountable for the timeliness of such enrollment with the unaffiliated debit networks.

Further, unaffiliated debit networks can only detokenize transactions that originate using the U.S. common AIDs. Since many terminals have been configured to prioritize Visa and Mastercard global AIDs, a merchant terminal will only select the common AID if it’s been configured to ignore the EMV priority. Any merchant that wants to accept mobile wallet-based transactions (e.g. Apple Pay / Google Pay / Samsung Pay) and benefit from the frictionless experience afforded by biometric-only authenticated transactions must choose the global AID rather than the common AID, effectively giving up routing choice.

Once a merchant identifies a debit card token that can be routed through the unaffiliated debit network, the unaffiliated debit network can request that the token be detokenized back to the primary account number. Because the merchant configured the terminal to default to the common AID, however, the transaction is processed as a “no cardholder verification method” transaction. In this scenario, even if the customer uses biometric authentication, the unaffiliated debit network is prohibited from sending that information along to the issuing bank. It is important to point out that there are no technical or security challenges with the unaffiliated networks sending this data; it is just an arbitrary card rule. As a result, an issuing bank would consider an unverified transaction as inferior and is more likely to decline it.

Similar obstacles are also found in the card not present environment, which includes Internet, mobile commerce and other transactions in which a merchant does not observe a physical card. Visa and Mastercard are actively promoting network tokens to e-commerce and subscription merchants on the basis that their Account Updater service is not needed.* But while merchants enjoy full routing choice when the primary account number is used, the same is not true of tokenized card-on-file credentials. Mastercard prohibits the routing of such tokenized card-on-file transactions to any other unaffiliated debit networks enabled on the actual card and requires all tokenized transactions run exclusively through their network.

Visa doesn’t prohibit the routing of tokenized card-on-file transactions to unaffiliated debit networks, but Visa will only de-tokenize such transactions if the issuer instructs them to do so and will subsequently degrade the service. If a merchant routes the same transaction to an unaffiliated debit network, Visa will detokenize the transaction but will not perform any token domain restriction or cryptogram validation, thereby eliminating the core security capabilities available on such transactions. Because of the perceived lesser security, issuers are more likely to decline these transactions, seriously impacting approval rates and discouraging merchants from routing through unaffiliated debit networks.
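To make concrete what “token domain restriction” and “cryptogram validation” add, and what is lost when a detokenization path skips them, the following is an added example and not code from Apple, Visa, Mastercard or EMVCo. It plays out the exchange described in the Apple Pay footnote of Section 9.4: at provisioning the TSP returns a token and a device-unique key; at payment the device computes a cryptogram over the transaction that only it can produce; the TSP checks the token’s domain and the cryptogram before resolving the token to the PAN. HMAC-SHA256 stands in for the EMV cryptogram algorithm, the message layout and the class and field names are assumptions, and the token format is a toy. The `validate=False` path models a detokenization that performs neither check, as the paragraph above describes for transactions routed to an unaffiliated network.

```python
"""Device-bound network token with a per-transaction cryptogram: illustrative only."""
import hashlib
import hmac
import secrets


def compute_cryptogram(key: bytes, token: str, amount: int, currency: str, un: str, domain: str) -> str:
    """Keyed MAC over the transaction fields; stands in for the EMV cryptogram (assumed layout)."""
    msg = f"{token}|{amount}|{currency}|{un}|{domain}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


class TokenServiceProvider:
    """TSP side: issues device tokens and is the only party able to resolve them."""

    def __init__(self):
        self._records = {}  # token -> {"pan", "key", "domain"}
        self._seen = set()  # (token, unpredictable number) already accepted, for replay detection

    def provision(self, pan: str, domain: str):
        """After issuer approval: mint a token bound to one domain and a key returned once to the device."""
        token = "48" + "".join(secrets.choice("0123456789") for _ in range(14))  # toy token format
        key = secrets.token_bytes(16)
        self._records[token] = {"pan": pan, "key": key, "domain": domain}
        return token, key

    def detokenize(self, auth: dict, validate: bool = True) -> str:
        """Resolve token -> PAN; with validate=True the domain and cryptogram are checked first."""
        rec = self._records.get(auth["token"])
        if rec is None:
            raise LookupError("unknown token")
        if validate:
            if auth["domain"] != rec["domain"]:
                raise PermissionError("token domain restriction: token not valid in this channel")
            expected = compute_cryptogram(rec["key"], auth["token"], auth["amount"],
                                          auth["currency"], auth["un"], auth["domain"])
            if not hmac.compare_digest(expected, auth["cryptogram"]):
                raise PermissionError("cryptogram validation failed")
            if (auth["token"], auth["un"]) in self._seen:
                raise PermissionError("replayed cryptogram")
            self._seen.add((auth["token"], auth["un"]))
        return rec["pan"]


class DeviceWallet:
    """Secure-element stand-in: holds the token and device key, never the PAN."""

    def __init__(self, token: str, key: bytes, domain: str):
        self.token, self._key, self.domain = token, key, domain

    def authorize(self, amount: int, currency: str, un: str, domain: str = "") -> dict:
        """Build the authorization record handed to the POS; un is the terminal's unpredictable number."""
        domain = domain or self.domain
        return {"token": self.token, "amount": amount, "currency": currency, "un": un, "domain": domain,
                "cryptogram": compute_cryptogram(self._key, self.token, amount, currency, un, domain)}


def run_scenarios():
    """Constructed transactions: legitimate, replay, wrong channel, tampered amount, and unvalidated."""
    tsp = TokenServiceProvider()
    pan = "4111111111111111"  # constructed test PAN, not a real card
    token, key = tsp.provision(pan, domain="contactless")
    wallet = DeviceWallet(token, key, "contactless")

    def attempt(auth, validate=True):
        try:
            return tsp.detokenize(auth, validate)
        except PermissionError as err:
            return str(err)

    good = wallet.authorize(1999, "USD", un="a1b2c3d4")
    wrong_channel = wallet.authorize(1999, "USD", un="0f0f0f0f", domain="ecommerce")
    tampered = dict(good, amount=199900)  # acquirer-side modification of a valid message
    return {
        "pan": pan,
        "legit": attempt(good),
        "replay": attempt(good),
        "wrong_channel": attempt(wrong_channel),
        "tampered": attempt(tampered),
        "no_validation": attempt(wrong_channel, validate=False),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

With validation on, the TSP refuses the same cryptogram a second time, a token presented outside the channel it was provisioned for, and a message whose amount was altered in transit. With validation off, the wrong-channel message resolves to the PAN just the same, which is the degraded service the text describes: the issuer then receives a transaction that carries none of the evidence that the device actually produced it.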

Finally, it has been reported by industry observers and representatives of the unaffiliated debit networks that, in the future, both Visa and Mastercard might require that any transaction where the cardholder was authenticated through 3-D Secure on their respective network have the corresponding authorization processed on their networks. With the push to make adoption of 3DS 2.0 as broad as possible, this will further reduce the number of transactions that can be routed through unaffiliated debit networks.

* Account Updater is a service offered by Visa, Mastercard and American Express that automatically updates the primary account number and the expiry date of cards-on-file when this information changes. Examples are replacement cards when the card is reissued based on its expiration date. This is an important service for subscription merchants and for merchants that offer cardholders the option to store their cards with merchants for future purchases.

9.9 EMVCo Failures with Tokenization

With “EMV Payment Tokenization Specification, Tokenization Framework Version 2.0,” EMVCo failed to be a “representative of the payments community” in favor of delivering tokenization standards that:

• Are narrowly focused on card companies’ products

• Preserve the current infrastructure by using the older ISO 8583 communication protocol rather than the more flexible ISO 20022

• Create complexity for merchants and make them even more dependent on services from card companies, with potential new fees

• Are not transparent to merchants, negatively affecting approval and decline rates as well as creating friction for customer service and chargeback departments

• Hide key information such as card type, impacting routing and interchange calculations

• Create obstacles for merchants routing debit cards through unaffiliated debit networks, in effect providing the card companies with a mechanism to avoid complying with the Durbin Amendment

• Demonstrate, given the difficulty they had evolving the initial tokenization framework to version 2.0, that EMVCo is not the right body to develop these specifications and standards.

Tokenization is one more example of the card companies — specifically Visa, Mastercard and American Express — appropriating an open standard and preempting collaborative industry efforts. EMVCo did not develop the initial tokenization standard at all; the card companies leveraged EMVCo’s imprimatur to create the perception that the tokenization framework was an industry standard. In so doing, EMVCo demonstrated, once again, that it creates standards that benefit the card companies at the expense of merchant choice for affordable routing.


PART III — CONCERNS WITH NEW STANDARDS

This part reviews recently introduced, but not fully implemented, standards such as 3-D Secure 2.0 and Secure Remote Commerce that have the potential to significantly disrupt e-commerce and mobile commerce. We will outline concerns with these standards and how they negatively impact the competitiveness of payment solutions in the fastest growing segment of U.S. retail shopping.

10. 3-D SECURE VERSION 2.0

10.1 Background

Three-Domain Secure, also known as 3-D Secure or 3DS, is a security protocol originally developed by Visa. It has been adopted by all the card companies to help prevent fraud when using credit and debit cards to make e-commerce purchases online. It is also the generic name for authentication technology presented to online buyers under the names Verified by Visa, Mastercard SecureCode, SafeKey (American Express), ProtectBuy (Discover), and J/Secure (JCB).

3DS originated with the 2001 Visa Payer Authentication System, which encouraged cardholders to use only Visa cards for online shopping by promoting its exclusive authentication features. That initiative had more to do with brand marketing (with Visa claiming to be secure and others appearing unsafe by comparison) than it did with payment security. Within months, however, the other card companies offered similar solutions. Maintaining multiple authentication standards created logistical problems for merchants, and the card companies acquiesced to a common approach that became 3DS.

The original 3DS scheme, called 3DS Version 1.0, requires that cardholders register with their card issuing banks and that, prior to any e-commerce transaction, they be authenticated by the card issuer. This authentication is performed by redirecting cardholders to issuers, where they enter their user-identification and password information. When cardholders are authenticated, the liability for any fraud shifts from the merchant to the issuer.

The initial release of 3DS was not well thought-out and it showed the card companies’ inexperience when it came to online shopping. Issuers had little incentive to enroll cardholders because of the liability shift. Aside from the lack of issuer support, online shopping cart abandonment under 3DS 1.0 was high. Many merchants who implemented 3DS 1.0 reported lost sales as customers who were re-directed never returned to complete their purchases, either because they had forgotten their passwords or because the redirection process took too long, creating a timeout condition on the merchants’ checkout processes.*

* A “timeout” is the cancellation of an order that automatically occurs when a predefined interval of time has passed without a certain event occurring, such as getting a response from a provider.

Despite efforts from Visa and Mastercard to convince online merchants to participate, efforts that included meaningful financial incentives, adoption remained low due to increased friction and lost sales.† More importantly, 3DS 1.0 lacked support for card-on-file and recurring payments, important payment modes for online shopping and subscription merchants. Thus, what is now called 3DS 1.0 was poorly designed, mismanaged in its implementation and was minimally adopted by U.S. merchants.

† Visa offered merchants large cash or marketing rebates, sometimes in the multi-million-dollar range. Mastercard introduced interchange reduction on 3DS transactions in addition to the liability shift.

10.2 Evolution from 3DS 1.0 to 2.0

Like tokenization, 3DS was not developed by EMVCo. Its implementation as a standard is another case of the card companies using EMVCo to bolster technologies that structurally support their objectives. 3DS was “re-invented” by the card companies during 2013-2014 because of separate compounding circumstances:

• Increases in online fraud rates led issuers to tighten their risk scores and to decline authorization requests at higher rates. For this reason, merchants and issuers, dissatisfied with the card companies’ solutions to the problem, decided to explore ways for merchants to share richer information with issuers, potentially using third party solutions that would pass this information outside the card companies’ control

• The emergence of competing authentication standards from the FIDO Alliance and W3C

• The impending arrival of the European Commission’s Payment Services Directive 2, which required “strong customer authentication” on all online transactions.*

These events led the card companies to rethink how online transactions are authorized and how they could avoid being disintermediated by creating an authentication standard.

10.3 3DS 2.0 Pre-empting Competition

To increase approval rates, large merchants such as Microsoft, Google and Netflix reached out to selected issuers around 2013 to explore “out of band” solutions. Both merchants and issuers concluded that approval rates could be improved if better data were available during the issuer’s decision-making process. Additional data discussed included information such as email address, IP address, device fingerprint and length of relationship between the cardholder and merchant.

Unfortunately, the card companies and many issuers were, and still are, running their authorization platforms on the ISO 8583 message format standard, which, although very robust, is not very flexible. ISO 8583 does not have the capability to carry the additional information issuers wanted. Issuers realized that they were missing out on interchange income due to unnecessarily declined transactions and began cooperating with merchants in exploring solutions that bypassed the card companies. Some innovative financial technology companies offered “out of band” messages running parallel to the authorization flow, which convey the data to the issuer. Companies such as Ethoca and CardinalCommerce, for example, were well-positioned to provide such services.

Faced with these issues, Mastercard announced in November 2014 that it would join Visa in creating a new version of 3DS that would carry richer data, a move that preempted the work of other companies.† In January 2015, EMVCo owners agreed that the draft framework and corresponding intellectual property developed by Visa and Mastercard would be handed off to EMVCo for further development. Although promised for late 2015, it was not until October 2016 that EMVCo published its standard for 3-D Secure 2.0, which could deliver much of the data sought by issuers to increase approval rates.

* The European Commission released its PSD2 proposal in 2013 and it was finally adopted in 2015.

† This risk of disintermediation is no longer the case after Visa’s acquisition of CardinalCommerce in 2016 and Mastercard’s acquisition of Ethoca in 2019.

10.4 3DS 2.0 Positioned as a Strong Customer Authentication Standard

On November 16, 2015, the European Union adopted Payment Services Directive 2, which extended changes originally implemented in 2009.‡ Under PSD2, financial institutions were mandated to open access to bank accounts to any qualified payment initiation service providers. In order to protect consumers, PSD2 also required—with some exceptions—that account access must be done with strong customer authentication, which is generally referred to as SCA, a methodology to authenticate the account owner based on multi-factor authentication.*

‡ The original PSD regulation opened the payment markets to payment service providers who were not financial institutions. Payment Services Directive 2 is officially known as Directive (EU) 2015/2366 amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC.

The requirement applies to all remote paymenttransactionsinitiatedbyapayerwithintheEuropeanEconomic Area, including card transactions, butappliesonlyona“best-effort”basiswhenoneofthepartiesislocatedoutsideofEurope.Exemptionsarealso allowed for low-value and recurringtransactions.† However, it is believed that U.S.merchants selling in Europe that do not performstrongcustomerauthenticationcouldseesignificantloss of sales as European card issuers expect thisauthentication to be performed regardless of the“best-effort”exclusion.

Visa and Mastercard immediately positionedEMVCo’snewstandard,3DS2.0,asthebesttooltoperform strong customer authentication for cardtransactionsbothinEuropeandtheUnitedStates.‡ThedecisionisanotherexampleofEMVCostandardsbeingdevelopedandleveragedinawaythatbenefitsthe card companies’ existing practices whileincreasingmerchants’paymentprocessingcostsandinhibitingtruesecurityinnovation.§

10.5 EMVCoIgnoresAuthenticationStandardsfromOtherStandards-SettingBodies

EMVCo’straditionalareaofexpertisehasbeenchipcardsandterminals,notbiometrictechnologiesnorconsumer authentication. By contrast, the FIDOAlliance has been developing alternativeauthentication approaches for several years.Similarly,theWebPaymentsWorkingGroupoftheWorldWideWebConsortium (W3C) initiatedwork

*PSD2regulationsdefinestrongcustomerauthentication,orSCA,as

anauthenticationbasedontheuseoftwoormoreelementscategorizedasknowledge(somethingonlytheuserknows),possession(somethingonlytheuserpossesses)andinherence(somethingtheuseris)thatareindependentandthatprotect[s]theconfidentialityoftheauthenticationdata.TheregulationwasoriginallyscheduletobeeffectiveonSeptember,2019butduetothelackofindustryreadiness,theeffectivedatefortheapplicationofthisregulationhasbeenmovedtothelastdayofDecember,2020

†TheRegulatoryTechnicalStandardsorRTSprovidesdetailedspecificationstoachievethestrictsecurityrequirementsforpaymentserviceprovidersintheEU.

‡EventhoughneitherPSD2norRTSmention3DS,manymerchantsbelievethatPSD2havemandated3DS,failingtorecognizethat3DSisjustonealternativetocomplywiththeSCArequirement.

on its Payment Request application programminginterfacewithparticipation froma cross-sectionofindustrystakeholdersintendedtocreatetheconceptof“paymentapps.”

In collaboration with the FIDO Alliance, W3Cadvanced the Web Authentication API, namedWebAuthnand inMarch2019,WebAuthnbecameanofficialwebstandard.WebAuthn,issupportedinWindows 10 and Android and it is beingimplemented in Chrome, Firefox, Edge and Safari.WebAuthnaddressessomeoftheriskanalysisgoalsof 3DS 2.0 through new browser capabilities thatenhanceuserprivacy.

Payment apps like WebAuthn are intended tostandardize the buying experience and run ondesktops,laptops,tabletsandphones.Theyprovideservices suchas stronguserauthentication, loyaltyprogram integration, and back-channelcommunications with the merchant for fraudanalytics.Moreimportantly,WebAuthnisdesignedto“supportthebroadestpossiblearrayofpaymentmethods.” Yet none of these approaches tocustomerauthenticationhavefoundtheirway intothecardcompanies’initiativesforsaferpaymentsintheUnitedStates.

Insteadofcollaboratingwithopenstandards-settingorganizations,EMVCopursuedexpandingthe3-DS-based framework developed by Visa andMastercard. In so doing, the card companiesretained control of the authentication process andprevented other payment methods fromparticipatinginit.**

§Mastercardchargesa$0.03foreachSecureCodeverificationattemptandacquirersplanningtoofferSCAarequotingchargesfrom$0.02to$0.07per3DS2.0verificationontopofthat.

**EMVCocollaborateswithopenstandards-settingorganizationsbutonlywhenitbenefitstheirowners.Inoneexample,EMVCoprovidedpaymentusecasestotheFIDOAllianceforincorporationintoitsAuthenticationSuite.DoingsoallowsFIDOcertifiedauthenticatorssuchasfingerprintsandfacialrecognitiontoauthenticatecardtransactions.ByworkingwithW3CandtheFIDOAlliance,EMVCocanclaimthattheycollaboratedinpaymenttechnology.Intheend,providingtheseusecaseshadthedesiredoptics:Initsrelatedpressrelease,theFIDOAllianceunfortunatelymislabelsEMVCo“theglobalpaymentstandardsbody,”continuingtofostertheimagethatEMVCospeaksfortheentirepaymentsindustry.


10.6 Industry Concerns with 3DS 2.0

3DS 2.0 is a new standard that has not been widely deployed by vendors or adopted by merchants. Much of the recent impetus for its implementation was driven by the European strong customer authentication requirements.* Because it is still early days, there are few 3DS 2.0 practical experiences to study its impact on the U.S. payments industry. However, observers have identified issues and expressed concerns regarding this standard that echo problems noted with other EMVCo standards.

• The architecture of 3DS 2.0 is essentially similar to 1.0 – a 3DS server connecting to a directory server which, in turn, connects to an issuer’s access control service. Given that the amount of data being passed is greater, there are significant concerns about performance and the possibility of cart abandonment because of timeout conditions. This was a big problem under 3DS 1.0 and reports from a recent EMVCo meeting indicate that the 3DS 2.0 authentication roundtrip suffers the same performance issues.

• 3DS 1.0 had little adoption amongst U.S. merchants because of the friction it introduced in the shopping process but, at least, merchants had the option to use 3DS 1.0 or not. There are concerns within the merchant community that the card companies will mandate 3DS 2.0. Under EMVCo’s secure remote commerce, also known as SRC but branded as “Click to Pay”, merchants lose control over whether 3DS 2.0 is executed as the authentication process is now being performed by the wallet operating under SRC.†

• Another major concern about EMVCo’s 3DS 2.0 standard is that it lets the card companies define rules that prevent routing of debit cards through unaffiliated debit networks. Unconfirmed reports from merchants and other industry sources indicate that Mastercard will require all 3DS 2.0 authenticated transactions to also be authorized and settled through their network instead of the unaffiliated debit networks, violating the spirit and the letter of the Durbin Amendment.

• The card companies continue to position the EMVCo 3DS 2.0 standard as the tool to address the European requirement for strong customer authentication, pushing merchants to implement it even though there are also concerns, voiced by the European Banking Authority, that, under certain conditions, 3DS 2.0 does not meet their authentication requirements.‡ Thus, merchants are concerned about implementing 3DS 2.0 but still not being compliant. A companion concern from industry observers is that, by putting all the attention on EMVCo’s 3DS 2.0 standard, other authentication approaches from competing companies or open standards bodies are being pre-empted.

• Conveniently, EMVCo’s definition of the 3DS 2.0 standard allows the card companies to define fees and other governance rules. The card companies have historically taken advantage of these opportunities to introduce additional merchant fees. For example, when tokenization was introduced in 2013, Mastercard began assessing a 0.01 percent Digital Enablement Fee which applies to all online transactions – e-commerce and mobile commerce – even if the merchant does not use Mastercard’s tokenization services. Similarly, since approximately 2013 Mastercard has also been charging a SecureCode transaction fee of $0.03 for every 3DS 1.0 verification attempt. Given this precedent, it is reasonable to be concerned about the possibility of the card companies introducing or raising 3DS 2.0 fees.

* Strong Customer Authentication was scheduled to go live in September 2019 but has been delayed until the last day of 2020.

† This will be discussed at length in the next section on secure remote commerce.

‡ 3DS 2.0 without biometric authentication cannot be used to satisfy the inherence factor requirement under strong customer authentication, just knowledge and possession.

10.7 Conclusion

While EMVCo did not develop the original 3DS standard, its assumption of the standard was critical to its credibility. 3DS 2.0 follows the pattern of the card companies preempting industry efforts and creating barriers to market entry for better payment methods as well as creating standards that introduce fee-generating services. 3DS 2.0 shows, once again, that EMVCo acts as a pass-through company to create standards that benefit the card companies, not the overall payments industry.


12. SECURE REMOTE COMMERCE

12.1 Background

Secure Remote Commerce is a recently introduced EMVCo standard intended to provide a unified checkout for remote commerce where purchases are done via web browsers or mobile phones and where the physical payment card is not present. To users, SRC will appear as a single button with a variety of payment methods from the card companies that are enrolled in the SRC system the merchant has implemented.

The document that defines the SRC standard is a technical framework draft released in March 2017 that broadly described its concepts, including the roles and responsibilities to be held by the different participants in the SRC system. Early merchant implementations of SRC began to appear in October 2019 under the name “Click to Pay” but the card companies do not expect major adoption until after the 2019 holiday season.⁴⁰

The SRC standard creates a new checkout experience while enabling integration with other EMVCo standards such as 3-D Secure and tokenization, with the objective of delivering to merchants an experience similar to the point of sale: receipt of a payment token that the merchant can use to initiate a secure remote payment.

EMVCo has stated that the objectives of the EMV SRC standards are to:

• Design uniform interfaces that allow for secure exchanges of payment data among participants in the digital commerce environment

• Accommodate options for using dynamic data — such as cryptograms or other transaction-unique data — to enhance the security of payment transactions on a merchant’s SRC-enabled website, mobile app or other e-commerce platform

• Enable compatibility with other EMVCo technologies such as payment tokenization and 3-D Secure

• Facilitate consumer recognition of a common user experience by display of the SRC icon

EMVCo states that today’s e-commerce environment “…has many different integration models and practices. The variety of implementations and the lack of common specifications for this environment results in fragmentation, complexity and inconsistency.”⁴¹ EMVCo purports to address the need for consolidation, simplicity and interoperability by providing a “universal buy button” that contains cardholder payment information which can be used at all SRC-enabled merchants.

The card companies claim that their motivation for introducing this standard is to simplify the checkout process and eliminate the confusion created by the large number of checkout buttons. Ironically, the proliferation of checkout buttons was caused by the card companies themselves trying to compete with other user-friendly and secure solutions such as PayPal. Since the card companies have failed to gain much market adoption, SRC seems to be an attempt to rewrite the checkout button display rules. EMVCo’s SRC is a solution in search of a problem—unless one concedes that the problem is branding and increased market share for EMVCo’s owners.

12.2 Game of Buttons

The card companies care about both their brands and about transaction volume; one is critical to maintaining the other. That is why, for example, Visa and Mastercard lament that consumers often say they are “paying with PayPal” when the actual funding instruments are their credit or debit cards linked to consumers’ PayPal accounts. It was not surprising that when PayPal grew out of its eBay origins around 2006, the card companies became concerned that it would be considered a competing “acceptance brand”.

Prior to 2006, the card companies had very strict rules regarding the display of their logos on websites. All logos had to be displayed equally and there could not be a preference between logos. The card companies were so concerned that they required that the PayPal logo on merchant sites comply with their regulations with regards to size, color and other considerations as a “comparable” logo. A pre-2006 merchant checkout logo display looked like that shown in Figure 10.

Around 2007-2008, however, PayPal found a way to achieve prominence by convincing merchants to implement a larger button that initiated a new “process” running in parallel to the process of card-based checkouts. “Check out with PayPal” gave PayPal greater visibility, as shown in Figure 11.

Despite the negative reaction and threats from the card companies, PayPal was able to prevail because it argued that this approach did not violate the rules, as “Check out with PayPal” was not a comparable product but a different “process.” PayPal created multiple versions of its “buy buttons.” Some merchants even presented the “Check out with PayPal” button alongside plain text saying “check out with credit cards” that did not show any of the card companies’ logos.

Around 2011-2013, the card companies tried to compete with PayPal at its own game by developing their own checkout buttons. Visa introduced V.me in 2011 which evolved into Visa Checkout; Mastercard introduced PayPass Wallet Services in 2012 which evolved into Masterpass and Amex Express Checkout was introduced in 2015. Each of these buttons appeared with varying degrees of marketing fanfare but they all had low customer and merchant adoption. Their functionality was still rudimentary and comparable with what PayPal had offered in 2002. Still, the card companies persisted, leading to the proliferation of buttons — as shown below — that EMVCo now claims is causing consumer confusion and creating a reason to introduce SRC (see Figure 12).

The card companies’ concerns are not just about brand prominence. E-commerce provides a real opportunity for new, competing payment methods to be introduced. Consumers are more likely to adopt new online payment forms while the infrastructure cost for merchants to implement them is a fraction of the cost associated with adopting new forms of payment in-store. EMVCo consolidates the resources of the card companies against services like PayPal and interferes with efforts of other standard bodies before they can gain momentum.

Shortly after EMVCo’s announcement of the Secure Remote Commerce initiative in late 2017, the card schemes—led by Visa, Mastercard, and American Express—launched public relations efforts to buttress EMVCo and SRC which left no doubt as to who their target was (see Figure 13 below): wallets not associated with the card companies’ checkout buttons.*

* Picture from a presentation by Alfred Kelly, Visa CEO, at the JPMorgan Global Technology and Communications Conference, Boston, May 2018.

One of SRC’s functions is to authenticate cardholders before adding their payment cards to the SRC wallets. In the early implementations, this authentication is being performed via one-time codes sent to the e-mail address or mobile phone registered with the card. This approach ignores the ongoing authentication work of the FIDO Alliance and W3C.

For example, the FIDO Alliance’s open standards-making process, started in 2013, encouraged and invited participation from all companies and organizations that wanted simpler and stronger online payment authentication. Participation in FIDO, in contrast with EMVCo, is open to any paying member and includes voting in board meetings. FIDO Alliance’s objective is to define an open system that benefits all users of the internet.

Similarly, the World Wide Web Consortium, known as W3C, launched its Web Payments Initiative in 2014. Its stated objective was to enable consumers to choose their preferred payment options across all their devices, for merchants to transparently support a growing number of payment options, for new payment providers to enter the market more easily with innovative solutions and payment systems, and to support new payment models such as micropayments and payment wallets. W3C’s standards development process is fully inclusive and transparent. From its launch, W3C’s initiative was open to participation from all the members of the payment community.† The initiative speaks directly about preventing vendor monopolies and includes all forms of payment, including ACH and non-traditional payment methods.

† To see the inclusiveness of W3C participating members, see https://www.w3.org/Payments/WG/charter-201803.html

Rather than pursuing similarly open systems, EMVCo states that “EMV SRC is focused on providing consistency and security for card-based payments [emphasis added] within remote payment environments” and that “EMVCo aims to work closely with industry participants such as W3C to capitalise on opportunities for alignment where appropriate.”⁴²

In a June 2018 EMVCo ad-hoc meeting in San Diego to discuss SRC, EMVCo stated that its inability to work with W3C was due to intellectual property issues because W3C and EMVCo work under different confidentiality models. W3C’s working groups operate in public, so if a group reviewed an EMVCo standard it would have to release those findings publicly, which EMVCo would not allow as it operates behind closed doors. EMVCo’s opposition to transparency in the standard-setting process is, in fact, the problem itself. At the same meeting, attendees criticized EMVCo’s inability to define specific roles and processes for participation by any competitors to the card companies in the SRC programs.

It was not until April 2019 that EMVCo joined the FIDO Alliance and W3C in creating a new interest group to collaborate on a vision for web payment security and interoperability. In its press release, EMVCo said it looked forward to “productive discussions and ultimately increased interoperability for payments.”⁴³ It remains to be seen what develops from this interest group, given EMVCo’s history of superseding other standards-setting bodies’ work and operating in a closed-door environment.

12.3 SRC User Experience

The initial SRC implementation at merchants’ checkout pages shows a process very similar to what consumers do when they create PayPal accounts (the numbers detail the windows in Figure 14 below):

1. In merchants’ pay page consumers click on the Click to Pay button. This brings up a widget or JavaScript window where consumers enter their e-mail address to register or log in. The widget or JavaScript is hosted by the company or SRC program with whom merchants entered into an agreement, either Visa or Mastercard. In the example below, the widget presented is by Visa.

2. The window asks for payment card information from new consumers. Note that the window only allows entry of 15- to 16-digit payment card numbers (rather than bank or other account numbers) and that once the card number is determined to be a Mastercard, the host of the window changes to Mastercard.

3. Consumers must provide additional information such as billing address, which is also used as the default shipping address. This process is similar to enrollment in any other e-wallet.

4. The SRC program sends a one-time-use code to the email address of record for that payment card. It is not known at this time whether this process uses the 3-D Secure or another proprietary protocol. The e-mail comes from Visa or Mastercard, depending on the card type, not from the issuer.

5. Once the number is entered and verified, a token is passed back to the merchant who can either use it to initiate the payment or store it for future use. The actual primary account number may or may not be passed to the merchant depending on the SRC program’s implementation rules. The primary account number is optionally tokenized and bound to the device that initiated the transaction by means of an algorithm that indicates the token associated with the primary account number can only originate from that device.

In subsequent SRC experiences – either with the same merchant or any other merchant – consumers do not have to re-enter their primary account number or credentials as the card number is already registered and bound to the device in question. Consumers enter their e-mail addresses and the one-time code on the widget or JavaScript window, which will cause the SRC programs to pass the payment data to the merchant. Optionally, consumers can set their phones or computers as trusted devices and this will prevent the need to enter the one-time code when they do subsequent purchases.
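The flow above, modelled as an added Python example that is not part of the paper and not EMVCo’s or any SRC program’s code: card-number acceptance (11 to 19 digits as the paper describes the standard, 15 to 16 in the early Click to Pay widget), the single-use code sent to the address of record, a token handed to the merchant, trusted devices, and device binding as the optional control from step 5. The class and method names, the keyed-hash token derivation and the sample card number are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed model of the SRC-style enrollment and checkout flow; the length
# rules come from the paper's description, everything else is illustrative.
STANDARD_LENGTHS = range(11, 20)       # 11 to 19 digits per the standard
CLICK_TO_PAY_LENGTHS = range(15, 17)   # 15 to 16 digits in the early widget


def luhn_ok(pan: str) -> bool:
    """Luhn check over a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def acceptable_pan(pan: str, allowed=STANDARD_LENGTHS) -> bool:
    """Step 2: only digit strings of an allowed length that pass Luhn are accepted."""
    return pan.isdigit() and len(pan) in allowed and luhn_ok(pan)


class SrcSystem:
    """Toy SRC system: stores one card per e-mail, issues codes, returns tokens."""

    def __init__(self, device_binding: bool):
        self.device_binding = device_binding   # the optional control from step 5
        self._key = secrets.token_bytes(32)    # assumed server-side tokenization key
        self._cards = {}                       # email -> {"pan", "token", "device"}
        self._codes = {}                       # email -> one-time code awaiting entry
        self._trusted = set()                  # (email, device_id) pairs

    def send_code(self, email: str) -> str:
        """Step 4: one-time code for the address of record (returned here, not e-mailed)."""
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._codes[email] = code
        return code

    def _consume_code(self, email: str, code: str) -> bool:
        expected = self._codes.pop(email, None)   # single use: a reused code fails
        return expected is not None and hmac.compare_digest(code, expected)

    def _token_for(self, pan: str, device_id: str) -> str:
        # With binding on, the enrolling device is part of the token's derivation;
        # a keyed hash stands in for whatever algorithm a real program uses.
        material = f"{pan}|{device_id if self.device_binding else ''}".encode()
        return hmac.new(self._key, material, hashlib.sha256).hexdigest()[:24]

    def register_card(self, email, pan, device_id, code, allowed=CLICK_TO_PAY_LENGTHS):
        """Steps 2-5: validate the card, verify the code, hand a token to the merchant."""
        if not acceptable_pan(pan, allowed):
            raise ValueError("card number not accepted by this widget")
        if not self._consume_code(email, code):
            raise PermissionError("one-time code rejected")
        token = self._token_for(pan, device_id)
        self._cards[email] = {"pan": pan, "token": token, "device": device_id}
        return token

    def trust_device(self, email: str, device_id: str) -> None:
        """Consumer opts to skip the one-time code on this device."""
        self._trusted.add((email, device_id))

    def checkout(self, email: str, device_id: str, code: str = None):
        """Returning purchase: e-mail plus code (unless trusted device), then payment data."""
        card = self._cards.get(email)
        if card is None:
            return None
        if (email, device_id) not in self._trusted:
            if code is None or not self._consume_code(email, code):
                return None
        if self.device_binding and card["device"] != device_id:
            return None   # token may only originate from the device it was bound to
        # Whether the PAN itself is shared is left to program rules; only the
        # token and the last four digits are returned here.
        return {"token": card["token"], "last4": card["pan"][-4:]}
```

Running the same e-mail and a valid fresh code from a second device succeeds only when `device_binding` is off, which is the implementation-dependent gap the paper raises later about early SRC deployments.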

12.4 EMVCo SRC Standard Components

The unprecedented collaboration between the card companies and EMVCo has delivered a complex standard with many participants and roles:

• SRC program: Responsible for the policies and processes associated with the oversight of SRC participants within an SRC system. This role is expected to be performed by the card companies.

• SRC system: Orchestrates all activities between participants and manages technical aspects of the SRC program. This role is also fulfilled by the card companies.

• Digital shopping application: A payment application (on the merchant side) driving the consumer experience for SRC. This function can be provided by the merchant or a payment service provider.

• SRC initiator: Supports checkout and/or the secure retrieval of payment data from the SRC system on behalf of a digital shopping application. This is provided by merchants or their payment service providers.

• SRC participating issuer: Issuers who decide whether to enroll their payment cards with a given SRC system.

• Digital card facilitator: Holds payment card data and makes it available to support the checkout process. The role is rather open and, while card companies’ payment wallets — such as the replacements for Masterpass and Visa Checkout — could fulfil this role, the question is whether the role is open to any other participants and, if so, under what conditions.

Understanding these roles is important because rules and regulations for these programs flow from the top. Both Visa and Mastercard have introduced SRC programs but few details have been published publicly about their implementation, especially about rules and fees.

12.5 Issues with the Development of the SRC Standard

The history of SRC reveals a pattern of the card companies trying to create a card-biased future for remote payments. The EMVCo SRC standard was developed in a closed collaboration between the card companies that own EMVCo, primarily Visa, Mastercard and American Express. Early versions of the SRC standard were developed with little influence outside of the card companies but, given the continued volume growth in the web and mobile commerce channels, industry stakeholders clamored for the opportunity to provide input.*

* In 2017, consumers spent $453.46 billion on the web for retail purchases, a 16.0% increase over 2016. Overall, e-commerce accounted for 49% of the growth seen in retail in 2017. https://www.paymentscardsandmobile.com/major-card-schemes-set-for-simpler-e-commerce-via-emvcos-secure-remote-commerce/


After considerable pressure, and in an unprecedented move, EMVCo released a draft standard – “Version 0.9” – for public comment in the fourth quarter of 2018. However, the public was given only forty-five days to review 329 pages of technical content with no context beyond the published 30-page high-level framework. Despite requests for clarification and for opening of the standard from the broader market, little changed from the draft standard when the final Version 1.0 was published in June 2019. In a prime example of its flawed structure, EMVCo purports to allow others the opportunity to be heard, and “have a voice”, but, in the end, no one outside the core owners can really influence outcomes. Shortly thereafter the card companies announced their plans to launch Secure Remote Commerce programs during the latter part of 2019. Based on the timing of these announcements and the publication date of the final Version 1.0, the card company product plans were likely developed based on a draft specification prior to public input.

Despite EMVCo’s claims of incorporating extensive industry feedback during this review process, sources interviewed for this paper (who wished to remain anonymous because of the nonpublic nature of their discussions) reported having been left with many unanswered questions about the participation of U.S. unaffiliated debit networks and the ability of merchants to route transactions to the networks of their choice. Participants also reported questions about key roles and responsibilities that were delegated to the card companies.

12.6 Industry Concerns with the SRC Standard

EMVCo leaves many SRC operational implementation choices to the sole discretion of the card companies. Although the use of 3-D Secure and tokenization is optional, there are major concerns that the choice and routing limitations experienced with other EMVCo standards will be replicated within SRC. EMVCo states that use of non-EMV tokens and routing decisions are outside the scope of the SRC standard and leaves those decisions to the card companies, potentially limiting the choice of products or solutions that support enhanced security and competitive choice for merchant routing.

The rules and regulations for SRC programs are proprietary to the card companies. EMVCo has chosen to defer to its member owners in strategic areas where the companies can leverage their market strength to create entry barriers for competitors. SRC threatens PayPal, Alipay, Google Pay and Amazon Pay by potentially limiting their participation in SRC programs. Such reduction in competition would also affect merchants’ and consumers’ choices.

Merchants are also concerned that they might not be able to incorporate or prioritize their own proprietary payment products within SRC digital card facilitators. Despite feedback provided during the draft specification public comment period, the initial Version 1.0 specification does not allow a merchant or consumer to prioritize the payment cards within the candidate list presented to the consumer within SRC checkout on a merchant’s own website. Mastercard has subsequently pushed EMVCo to modify the standard to enable prioritization within the candidate list of its co-branded cards. However, the optimal solution calls for merchant and consumer choice of that prioritization for all cards within and outside of SRC.

BasedonSRCprogramhierarchy,ahigh-levelreviewof both the SRC framework and draft standard aswellasreviewoftheearlySRCimplementations,weidentify potential outcomes that could negativelyimpactotherpaymentindustrystakeholders:

• In theory,merchants can create their ownproprietary SRC programs. However, bothnetworkshave communicated that existingwallets, such as the reincarnated VisaCheckout andMasterpass, will be the firstones to transition consumers to SRC. BothVisa and Mastercard have been able tolaunch their SRC programs in October of2019 due their “inside” view into thedevelopment of the standard throughEMVCo.NeitherEMVCo,VisaorMastercardhavepublishedtheirimplementationguidesformerchantsatlargetoconsidertheeffort,investment, or opportunity of taking thisstep.

Page 50: Payment Insecurity V0.1 (2 Columns)-c2 · in furtherance of private companies’ preferences alone, the public benefit of the standards will be reduced, or even eliminated. EMVCo

Payment Insecur i ty How V i sa and Mas te r ca rd Use S tanda rd Se t t i ng to Re s t r i c t Compet i t i on and Thwar t Payment s I nnova t ion

Copy r i gh t © 2019 Re ta i l P aymen t s G loba l Consu l t i n g , L . L . C . Page - 50A l l r i gh t s r e se r ved

• Early merchant implementations show thedigitalcard facilitatororwallets tobeare-incarnation of Visa Checkout andMasterpass. There can be multiple digitalcard facilitators connected to one SRCprogram, but it is the SRC program thatdetermines the facilitator selectioncriteria.*44 These criteria arenotdefined inthestandardandarelefttothediscretionofthe SRC program owners. Will the cardcompanies, in their roles as SRC programowners, limit or deprioritize facilitatorsotherthantheirown,limitingcompetition?

• Alltheaccountinformationstoredindigitalcard facilitators iscard-basedanddoesnotprovide for any other type of account.Payment card data as defined in thestandard is an 11- to 19-digit accountnumbergeneratedwithinrangesassociatedwithabankidentificationnumberbyacardissuer.† This automatically limits paymentinstruments to cards, preventing anycompeting payment methods fromparticipating.

• TheEMVCostandardleavestothediscretionof the SRC programs whether to sharepayment data beyond the token, expirydate, and other relevant informationrequired to process a payment.Merchantsareconcernedthatthecardcompaniesmaychoose not to share other importantinformation such as the primary accountnumber,bankidentificationnumberorcardproduct type, all important elements formerchants to decide their routing andprocessingoptions.

• The EMVCo standard offers choices with regards to the level of security enabled, which suggests security is dependent on the SRC implementation. For example, device binding may not be implemented in the initial market deployment by one SRC system while another SRC system may choose to enable device binding upon the initial market deployment. An open payment standards body should be setting standards that meet minimum security requirements based on collective aggregate input from all stakeholders versus leaving those decisions to the card companies, which are the early implementors.

• The implementation by each SRC program imposes costs, rules and requirements that are set by the card companies. This creates a large concern for merchants as to what SRC will do to their total cost of payments: Will there be a fee for associating third-party digital card facilitators to an individual SRC program? Will there be a digital card facilitator fee to resolve a request for payment data to the merchant or to provide additional payment data? Will Visa and Mastercard also assess additional fees for their tokenization services, as was originally suggested when the Visa Token Service and Mastercard Digital Enablement Service were introduced? Will Visa and Mastercard, the two initial SRC program owners, charge an additional fee for processing transactions through their SRC systems?

Finally, although merchants’ acceptance of SRC has been communicated initially as a choice, it is concerning that card companies could, in the future, mandate merchants’ participation under their proprietary rules. Smaller merchants may not have a choice of SRC participation as they are heavily dependent on their payment service providers. In addition, the card companies may use financial penalties or incentives to force merchant adoption of SRC and restrict competition on merchants’ checkout pages.‡

* The SRC Program establishes proprietary criteria that define the selection of a specific Digital Card Facilitator.

† Although the standard specifies 11 to 19 digits, the early implementations of SRC by Visa and Mastercard under the banner “Click to Pay” limit the types of forms of payment even further by only allowing account numbers of 15-16 digits in length.

‡ There is a precedent for this behavior. In the early 1990’s Visa established the electronic interchange reimbursement fee, also known as EIRF, to incent merchants to adopt electronic authorization rather than continue using floor limits. It is, therefore, reasonable to be concerned that the card companies could price non-SRC transactions at a higher interchange.


12.7 Conclusion

In theory, some of the ideas behind SRC are good: lowering fraud while enhancing consumers’ experiences are hard to argue against. Complaints are not with the concept behind SRC, but with the development of this standard without meaningful public input. EMVCo claims standardization and interoperability justify SRC’s existence, but EMVCo is a closed environment providing prioritized benefit to its owners. At this time there is no indication that SRC will be interoperable with unaffiliated debit networks or any other competing system, other than general oral representations at public forums that “nothing will change” with regards to processes behind the button. If history is an indicator, SRC will be restricted to the card companies’ brands and products, just as all of EMVCo’s other standards have restricted competitive products and services.

EMVCo claims that it “has the strategic breadth, industry knowledge and technical ability, coupled with a proven record of specification delivery, to facilitate the development of secure and interoperable remote payment solutions ... that maintain compatibility with the existing payment infrastructure.” [45] What is clearly missing from this list is an open and inclusive environment for all stakeholders to participate and affect outcomes.

With SRC, the card companies are leveraging EMVCo standards in a bid to limit competition in online commerce. Cards are losing market share to alternative payment methods, and their own Visa Checkout and Masterpass were dismal failures. The card companies’ concern for e-commerce customer experience is a veil for revitalizing card-brand dominance in online commerce. Merchant and consumer groups are justified in their growing skepticism about SRC even as the card brands continue to increase their drumbeats for premature adoption that preempts both present and future competition.


PART IV — CONCLUSIONS

13. CONCLUSIONS

The questions asked in the beginning of this paper were:

• Is EMVCo furthering the entire U.S. payments industry or simply protecting Visa and Mastercard’s market share?

• Is EMVCo capable of developing standards in areas beyond its original charter, and are these standards delivering more efficient and secure payments?

• Is the U.S. payments industry’s competitive landscape being hurt by allowing EMVCo to establish broad payment standards, and should this work be performed by true open standards-setting bodies?

13.1 Is EMVCo Protecting Visa’s and Mastercard’s Market Share?

Yes. EMVCo is a vehicle for collusion among the card companies on payment standards. Visa and Mastercard use this process to jointly work on technology and processes that benefit them, preserving or increasing their market dominance, while stifling the emergence of any competition. The card companies hand their work to EMVCo, which turns it into standards, giving the patina of credibility to technology that is biased in favor of the card companies. Despite claiming to only create “specifications,” EMVCo produces standards implemented in a near-identical manner by the card companies and, when EMVCo releases standards, the card companies are immediately ready to implement them because the card companies are EMVCo and they design the standards to meet their needs.

Visa’s and Mastercard’s obfuscation efforts to create the impression that EMVCo is an independent organization are unconvincing. EMVCo’s Board of Managers is made up exclusively of long-term card company employees, none having less than 10 years’ tenure. These individuals function without any checks from other sectors of the U.S. payments industry, such as bankers, merchants or consumers, to counterbalance their perspective.

EMVCo operates in opacity and with no accountability to anyone but its owners. The input provided by its technical and business associate members is limited almost entirely to card payment processing companies that need to understand the impact of the new standards on their own platforms. Because all decision-making powers are limited to only EMVCo’s owners, merchants recognize that joining EMVCo is not effective and are underrepresented.

EMVCo claims to be the representative of the global payments industry. This paper concludes that EMVCo is not an appropriate standards body and does not represent the industry. True standards are developed in a collaborative manner in open forums with diverse and inclusive representation of all stakeholders. That is not the case with EMVCo, which is structured to deliver standards that benefit only the card companies and protect their market share.

13.2 Is EMVCo Capable of Developing Standards in Areas Beyond its Original Charter?

No. Throughout its history, EMVCo has sacrificed payment security for the convenience of the card companies and for retaining or increasing those companies’ transaction volume. Its standards constantly limit merchant choice for transaction routing, in violation of U.S. federal law. This paper concludes that:

• EMVCo betrayed its own charter to provide secure chip card payments by acquiescing to, and ultimately supporting, Visa’s 20-year-plus battle against U.S. PIN-based networks and Visa’s insistence on chip and signature instead of PIN.

• EMVCo introduced a complex, expensive and unwieldy system for mobile payments using near-field communication technology because it protects the status quo of its owners while preempting the work of other standard-setting organizations and preventing competitors from entering mobile payments;

• EMVCo co-opted tokenization standards work from other organizations and developed an anticompetitive tokenization standard that discriminates against debit networks and non-card forms of payment.

• EMVCo ignored the work of the FIDO Alliance and W3C regarding open standards for authentication that would have also been available to non-card payment systems, instead adapting the card companies’ 3DS system to preempt the market from competitive solutions.

• EMVCo is now preempting the market and coopting standards for e-commerce by asserting itself as the “representatives of the payments community” to develop a Secure Remote Commerce standard that will make it difficult to route transactions through unaffiliated debit networks, create higher dependence on the card companies and increase merchants’ payment processing costs.

13.3 Is the U.S. Payments Industry’s Competitive Landscape Being Hurt by Allowing EMVCo to Set Standards?

Yes, the United States lags many countries when it comes to payments. QR code-based mobile payments are the norm in many Asian countries, for example, while tap-and-go contactless payments have been widely adopted in the United Kingdom, Canada and Australia, and both UK and European consumers have access to real-time bank transfers. Consumers in these countries have more options to pay that are convenient to them, whereas merchants also benefit as competition keeps payment costs lower than what U.S. merchants pay.

Meanwhile, the card companies, primarily Visa and Mastercard, use EMVCo as their surrogate as they seek to foster an archaic, card-based environment that is one of the most expensive and fraud-prone systems in the world. EMVCo missed the mark in selecting NFC instead of opening mobile payments to other technologies such as QR codes, and stifled new possible payment systems by implementing a narrow tokenization standard that cannot accommodate other payment methods.

While EMVCo claims to promote “compatibility” and “interoperability” in order to provide “secure” transactions, those are code words for control and preservation of the status quo for card companies. EMVCo standards exclude other forms of payment and create barriers to merchant choice in a way that is continuous and stifling. EMVCo’s de facto standards cause all payment industry participants, including merchants, card-issuing banks and merchants’ “acquiring” banks, to spend millions of dollars on implementation. Doing so all but eliminates the possibility of investing in alternative payment methods.

It is our conclusion that the U.S. payments industry is being harmed by the card companies and EMVCo. The setting of payment standards for topics such as authentication and tokenization should be migrated away from EMVCo to independent and neutral national or international standards-setting bodies. EMVCo’s collusion with the credit card companies has put profits ahead of security, driven up costs for businesses and consumers alike, and has left the United States with a fraud-prone payment card system even as fraud has been reduced in the rest of the world.


PART V — ENDNOTES

1. “A Guide to EMV Chip Technology Version 3.0,” EMVCo, December 18, 2017, https://www.emvco.com/terms-of-use/?u=wp-content/uploads/documents/A-Guide-to-EMV-Chip-Technology-v3.0-1.pdf.

2. Claire Greene and Joanna Stavins, “The 2017 Diary of Consumer Payments Choice,” Diary of Consumer Payments Choice by the Federal Reserve Bank of Atlanta no. 18-5 (2018), https://www.frbatlanta.org/banking-and-payments/consumer-payments/research-data-reports/2018/the-2017-diary-of-consumer-payment-choice.aspx.

3. “The Federal Reserve Payments Study: 2018 Annual Supplement,” the Federal Reserve System, December 2018, https://www.federalreserve.gov/newsevents/pressreleases/files/2018-payment-systems-study-annual-supplement-20181220.pdf.

4. Jim Daly, “Interlink Starts Growing Again And Visa Prospers Despite Legal and Regulatory Uncertainties,” Digital Transactions, July 24, 2013, http://www.digitaltransactions.net/interlink-starts-growing-again-and-visa-prospers-despite-legal-and-regulatory-uncertainties/.

5. Douglas King, “Chip-and-PIN: Success and Challenges in Reducing Fraud,” Retail Payments Risk Forum Working Group of the Federal Reserve Bank of Atlanta, January 2012, https://www.frbatlanta.org/-/media/documents/rprf/rprf_pubs/120111wp.pdf.

6. “The WTO Agreements Series: Technical Barriers to Trade,” World Trade Organization, 2014, https://www.wto.org/english/res_e/publications_e/tbttotrade_e.pdf.

7. “Global Standards: Building Blocks for the Future,” U.S. Congress Office of Technology Assessment, https://www.princeton.edu/~ota/disk1/1992/9220/9220.PDF, 101.

8. Masami Tanaka, “Tools for leaders – Demonstrating and exploiting the benefits of standards,” ISO Focus+, June 2010, vol. 1(6): 1, https://www.iso.org/files/live/sites/isoorg/files/news/magazine/ISO%20Focus%2B%20(2010-2013)/en/2010/ISO%20Focus%2B%2C%20June%202010.pdf.

9. Edwin Mansfield, Microeconomics: Theory and Application (New York, NY: W. W. Norton, 1970).

10. “A Guide to EMV Chip Technology Version 3.0,” EMVCo, December 18, 2017, https://www.emvco.com/terms-of-use/?u=wp-content/uploads/documents/A-Guide-to-EMV-Chip-Technology-v3.0-1.pdf.

11. Ibid.

12. Tim Büthe and Walter Mattli, The New Global Rulers: The Privatization of Regulation in the World Economy (Princeton: Princeton University Press, 2011).

13. “A Guide to EMV Chip Technology Version 3.0,” EMVCo, December 18, 2017, https://www.emvco.com/terms-of-use/?u=wp-content/uploads/documents/A-Guide-to-EMV-Chip-Technology-v3.0-1.pdf.

14. Carl F. Cargill, “Why Standardization Efforts Fail,” Standards 14, no. 1 (2011), doi: http://dx.doi.org/10.3998/3336451.0014.103.

15. “EMVCo Operating Principles,” EMVCo, 2017, https://www.emvco.com/wp-content/uploads/2017/03/EMVCo-Website-Content-8.0-Operating-Principles-PDF_v1.1-1.pdf.


16. Douglas King, “Chip-and-PIN: Success and Challenges in Reducing Fraud,” Retail Payments Risk Forum Working Group of the Federal Reserve Bank of Atlanta, January 2012, https://www.frbatlanta.org/-/media/documents/rprf/rprf_pubs/120111wp.pdf.

17. Ibid.

18. United States of America v. Visa U.S.A. Inc., Visa International Corp., and Mastercard International Incorporated (98 Civ. 7076 BSJ), U.S. District Court, Southern District of New York, filed 10-9-2001.

19. Allie Johnson, “U.S. credit cards becoming outdated, less usable abroad,” CreditCards.com, October 1, 2008, https://www.creditcards.com/credit-card-news/outdated-smart-card-chip-pin-1273.php.

20. Robin Sidel, “Debit-Card Use Overtakes Credit,” The Wall Street Journal, May 1, 2009, https://www.wsj.com/articles/SB124104752340070801.

21. “Debit Card Use Remains Robust in Midst of Economic Downturn,” Pulse, June 14, 2010, last accessed July 11, 2019, https://www.pulsenetwork.com/news/archive/2010/debit-use.html.

22. “Visa Recommended Practices for EMV Chip Implementation in the U.S.,” Visa, July 11, 2012, https://technologypartner.visa.com/Download.aspx?id=153.

23. “Visa Announces Plan to Accelerate Chip Migration and Adoption of Mobile Payments,” Visa, August 8, 2011, https://usa.visa.com/about-visa/newsroom/press-releases.releaseId.8916.html.

24. Ibid.

25. “Mobile Proximity Contactless Payment FAQ #1,” EMVCo, July 2008, https://2426-9805.el-alt.com/best_practices.aspx?id=162.

26. “Contactless Mobile Payment Architecture Overview,” EMVCo, June 2010, https://www.emvco.com/wp-content/uploads/documents/Contactless_Mobile_Payment_Architecture_Overview_2010062808363068.pdf.

27. “EMV Contactless Specifications for Payment Systems, Book A, Architecture and General Requirements Version 2.1,” EMVCo, March 2011, https://www.emvco.com/wp-content/uploads/2017/05/Book_A_Architecture_and_General_Rqmts_v2_6_Final_20160422011856105.pdf.

28. Fumiko Hayashi and Terri Bradford, “Mobile Payments: Merchants’ Perspectives,” Economic Review, Federal Reserve Bank of Kansas City, Second Quarter (2014): 33-58, https://www.kansascityfed.org/~/media/files/publicat/econrev/econrevarchive/2014/2q14hayashi-bradford.pdf.

29. “QR Code Specification for Payment Systems (EMV QRCPS) Consumer-Presented Mode, Version 1.0,” EMVCo, July 2017, https://www.emvco.com/wp-content/uploads/documents/EMVCo-Consumer-Presented-QR-Specification-v1-1.pdf.

30. “QR Code Specification for Payment Systems (EMV QRCPS), Merchant-Presented Mode Version 1.0,” EMVCo, July 2017, https://www.emvco.com/wp-content/uploads/documents/EMVCo-Merchant-Presented-QR-Specification-v1-1.pdf.

31. “Visa Best Practices for Data Field Encryption Version 1.0,” Visa, October 5, 2009, https://bd.visa.com/dam/VCOM/global/support-legal/documents/bulletin-encryption-best-practices.pdf.

32. “Visa Best Practices for Tokenization Version 1.0,” Visa, July 14, 2010, https://usa.visa.com/dam/VCOM/global/support-legal/documents/bulletin-tokenization-best-practices.pdf.


33. “Testimony of David Fortney, The Clearing House Payments Company, House Committee on Financial Services Subcommittee on Financial Institutions and Consumer Credit,” Subcommittee on Financial Institutions and Consumer Credit, March 5, 2014, https://www.theclearinghouse.org/-/media/files/association-related-documents/20140305-david-fortney-testifies-on-tokenization.pdf.

34. Jim Daly, “Interlink Starts Growing Again And Visa Prospers Despite Legal and Regulatory Uncertainties,” Digital Transactions, July 24, 2013, http://www.digitaltransactions.net/interlink-starts-growing-again-and-visa-prospers-despite-legal-and-regulatory-uncertainties/.

35. “Merchant community coalesces behind open process for security standards to better protect U.S. businesses and consumers from cybercriminal activity,” PR Newswire, July 28, 2014, https://www.prnewswire.com/news-releases/merchant-community-coalesces-behind-open-process-for-security-standards-to-better-protect-us-consumers-and-businesses-from-cybercriminal-activity-268879481.html.

36. “Mastercard, Visa and American Express Propose New Global Standard to Make Online and Mobile Shopping Simpler and Safer,” Mastercard, October 1, 2013, https://newsroom.Mastercard.com/press-releases/Mastercard-visa-and-american-express-propose-new-global-standard-to-make-online-and-mobile-shopping-simpler-and-safer/.

37. Ibid.

38. “EMV Payment Tokenisation Specification - Technical Framework v1.0,” EMVCo, March 10, 2014, https://www.emvco.com/wp-content/uploads/documents/EMVCo_Payment_Tokenisation_Specification_Technical_Framework_v1.0.pdf.

39. “The Fed Wants To Clean Up Token Confusion,” Pymnts.com, September 29, 2014, https://www.pymnts.com/in-depth/2014/the-fed-wants-to-clean-up-token-confusion/.

40. “Visa CEO Predicts a ‘Relatively Easy’ Conversion to the New Secure Remote Commerce System,” Digital Transactions, October 24, 2019, http://www.digitaltransactions.net/visa-ceo-predicts-a-relatively-easy-conversion-to-the-new-secure-remote-commerce-system/.

41. “EMV Secure Remote Commerce Technical Framework - Version 1.0,” EMVCo, November 1, 2017, https://www.emvco.com/wp-content/plugins/pmpro-customizations/oy-getfile.php?u=/wp-content/uploads/documents/Secure-Remote-Commerce-Framework-FINAL-v1.0.pdf.

42. Ibid.

43. “EMVCo, FIDO Alliance, and W3C Form Interest Group to Enhance Security and Interoperability of Web Payments,” W3C, April 17, 2019, https://www.w3.org/2019/04/pressrelease-wps.html.en.

44. “EMVCo Secure Remote Commerce Specification, Version 0.9 DRAFT,” EMVCo, October 19, 2018, https://www.emvco.com/wp-content/uploads/documents/EMVCo-Secure-Remote-Commerce-Specification-v0.9-2.zip.

45. Ibid.