Paypass, Paywave and Expresspay, a nightmare for developers

We have been developing contactless EMV level 2 kernels since two years for the various payment schemes, and I must admit: it is a nightmare. There are obstacles everywhere. One of the biggest issues (or stupidities) is, that Visa, Mastercard and American Express cannot agree on a common specification. Not to mention the totally different certification processes. Under these circumstances, what does EMV stand for?

Maybe we start from an earlier point in EMV history. In the early days EMV was standing for Eurocard, Mastercard and Visa to develop a worldwide common standard to process card payments. That really worked well in the contact (chip card) environment. There is one specification and one certification process. EMV recommends to take around 18 month time to develop and certify a contact kernel. The certification is good for Visa, Mastercard and Amex. Perfect. That way, everybody can calculate their development cost plus around euro 50’000 for test tools and certification fees. Something between 200’000 and 400’000 Euro is a normal value.

With NFC things changed. Visa, MaterCard and Amex have their own implementation specifications for the EMV Level 2 contactless kernel. Also the certification cannot be done at one single place. You must do a certification for each kernel at an accredited certification laboratory. As you can imagine you also need several test tools to be able to prepare for certification. Now you can recalculate the cost for development and certification for a contactless kernel. Just multiply everything by three. Ok, that might be a bit exaggerated, but you will face double the cost as for a contact kernel, for sure.

But know, since the contactless stuff is still in a pre-birth (embryonic) state, things like specifications, test tools and certification processes change a lot. To give you an example: with the Expresspay Contactless Kernel we had to pass around 500 test cases. After we were down to 5 unpassed tests, we received a new version of the test tool that sent us back to around 300 unpassed tests. That means they fixed over half of their tests? This game went on three times until we had a test tool that was ok and free of bugs. Annoying or nightmare-ish. Or think of developing Paypass 2.1 versus Papass 3.0. This is basically a totally new specification and you can almost redevelop everything from scratch to pass the 3.0 certification. This multiplies the cost by 3 or 4 times, for sure.

And why do we have to do this? To process maybe one percent of all the transactions contactless? That’s a lot of pain and a very small gain.  I hope the industry is not starting to hate NFC before it starts. Or; does NFC really start or will it be a stillborn child of some technology freaks?

I would love to see some comments of fellow developers or card scheme people. Maybe we did everything wrong or we have a lot of suffering friends out there. Please drop a comment.



Visa plans to accelerate acceptance/use of EMV cards in U.S.

EMV Deployment Map (September 2010)

In Summer 2011 Visa announced plans to accelerate the acceptance and use of EMV cards throughout the U.S. EMV cards are also known as IC or Chip cards. This announcement was no surprise as EMV has been a long accepted standard through Europe and Asia. However, to make the entire network EMV ready requires all the participants in the market to adapt their systems. Chip cards will need to be issued, the acquirer/processors must adapt their host systems and the terminals at the POS will need to be replaced.

Accompanying the announcement Visa published a road map stating the following:

  1. Visas Technology Innovation Program (TIP) will be expanded into the U.S., effective October 2012.
    This means Visa will waive the annual validation of a merchant’s PCI/DSS compliance, as long as at least 75% of the merchant’s transactions originate from dual-interface EMV terminals. Dual-interface terminals are terminals that can process contact and contactless EMV transactions.
  2. All participating acquirer/processors have to make their systems EMV ready by April 2013.
  3. Visas global POS Counterfeit Liability Shift Program will be extended into the U.S., effective October 2015 (two years later for petrol merchants).
    This program will transfer the liability for fraud originating from non-EMV transactions to the acquirer/processor, and as a result to the merchant as seen in other countries.

This plan clearly focuses on two goals:

  1. Reducing fraud.
  2. Setting the benchmark for NFC based card acceptance (for example; contactless payment by card or mobile phone).

In recent years the U.S. has been an easy target for fraud. In 2008, fraudulent transactions made up 0.04% or USD 8 billion of the complete U.S. turnover of credit card transactions. Card numbers are being stolen all across the world and used in the U.S. to commit fraud. The predominant number of magstripe POS terminals makes this a relatively easy way to commit fraud. With the adoption of the liability shift program one large fraudulent region will be eliminated, as seen in other countries that already run the program. Once this has been achieved, the question remains: Where will the fraud move next? Until chip cards are used worldwide, magstripe fraud will remain a global problem.

Interestingly, the liability shift program is a sweet deal for Visa as it will instantly and largely increase the points of acceptance for NFC based cards. Conversely, it will be a cost intensive change for the merchants as it forces them into changing their POS infrastructure into dual-interface EMV terminals. This sets the ground for Visas contactless program Pay Wave and for mobile payment. Google already provides a nice solution with its wallet, where the phone emulates an NFC payment card.

This is where we believe it gets really interesting. In contrast to Europe where cardholder authentication through PIN is usually required, Visa aims for an online / non-PIN model in the U.S. which will pave the way for contactless transactions. Wave the card and that’s it, no PIN entry required. Issuers and acquirer/processors will be happy with this, as it lessens the costs and complexity on the card and the terminal.

In contrast to all of this, one can see an increasing market for “easy” magstripe transactions. Square, amongst others, provides an easy way for merchants to accept magstripe cards. Up to April 2011 Square has seen USD137M total flow. These payment solutions target small businesses and make it very easy to accept credit cards as a merchant. Common to all these solutions are high transaction fees for the merchant and the full risk of chargebacks. What some people might not know is that Visa invested in Square. There seems to be a two way strategy in pushing the mid and large size businesses into accepting contactless EMV cards and enabling small businesses to accept credit cards on their full risk. Clearly a winner for Visa! But what do they actually do for it?

In the longer term magstripe transactions will disappear. Issuers will simply stop issuing magstripe cards. This has already started in some Eastern European countries. The main reason is fraud, but also because there is new technology that makes cards obsolete. The “card” itself might not be a “card” anymore, but a mobile phone, key fob or all sorts of mediums carrying the chip. While it may take several years to fully implement, it is interesting to wonder how small businesses will be targeted.