On Wednesday, April 27, MasterCard unveiled M/Chip Fast, which is almost identical to Visa’s Quick Chip For EMV. Both approaches cut down on some authentication so that the EMV card can be removed a couple of seconds after the shopper dips it. And both Visa and MasterCard are pushing it only for retailers that have the greatest need for speed, which has the unfortunate result of guaranteeing vastly different EMV experiences as shoppers go from merchant to merchant.
In a GuestView this week, Mercator Advisory Group’s Tim Sloane argued that by encouraging different kinds of EMV experiences, the card brands might be impeding the rapid adoption of EMV.
In MasterCard’s statement, the brand said it was important that it join Visa’s effort and that EMV can only succeed through industry standardization. “MasterCard called for the industry to activate current action-oriented forums like the Payments Security Taskforce and the EMV Migration Forum to align behind a common approach to address perceptions of speed of a chip card transaction,” the statement said, before quoting Ajay Bhalla, president of enterprise risk and security for MasterCard, as saying, “Ultimately, we all want to deliver great experiences for consumers and merchants. That’s why we believe that M/Chip Fast or any similar product should be implemented in consultation with the industry. With that holistic view, interested merchants can easily integrate this with their current systems to provide both speed and security for all chip cards.”
In an interview, Bhalla stressed the need for standardization. “There should be a common standard for this,” he said.
Bhalla did say that MasterCard’s M/Chip Fast process was “very similar” to what Visa rolled out, but “the way the transaction is signed off on is a little different. The only difference is in the signing off.”
Sloane expressed some concern with how both approaches will deal with PIN updates.
“Mercator reviewed the Visa technology and, based on that review, we believe it will not be able to update the PIN. Consumers are hard pressed to remember a PIN that is randomly assigned to them, so issuers typically enable the user to assign their own PIN. They might ask for this before issuing the card, which eliminates the problem but increases card production complexity. In a prepaid card, the user is rarely known before the card is produced, eliminating that option,” Sloane said. “As a result, as prepaid cards become EMV enabled–think Social Security program—they will need the ability to update the PIN. If this Visa approach eliminates PIN updates then the issuer may need to direct the cardholder to a location that has PIN update support. Who will keep this list is unknown to me.”
Asked about the chip PIN update implications of M/Chip Fast, Bhalla said, “The PIN issue is not a big issue” and pointed out that “most banks allow you to change your PIN at the ATM.”
Bhalla also said he was not worried about the increased risk of a man-in-the-middle attack—which he confirmed was indeed “a theoretical risk” with these approaches—because MasterCard uses many “layers of security” along with “things happening behind the scenes.”
Both brands knew of these implementation options before the U.S. EMV liability shift about six months ago but opted to wait until late April to offer them. Speaking just for MasterCard, Bhalla said his team miscalculated how much shoppers and merchants in the U.S. would complain about the reader’s retention of the EMV card until the transaction was complete.
“We may have underestimated the behavior change that was needed after decades” of magstripe usage, he said. “There was a little bit of a mismatch in expectations” of merchants, he said, adding that he expects those concerns to dissipate somewhat over the next six months.