New study shows credit card industry has ignored security innovations

"Our payments system should be the strongest and most secure in the world,but we won't get there unless we change the way we set security standards."

NRF SVP and General Counsel Stephanie Martz

WASHINGTON – A new study conducted for the Secure Payments Partnership coalition shows that the U.S. credit card industry has failed to establish adequate security standards and that a neutral third party should be put in charge, the National Retail Federation said today.

“Millions of Americans have experienced credit card fraud and that’s unacceptable,” NRF Senior Vice President and General Counsel Stephanie Martz said. “Our payments system should be the strongest and most secure in the world, but we won’t get there unless we change the way we set security standards. This study shows that the card industry has repeatedly ignored innovations that could have given us a more secure system, and that cannot be allowed to continue. NRF remains committed to continuing our work with the card companies to find lasting solutions that will protect businesses and consumers alike.”

SPP today released “Payment Insecurity: How Visa and Mastercard Use Standard-Setting to Restrict Competition and Thwart Payment Innovation,” an in-depth study of EMVCo, an organization owned by the world’s six largest payment card companies that sets technical specifications for credit, debit and other payment cards. Conducted by the Retail Payments Global Consulting Group industry research firm, the report highlights a systemic pattern of decision-making by EMVCo that has put in place standards with diminished security that have led to increased fraud risk. Doing so has helped those card companies dominate the payments market, according to the report.

The 55-page paper concludes that the leadership of EMVCo has prioritized card companies’ market share over security, driven up costs for businesses and consumers and left the United States with a fraud-prone payment system that lags behind security standards in international markets. EMVCo claims to produce only technical “specifications” needed to ensure interoperability, but those specifications become de facto standards with implications far beyond technical compatibility. Because EMVCo is run by the major card companies, it is not an appropriate organization to develop standards with such widespread impact on the U.S. payments system, the paper says.

The report recommended that standards-setting be shifted from EMVco to a neutral national or international standard-setting body. The report shows:

  • Visa and MasterCard dominate EMVCo and ensure that it sets standards they can use to beat competitors.
  • EMVCo bolstered Visa’s 20-year-plus battle against allowing retailers to process transactions through competitors’ debit networks, resulting in the implementation of less-secure chip-and-signature EMV cards in the United States rather than the chip-and-PIN cards used in most of the rest of the world.
  • EMVCo adopted expensive, complex and difficult-to-implement technology such as near-field communication because it prevents competitors from entering the mobile payments market.
  • EMVCo adopted an anticompetitive tokenization standard that discriminates against debit networks and non-card forms of payment.
  • EMVCo ignored the work of other organizations such as the Fast Identity Online Alliance and World Wide Web Consortium in developing open standards for authentication that would have allowed competitors into the system.
  • EMVCo has introduced the Secure Remote Commerce standard, which purports to become a new integrated checkout platform for online payments but could make it difficult to route transactions through competitors’ debit networks, create higher dependence on the card companies and increase merchants’ payment processing costs.

EMVCo and the card companies have routinely dismissed innovations and new standards to maintain their dominance, according to the study. The paper highlights how EMVCo says its specifications promote “compatibility,” “interoperability” and “secure transactions” but contradicts these concepts with its own practices.

SPP was formed last year by NRF, other retail trade associations and card processing networks to push for stronger credit card security and focus on consumer expectations for security, convenience and flexibility in payment options.

About NRF
The National Retail Federation, the world’s largest retail trade association, passionately advocates for the people, brands, policies and ideas that help retail thrive. From its headquarters in Washington, D.C., NRF empowers the industry that powers the economy. Retail is the nation’s largest private-sector employer, contributing $2.6 trillion to annual GDP and supporting one in four U.S. jobs — 42 million working Americans. For over a century, NRF has been a voice for every retailer and every retail job, educating, inspiring and communicating the powerful impact retail has on local communities and global economies.