Security concerns heighten merchant group's call for voice on standards

With EMVCo's launch of the Secure Remote Commerce standard last year, the card brands felt they had developed a better way to protect payment credentials through a single "click to pay" button in a digital world.

Despite the buy-in of some major digital merchants like Netflix, the Secure Payments Partnership saw it as another example of how merchants are left out of the decision-making process when it comes to what occurs within the payments networks. Even more so, the SPP sees it as a potential power move by the card brands to have control over how mobile payments operate in the future.

Those different viewpoints reveal much about the conflict that continues to mount between the card brands and merchants. Merchants say they deserve more input and actual decision-making power and that payments should operate through completely open standards in which all involved parties have had a say.

At another key level, SPP says that if fraud continues to mount the way it has, it should translate to the need for taking a closer look at U.S. payments standards organizations and how they operate.

What's different with the SPP, however, is that unlike merchants in various class-action lawsuits against the card brands for antitrust and price-fixing violations, this coalition of merchant associations and debit payment networks wants a resolution outside the courts.

It isn't fixing for a legal fight, or rallying behind a vocal leader. In fact, the SPP doesn't have a designated president or other key positions. Instead, it intends to keep voicing its position as a whole that merchants should be front and center in helping to develop open standards and inviting more security innovation.

In that regard, the SPP's recent barrage on Twitter citing problems with EMVCo's operating methods is far different than the class-action antitrust settlement that has moved into an injunctive relief phase examining card brand rules and standards. Tweets citing the downside of EMVCo operations are simply a way for the SPP to keep pressing the matter.

"The lawsuit is more focused on Honor All Cards and price-setting, whereas the SPP is focused on security standards," said Doug Kantor, a partner at Steptoe & Johnson LLP and legal counsel for merchants and the Secure Payments Partnership. "There is some overlap, like in the EMV transition, but for the most part the SPP is concerned that EMVCo sets all of these standards without acting like a normal standards body."

The SPP formed in mid 2018 with founding members Food Marketing Institute, National Association of Convenience Stores, National Grocers Association, First Data's Star Network, and the Shazam debit network.

EMVCo for years has advocated openness and inclusivity in terms of gathering feedback, but its six members — Visa, Mastercard, Discover, American Express, JBC and China UnionPay — make the final decisions. No merchant or consumer group, nor a U.S. financial institution, has a voice on final standards decisions, Kantor said.

In its tweets and specifically a Dec. 6 white paper, SPP does not hold back in viewing the EMVCo operations as "a vehicle for collusion among the card companies on payment standards."

In a statement released to PaymentsSource, EMVCo said it was reviewing the Dec. 6 white paper published on the SPP website and delivered via Twitter, but expressed frustration with the latest SPP claims.

"Despite efforts to engage SPP, we are disappointed that this document was published without an opportunity for EMVCo to provide input or comment," the statement noted. "SPP's paper contains factual errors, lacks supporting data and fails to recognize the benefits EMVCo's open and flexible specifications deliver by facilitating interoperable, secure transactions worldwide."

In its role as a global technology body that has been operating for 20 years, EMVCo says its mission is to "facilitate worldwide interoperability and acceptance of secure payment transactions by evolving the EMV specifications."

EMVCo declined at this time to comment further on what it views as inaccuracies within the SPP report.

The SPP doesn't have an enormous presence on social media, with 113 followers on Twitter and less than half that on Facebook, but its message does align with other merchant organizations.

SPP claims EMVCo has "sacrificed payment security for the convenience of the card companies and for retaining or increasing those companies' transaction volume."

Instead, EMVCo should be seeking more input, inviting new innovations and giving merchants more say in the latter stages of the process, Kantor said.

"Mobile payments are an opportunity with the new technologies to really have a more open, competitive marketplace and see some big innovations," he added.
"The worry is that if you have a standard in there that Visa and Mastercard put into their rules, that cuts off the type of competition you want, and we may lose a generation of innovation in payments that we ought to get."

However, it's not easy to change how the networks view their roles in delivering payments and what it takes to do so, said Thad Peterson, senior analyst with Boston-based Aite Group.

"The networks logically develop standards and rules for their offerings, and it would be illogical for a payment network to develop standards and rules for other organizations," Peterson said. "Also, the networks consistently handle millions of transactions each day, so anything that they attempt to do related to changing processes or rules needs to minimize impact on throughput, and that's a difficult thing to do."

Still, the SPP looks at other standards setting bodies and views stark differences. The World Wide Web Consortium, or W3C, and the American National Standards Institute have active memberships open to all payments stakeholders, and all participating members define the mission and work to be done. Decision-making roles are available to all active members and their meetings are documented for public view, and an appeals process to resolve differences in standards is open to all members.

EMVCo has none of that, the SPP contends.

But it doesn't mean that collaboration between payments groups would be impossible, Aite's Peterson contends.

"The WC3 team is working in conjunction with EMVCo and the FIDO Alliance to deliver an integrated, secure platform that allows merchants to accept any kind of payment anywhere in the world," he said. "It would be great if SPP got involved in that effort, as it's a significant attempt to increase security and acceptance worldwide."

Even if such a collaboration could unfold, the SPP's view that the card brands aren't interested in a completely open process isn't likely to diminish without far more discussion.

"EMVCo has really set up these standards in a way that they can be imposed to protect Visa and Mastercard's market share, as opposed to just promoting the best payment security," Kantor said. "EMVCo has an advisory committee with merchants and community banks, but our position is that there is a night-and-day difference between being an advisory committee and being part of the decision-making body, which is how other standards organizations work."

There is no specific timetable for SPP to come forward with proposals or even seeking a summit with the card brands. But that could change if the SRC standard continues to move in a direction the merchants don't like.

"We are just going to keep plugging away at this," Kantor said. "There is a broad enough consensus that these folks could work together and make the necessary changes, and that would be the right way to go on this thing (rather than more legal tussles)."

UPDATE 01/08/20: Due to a technical error, the original version of this article was missing roughly two paragraphs from the middle, including part of EMVCo's statement.