In 2013 and 2014, more than 30% of all credit cards in the US were reissued due to fraud and major merchant customer databases being compromised (e.g. Target, Home Depot, Anthem and others). As a Card-Not-Present (CNP) merchant, we are sure you have been working hard to mitigate churn in your customers due to this. It’s a big issue! Think updating 30% of your cards on file is a challenge? Think again, the biggest disruption is right here, right now.
By October 2015, 100% of credit cards will be required to adhere to the new EMV standard. EMV, which stands for Europay, MasterCard, and Visa, is a global effort to ensure the security and global interoperability of chip-based payment cards. As a Card-Not-Present merchant, why should you care?
- 100% churn of your customer’s credit and debit cards Do you have a plan in place to overcome this challenge?
- Fraud will quickly move from POS to Online. Do you have a protection plan?
In this on-demand webinar, Paul Larsen, Founder and Managing Partner of PLC and our INSIDER Guide to Payment Processing, discusses why the new “Chip” Credit Cards will completely upend your Card-not-presence business – and how your business needs to prepare for these changes.
Full audio transcript:
Kathy G. Sexton: Hello everybody and I hope everybody’s having a great day. This is Kathy Greenler Sexton. If you are here to hear from Paul Larsen talking about chip cards and their impact on our bottomline, you are in the right place. Before we get started I want to let everybody know that questions are very, very much welcome. If you are on a desktop the chat window is on your lefthand side. There are some things on the top of your screen if you want to raise your hand or are not talking clear enough. The key thing is the chat window on your lefthand side.
If you are on a tablet, the chat window is also on the lefthand side and you have a few additional options just to enlarge your screen. With that I would like to welcome Paul Larsen. Welcome Paul.
Paul Larsen: Well thank you so much Kathy. It’s a pleasure to be on board here and to make everyone’s electronic acquaintance.
Kathy G. Sexton: Absolutely. I want to let everybody know just a little bit about Paul before we get started. He is the founder and managing director of Paul Larsen Consulting, otherwise know as PLC. Which is a consulting company that was founded in 2004 and it’s focused exclusively on payment processing. Prior to PLC, Paul has held a number of different roles in operations at publications like Readers Digest and ultimately was Director of Operations for the Synapse Group, which is one of the world’s largest magazine and subscription companies.
Paul is also Chairman of both Direct Response forum and the Payment Processor’s Association. [00:02:00] I have known Paul for years. He really understands payment processing and in a previous life, helped us win back revenue from payment processing in a way that was very, very dramatic. He does know his stuff.
Paul why don’t you tell everybody a little bit about PLC and obviously why you’re such an expert to talk about the chip cards that are going to impacting our businesses very shortly?
Paul Larsen: Thank you. We do concentrate primarily on subscription business. We wish we had the cure for cancer but commerce is good. Products and services that people like are good. Packaging and subscription form is great. Whenever that happens we love to make sure that those relationships between customers and merchants ultimately have the lifetime value they deserve. For a dozen years our consulting team has delivered payments optimization guidance to primarily subscription merchants. Here’s the thing – the reason for subscriptions is the provision of a service over time and made a reality through the development, maintenance and extension of lifetime value of that service. Plus, the worst possible scenario arises when those wonderfully cultivated customer relationships prematurely end even though neither party asked for that to happen.
The very purpose for our existence is to help merchants facilitate and protect customer relationships that are threatened primarily by credit card issues and problems over time. [00:04:00] I think that issue we’re going to discuss today … is notorious. The notorious EMV will in all likelihood have significant implications for ecommerce and subscription merchants.
Among the things that we want to accomplish on this call today is get our bearings regarding EMV. What is it really? Provide a brief history of its worldwide rollout. Point out the positive outcomes it has brought to bear wherever it’s become a reality. Honestly discuss the downside associated with its implementation. Finally and likely most importantly to all of us, we want to take some time to explore the means by which merchants. Especially subscription merchants can protect against and even overcome EMV’s consequences.
First, from what I hear I should always go back to the very beginning because it’s a very good place to start. Let’s define what EMV is in case you’re not familiar with it. EMV stands for EuroPay, MasterCard and Visa, representing chip technology and credit cards. These cards with embedded chips contain security information that helps authenticate transactions at retail point of sale. In most places where it’s been adopted, chip authentication has replaced magnetic strip authentication, which we [00:06:00] all in America are well familiar with. As we know, it’s still the current standard.
There are EMV options at point of sale that include chip and PIN. Chip and signature. In addition some chip cards also contain a magnetic strip. The thing to note is that in order for chip technology to work, point of sale equipment must be chip-enabled. Which again, has not been the U.S. standard to this point.
Since EMV was a joint effort initially conceived by Visa, MasterCard and EuroPay, which has since been folded into MasterCard, by the way. That’s why you don’t hear of it today. It makes sense that Europe was the first to utilize it. Here’s an abridged view of EMV’s global adoption. You can see that it has been progressively rolled out worldwide. There’s lots of other territories and countries and areas of the world where it’s been rolled out. You could see that it has there has been a conspicuous holdout. You know who that is. That’s the United States.
The question of course is why would we hold out? “We” being United States. We are first and foremost all about convenience. Reducing friction at any point of sale. Swipe, sign and go which today is practically just swipe and go, is about as [00:08:00] convenient as it gets. If you move to a chip and PIN area, now we have to take the time to read the chip. Enter information and by golly, another PIN to remember? Wow. What is that? Is that my PIN for my Chase Visa debit card? Is it … What’s the PIN for my CityBank MasterCard?
A lot of potential friction, which American merchants just don’t like. Plus, there’s huge expense implications both issuers and merchants. Issuers would have to produce, distribute, pay for millions of much more expensive chip cards. Merchants would have to purchase and replace all their existing point of sale equipment with chip-capable equipment.
The truth is that the U.S. would likely have continued to stonewall EMV. They would likely have continued to turn a blind eye to it but for two fairly recent seminal events. You know what they are. They were the point of sale breaches at Target and Home Depot. The fraud perpetrated through those two massive invasions both compelled and propelled the U.S. to finally embrace chip technology. Now we’re committed to it.
There’s some questions that are worthwhile asking. Such as, what actually happened in other places [00:10:00] where it was rolled out? Was it all good? Are there lessons we need to learn and events we need to prepare for that those other realms went through? There’s some real opportunity to do that because since we’re last to the party, there’s a lot of water under that bridge. One of the best places to take a look maybe the best two places to take a look are the two places that kind of mirror our culture.
Most definitely, that would of course be the U.K. We’ll look at what happened in the U.K. first. There we can see that there was nearly a seventy percent decrease in point of sale fraud post-EMV. It had not been widely adopted in two thousand and four. The mandate was announced it needed to be ready in 2006. They began to harness it in ’05 and by ’06. Fraud had really been curtailed at point of sale. The point of EMV seemed to be lived out in the U.K.
Obviously, when that happened and chip and PIN curtailed fraud and POS, we know that all the fraudsters gave up and went home. Right? No. Not really. Fraud at point of sale fell drastically, but fraud migrated progressively to [00:12:00] ecommerce as you can see from this chart.
In the U.K., EMV drove point of sale fraud down and ecommerce fraud up. What about Canada? What Canada did was five years after the U.K. There’s a five year lag, maybe something changed about the behavioral characteristics but as it turns out, not really. The blue line there represents point of sale fraud, which went down. The purple line represents ecommerce losses, which went up. Continue to go up as point of sale fraud continues to go down. Just about everyone attributes that to EMV.
What about the U.S.? What’s going to happen in the U.S.? Most forecast this is one forecast from the Group that is forecasting a rise in fraud losses because of EMV. I would say most forecasters believe there’s little reason to doubt that we’ll have a different outcome here.
Then the question is what to do about fraud? We’re going to talk about other issues as well, but what to do about fraud? First of all, I have to say that we’ve had over four hundred subscription merchants that we’ve helped. I would say that most of them have been lax in regards to fraud protection. [00:14:00] Especially those serving digital content and not hard goods. That’s going to have to change. It’s not going to just be about a decision whether or not to require CVV, which is going to have to do of course. That’s minimal.
You’re going to have to put yourself in a position to quickly implement fraud screening should a problem arise. Perhaps the best way to do that is to partner with a processing company that embeds tokenization, encryption, and fraud screening tools right into its frontend, into its authorization engine.
You can build it in-house if you have an in-house operation of course. You can do all sorts all sorts of things like IP address evaluation and velocity checking and things like that. There are great third party solutions out there that you … I won’t mention names but if you like to know more about those, we know those guys pretty thoroughly. In a lot of cases these days the major requirers have cake in these third party solutions and integrated them into their own payments platform. If you engage with one of them, then you have the fraud screening available if you need it. You may.
I was just reading on the Merchant Risk Council discussion board. A quote from a Vantive executive. This was just from this past weekend. “The good news is that EMV very effective at preventing the use of counterfeit cards at point of sale. The bad news is that EMV [00:16:00] is so effective at preventing fraud and point of sale that it has been historically shown to actively push fraud attacks to other channels. Only by combining multiple sophisticated fraud prevention tools, can CNP merchants in the U.S. expect to effectively minimize risk in the coming post-EMV payments environment.
My guidance is to think this through and put yourself in a position to grab the fraud tools you’ll need, should it ever happen. Protectively ahead of time begin to start to utilize those. Not least of which would be encryption.
There’s something else that we’re just as concerned about in terms of EMC which we think is what we know is a nasty byproduct of it. Especially for subscription companies. That is that every subscription is at risk. Nearly every credit card is going to be reissued with minimally a fresh expiration date. That means renewals will fail without updated information. There you see the rollout schedule for EMV in the United States. Probably by the end of the year sixty-eight to seventy-two percent of cards will have been reissued with chips. Then they’ll be slowly but surely until everything has chips by 2017.
[00:18:00] What’s going to happen is that … payments and subscriptions are at risk of imploding. We saw what happened when with the reissuance associated with the Target and Home Depot breaches. This graph shows the spike in account number changes as reported by a major processor who engages the account updater services on behalf of their merchants. You could see the two spikes. The first spike was the Target breach in which there was some shell shock and some not so quick decisions about whether or not to reissue cards. Eventually, forty to fifty million were reissued.
The second spike is the Home Depot. By that time they knew there’s going to be a lot of fraud perpetrated here. Credit cards were basically immediately reissued. You also see here at the end here the beginning of another rise. That is likely this third wave is likely related to EMV reissuance.
Look at what’s in my wallet. I don’t know what’s in your wallet but in my wallet is it’s far too much danger as far as credit. Here you see somewhat you see my five major credit cards. The bottom four are my own personal [00:20:00] cards. After those four personal cards, only one has been reissued with a chip. That is my Chase Visa on the bottom there. The other ones are still to come. That means there’s still a lot of churn to go.
The question then is how to protect against the churn caused by all this reissuance? Lots of other things impact the viability of a credit card over time. The only way to really crush involuntary churn caused by credit card issues and problems is to have a comprehensive decline prevention and recovery strategy that not only invokes the things I know most of you are familiar with. The recycling of declines. You need to have a recycling strategy for when declines fail.
What do I do with them? Hard, soft? How many times? What interval? You need to figure that out. This strategy not only needs to invoke recycling, it needs to invoke the account updater services. Any merchant who’s not been taking advantage of that over the past year and a half has just lost a lot of business that it never had to lose because of the reissuance associated with the Target and Home Depot breaches. You have to be part of the account updater services.
A lot of merchants, I know who have optimized scale expiration date tactics to help overcome that scenario. Today, each of those on their own isn’t quite enough. [00:22:00] The optimal thing to do is to leave them together in such a way as to create the tightest possible safety net for subscriptions. The bottom line is … EMV is coming to the U.S. Based on history, fraud will be reduced at retail point of sale. Based on history, fraud will increase online – subscription, retail, ecommerce.
Card Not Present merchants will have to enhance their fraud screening capability. Practically all U.S. cards will be reissued with chips. Subscriptions, memberships, installments will be at risk. Best practices exist that can crush the potential churn if optimally deployed. The good news for all of us is that we live in a subscription economy. Everyone one is the in revenue chain suffers when perfectly healthy subscriptions implode. That’s what Visa and MasterCard over the last dozen years have visually and industrially made available and encouraged the use of tools and weapons and dials and levers. Such as account updater to help keep subscriptions alive.
I trust that you’ll think long and hard about your strategy to meet and overcome the challenges associated with EMV. That’s really my overview of the situation and I’m happy to try to answer any questions [00:24:00] that folks might have.
Kathy G. Sexton: We actually have a few questions that have come in. This is I encourage everybody to ask lots of questions because Paul is here. Anything we can’t answer online, we’re certainly follow-up with you. Feel free to type something in the chat window. Paul, what in terms of if I am a small merchant, are some of the tactics that you’ve explained really out of reach in terms of what a small vendor can do? I’m just curious if you’re strategy in thinking in terms of tools and tactics change based on size of a subscription company.
Paul Larsen: That’s a great question. They’re as out of reach as the partnerships that you’ve engaged. Visa, MasterCard are irrespective of size of merchant. They make the tools available for overcoming this churn. They make those available through your credit card processing company. That’s how they’ve decided to do that. Rather than provide those tools directly to the merchant, they provide them to the merchant through your processor. We have many a startup – many a small company who, having made a good decision about who their processor should be, are able to feast at the same table of best practices that Netflix is able to feast at. Really so much is dependent on who your gateway/processor/acquirer is and whether or not they in fact [00:26:00] are trafficking in those tools.
Kathy G. Sexton: I think that’s important because a number of companies, they will either use subscription management add-ons to a content management platform such as WordPress, or they’re using an all-in-one subscription management platform, which limits their potential in terms of the tools that may be available. What do you recommend for the subscription providers in this webinar today? What do they need to look for and ask of their subscription management platform provider? Obviously, their gateway. What are the types of questions they need to be asking?
Paul Larsen: I would start with something really, really big and really, really specific. If you’re on a subscription engine of some sort, a platform, and you ask the question, can we … participate in account updater through you? The answer is “no,” that is an indication of the capability of that provider. There’s no more elementary and elemental necessity for subscription companies than that. That kind of tells you whether or not they’re really focused on subscriptions with a broad vision.
Then I wouldn’t … If the answer is no, I wouldn’t necessarily jettison them. I would try to have a discussion with them and let them know how important it could be to them to be able to provide this service on behalf of all of its customers. Again, they’re [00:28:00] being remunerated by the number of transactions that continually go through the system. The more they help retain, the better. This is all about retention and … I would start with that question right. If the answer is no then it’s indicative.
Kathy G. Sexton: That’s good point. I have a question here which mentions that several years ago you commented a large percentage of cardholders were over their credit limit. How has this changed in the past two to three years? Are trends in soft declines dropping? What are your thoughts on that?
Paul Larsen: The culture of the United States is still one of accumulating significant credit. That problem ends up usually being exacerbated by the state of the economy. State of the economy right now is not as dire as it was just a couple of years ago. That being said, soft declines are probably down overall a little bit. Again, to change U.S. culture, American culture, is hard to do. Its still insufficient funds – is still clearly the number two reason for declines in the world.
The thing is, declines overall have risen dramatically because of all this reissuance. Insufficient funds as a percentage is down because hard declines associated with reissuance [00:30:00] is way up. As far as the number is concerned, the volume is concerned, that’s been pretty steady.
Kathy G. Sexton: The next question is about technology and the question is, I hear a lot of my peers are moving to Stripe. Are they a good solid option to bet my business on?
Paul Larsen: I don’t necessarily want to editorialize on Stripe. One thing you can always ask yourself is – Is the entity with which I want to strike a partnership … Let’s just say you’re a subscription company. You really are a subscription company. Is that entity totally focused on subscriptions? Stripe has, last I checked, Stripe is obviously a hot commodity. Their API is simple to code to and it allows people to get going rather quickly with them.
They do have account updater. The thing to realize is they’re still, at the end of the day, all things to all people. They don’t concentrate necessarily on subscriptions. They only have one option for you last time I checked, in regards to who your actual processor is. They’re a gateway as it turns out. They might have some recurring billing capabilities but they still have to clear their transactions through a processor or First Data is their acquirer.
You’re also dependent not just on Stripe but you’re dependent [00:32:00] on first data to be on the forefront of subscription optimization. Which that’s a different question which I can answer if you like me too.
Kathy G. Sexton: Keep going on Paul, I think this is good information.
Paul Larsen: First Data, even if you weren’t going through Stripe, if you’re going through if you go through whoever, or you’re going direct. A lot of people go direct to First Data. First Data has multiple platforms. Some of them are archaic and really not conducive to subscription success.
Let’s put it this way: One of them is and the rest of them aren’t. Chances are if you don’t specify, you could end up on one of the platforms that isn’t. You want to … If you have a long-term relationship with First Data, ultimately you want to end up on their Compass platform if at all possible. That’s the one that was developed specifically for subscription companies.
Kathy G. Sexton: This is a very hot topic amongst all of our members in terms of all-in-one subscription platform. Content management system with a different plugin. We are actually going to be doing some coverage of why particular companies may want to go with one approach versus another. How they tie in to payment processing is obviously critical as well. A lot of the issues relate to your own sophistication with technology and specifically in this case, payment processing.
Paul Larsen: That’s right. [00:34:00]
Kathy G. Sexton: Is your technology resources … Are they in-house or are you outsourcing? The more APIs and other things that you might be layering into a great customized solution, requires some good, solid knowledge by you and your team. Good security for your overall platform. Not just your payment processing. Different solutions are good for different types of companies at different phases. Regardless of what you’re doing, what I’m learning from you Paul is we all need to just really make sure we’re getting the account updater at a minimum through whatever solution we have in-house or are outsourcing to.
Paul Larsen: You mentioned something that was really interesting. It really is actually true. When as you are aware, payment optimization company and as we kind of alluded to. The greatest facilitator to an obstacle against payments performance would be who you select to be your processor. Again, you could choose a processor that makes all the best practices available or you could choose a processor that isn’t all those.
When a merchant would come to us for help, we could do one of two things. We could evaluate what they do and what they sell, and try to culturally align them with a best in class solution for them. We could RSP payment processing for them if they wanted to. We do that dozens of times and we don’t love that because it’s a lot of effort.
If we can cut to the chase [00:36:00] and get to a champion, that’s what we want to do. What’s happened in our business over the past five years is we do just as much skunk works for our merchant churns of third billing platforms. There’s more and more of a desire to outsource payment processing. We built ours when I was on the merchant side. We built ours ourselves and we strongly believe in controlling our own destiny.
Things have changed. Security, PSI and all sorts of other things have driven the rise of this third party billing platform phenomenon, this service bureau phenomenon. We’re in deeply involved in ferreting those out as we are payment processors. For those it’s about understanding who the best payment processors are and then finding a good fit on the platform side that ultimately can dovetail with the best possible processors.
It’s a new day in that world. It’s one you have to … Even if you don’t ever call us, it’s worthwhile to one thing we found out years is that a big failure on behalf of most merchants is to cross reference. We’ve gotten the great sales pitch from whoever it is, and you’re pretty convinced that it would be good to use them as either a processor or a platform. The due diligence in following up [00:38:00] with reference is just neglected and ends up being a reason why we see a lot of merchants ultimately frustrated. They didn’t actually. They bought the line. They bought it hook, line and sinker and didn’t do the follow up. Two things. Take out the questionnaires they’re asking, what was your downtime in two thousand whatever? Do do this, do do that, do do this. Don’t follow up with references.
Kathy G. Sexton: Our next question which is probably going to be our last one just due to time, is a question that’s actually near to my heart because I … This is an issue that I and subscription (merchants) need to look at very, very carefully as well. The question is: How do you move thousands of paying customers onto a new platform and processor? I think you’re going to say, “well, it depends.” It is a daunting task if you’re trying to change processors and platforms and obviously it’s the lifeblood of your business. What recommendations can you provide for us, Paul?
Paul Larsen: Conversions are always hard. Migrations are always difficult. Sometimes you face a choice of the status quo and putting yourself in a position to succeed despite your payment processing setup, instead of putting yourself in position to succeed because of it. The good news is that hopefully you’re going to make a decision to embrace and engage a real pro on that side. Real world-class solutions. Those solutions are quite [00:40:00] used to coordinating the migration to them.
They have and they’re level one PSI compliant so they can certainly be the acceptors of the information that needs to be moved. If you’re talking from platform to platform, a lot of times it’s got to move between two PSI level one compliant platforms. Again, that should be doable with strategic exports along the way. Sometimes you have to pay for them. Sometimes you don’t. Ultimately we have some things going on right now with migrations in which we’re actually using the processor to be the intermediary between the two building platforms that migration’s taking place between. That’s working fine.
Kathy G. Sexton: Thank you very much. Paul this has been very, very insightful. Thank you so much for your time.
Paul Larsen: Bless you.
Kathy G. Sexton: I’d like to thank everybody whose joined us today. If you have any other questions for Paul or for myself, you have our information there. Any other final comments Paul?
Paul Larsen: No, I’m just grateful for the opportunity.
Paul Larsen, our INSIDER Guide to Payment Processing, is the Founder and Managing Partner of Paul Larson Consulting (PLC), a consulting company focused exclusively in the area of payment processing – specifically on recurring and installment billing merchants in the card-not-present (CNP) space. With over 700 clients, PLC’s expertise helping card not present businesses significantly improving their bottom line by both reducing costs and increasing customer retention. (Read Paul’s full Bio)