By Isabella Pelegero
What qualifies an organization to set standards for the payments environment? And by whom are these organizations kept accountable? According to the U.S. government, “how standards are set is a matter of some concern because the economic and social stakes in standards are so large. The standards development process must be fair to prevent any single interest from dictating the outcome,” [1]. There is also an economic case for developing standards that contribute to public welfare [2]. Yet, payment standards are largely set by private consortia in this country. Privately set standards are insufficient to public welfare because they are not all equally committed to standards-setting processes which are fully transparent and inclusive to all stakeholders. Payments standards that exclude payment instruments or prevent merchants from freely routing transactions are collusive, harmful to the U.S. payments industry, and may violate federal law (debit transaction routing is protected by the Durbin Amendment but its enforcement has been timid).
In early 2019, RPGC was approached by the Secure Payments Partnership to research the practices and policies of a powerful U.S. standards consortia, EMVCo. EMVCo is owned and staffed by the world’s six largest card schemes–Visa, Mastercard, American Express, Discover, JCB, and Union Pay–but likes to position itself as the “common voice of the payments industry” and the “representative of the global payments community,” [3]. As a group, EMVCo claims they merely produce technical “specifications” and imply that they shouldn’t be held to the same scrutiny as a standards-setting organization. While EMVCo takes rhetorical lengths to distance themselves from the appearance of setting standards if you look into the organization structure of these programs, they are fully overseen by EMVCo, and by extension, the card brands. Thus, their “specifications” do in fact become de facto standards with implications far beyond technical compatibility.
Our resulting whitepaper, “Payment Insecurity: How Visa and Mastercard Use Standard Setting to Restrict Competition and Thwart Payments Innovation” synthesizes our research and analysis on the evolution and operations of EMVCo. Its conclusions are derived from an in-depth review of EMVCo’s specifications: EMV chip cards, Near Field Communications (NFC), Tokenization, Three-Domain Secure (3DS) 1 & 2, and Secure Remote Commerce (SRC). Our methodology was twofold: using publicly available sources and expert interviews. Our primary sources included each standard, noting where and how it could have been more open and inclusive through web archives that show the rushed and shutoff nature under which many of EMVCo’s standards evolved. Informal, unstructured interviews with fellow industry experts helped fill in the gaps where documentation was insufficient.
Using these methods we have found that, because transactions that flow through competing networks do not generate revenue for the card brands, maximizing transaction volume is a matter of high priority for them at every organizational level and each decision-making process. Undoubtedly, EMVCo’s decisions systematically privilege the card brands and are designed to augment their transaction volumes at the expense of security, user experience, and interoperability. At RPGC, we strongly believe that EMVCo’s standards work should be migrated to an open and inclusive organization with the true intent to set standards that benefit all stakeholders. To learn more about why, you can download our whitepaper, “Payment Insecurity: How Visa and Mastercard Use Standard Setting to Restrict Competition and Thwart Payments Innovation” here.
[1]: “Global Standards: Building Blocks for the Future,” U.S. Congress Office of Technology Assessment, https://www.princeton.edu/~ota/disk1/1992/9220/9220.PDF, 101.
[2]: Masami Tanaka, “Tools for leaders – Demonstrating and exploiting the benefits of standards,” ISO Focus+, June 2010, vol. 1 (6):1. https://www.iso.org/files/live/sites/isoorg/files/news/magazine/ISO%20Focus%2B%20(2010-2013)/en/2010/ISO%20Focus%2B%2C%20June%202010.pdf.
[3] “The Role and Scope of EMVCo in Standardizing the Mobile Payments Infrastructure,” EMVCo, October 2007.