Submissions – Payments System Applications for Authorisation in Relation to PIN@POS

9 August 2013

Ms Hayley Parkes
Adjudication Branch
Australian Competition and Consumer Commission
GPO Box 520
MELBOURNE VIC 3001

Dear Ms Parkes

APPLICATIONS FOR AUTHORISATION A91379 & A91380: MASTERCARD AND VISA JOINT IMPLEMENTATION OF MANDATORY PIN@POS ARRANGEMENTS

Thank you for the opportunity to comment on the applications by MasterCard and Visa for authorisation to jointly implement mandatory PIN@POS arrangements. As background, the Reserve Bank of Australia provided an initial submission related to these applications on 19 July, which focused on the applicants' request for interim authorisation to arrange a joint marketing campaign to encourage cardholders to voluntarily adopt PIN@POS. In that submission, the Bank noted that, on balance, it supported the granting of interim authorisation for that purpose. The attached submission addresses the more substantive aspects of the applications for authorisation, where the applicants seek authorisation to jointly arrange to implement PIN@POS mandates on the same terms and with the same timeframes.

The Bank would be happy to discuss this further with the Commission.

Yours sincerely,

Tony Richards
Head of Payments Policy Department

SUBMISSION TO ACCC ON APPLICATIONS FOR AUTHORISATION A91379 & A91380

Summary

Overall, the Bank supports the granting of authorisation, based on the assumption that MasterCard and Visa would proceed to implement PIN@POS at different points in time in the absence of authorisation. Ultimately such implementation is a commercial decision for the schemes. Compared to the counterfactual of the two schemes individually implementing mandatory PIN@POS arrangements at different points in time, a coordinated approach has the potential to reduce the costs incurred by consumers, merchants and financial institutions in adjusting to the new scheme requirements. Furthermore, the Reserve Bank sees PIN@POS as a valuable mechanism for reducing fraud, but given that it may cause some inconvenience to some customers, an inability for the schemes to coordinate may delay implementation as card schemes may wish to avoid being the first mover. The Bank notes that the costs and inconvenience of implementation are mainly one-off, whereas the benefits are likely to be ongoing.

If the process is managed carefully, and in a transparent manner, the joint implementation by the applicants need not pose any detrimental effects for competition between payment card schemes. On the other hand, as noted in our initial submission, a poorly designed joint marketing campaign could potentially have detrimental effects on competition between card networks if cardholders are not provided with clear and complete information about the choices available to them when selecting a payment network at the point of sale. Furthermore, it is the Bank's view that any joint marketing campaign should refrain from straying into areas that are not necessary or directly relevant to the introduction of mandatory use of PINs at the point of sale.

The next section of this submission discusses in more detail the potential benefits and costs of joint implementation of PIN@POS compared to the alternative scenario of asynchronous implementation. The final section discusses potential detrimental effects on competition if the joint implementation is not carefully managed.

Likely benefits and costs related to joint implementation of PIN@POS

Lower incremental adjustment costs

The implementation of mandatory PIN@POS arrangements will impose costs on consumers, merchants and financial institutions/providers of payment services. According to the applicants' submission, around half of cardholders do not currently use PIN authorisation at the point of sale. These cardholders would need to make an adjustment to their payments behaviour and may need to obtain their PIN from their card issuer in advance of the changes coming into force. Card issuers in turn would incur costs of implementing the necessary EMV card software updates and informing their cardholders of the changes; this would also need to occur far enough in advance of the implementation date to avoid cardholder confusion and disruption at merchants' stores. Card acquirers and merchants would incur costs in updating terminal software, and in some cases hardware. Further, merchants would need to train staff in the new authorisation procedures so that transactions proceed efficiently when the new arrangements come into force.

In the absence of authorisation, all of the above costs would still be incurred by the various parties, assuming that MasterCard and Visa individually proceeded with PIN@POS but at different points in time. Authorisation of joint implementation will provide more certainty for consumers, merchants and financial institutions, particularly around the timing of the changes, without imposing any additional costs over the alternative scenario. In fact, as noted in the applicants' submission, there would likely be economies of scale and associated reductions in cost from a coordinated, rather than separate, implementation. For example, card issuers who issue on multiple schemes would only need to undertake one technical upgrade exercise (rather than separate exercises for each scheme). Acquirers would only need to update POS terminal software once rather than twice and merchants would only need to inform staff about one set of changes.

There would also likely be less confusion amongst cardholders whose preference is to sign for purchases. For example, a cardholder who holds both a Visa card and a MasterCard card may become confused over the authorisation choices available to them.

Authorisation overcomes possible short-term first-mover disadvantages

Underpinning part of the efficiency benefits of joint implementation discussed above is the assumption that individually the various stages of the schemes' implementation programs would not otherwise be perfectly aligned. It is possible that without authorisation, the timetable for introducing PIN@POS could be further delayed for both schemes, deferring the likely reduction in fraud related to card-present transactions (see discussion below).

As noted above, PIN@POS implementation involves material costs on the part of issuers, acquirers, merchants and cardholders. If MasterCard and Visa were to implement their respective PIN@POS mandates asynchronously, costs are likely to be somewhat lower for the second mover, as certain costs would not be duplicated (e.g. point-of-sale hardware upgrades), and more generally they can learn from the experiences of the other scheme. There may therefore be an incentive for schemes to delay implementation and ‘free ride’ off the first mover. A coordinated approach would help ensure certainty around timeframes and minimise adjustment costs associated with a prolonged migration.

Given that, according to the applicants, around half of cardholders do not currently use a PIN, if one scheme moved to mandatory PIN@POS without the other doing so, those cardholders resistant to changing to PIN authorisation might switch to the other network still allowing signatures. This would have the effect of increasing the market share of the second-mover and creating an incentive for schemes, acting individually, to delay implementation.

Nevertheless, despite short-term disadvantages of being the first-mover, the schemes face longer-term incentives to implement PIN@POS, and would weigh up the longer-term benefits of lower fraud against the shorter-term costs of moving away from signature authorisation.

Importance of reducing fraud losses and associated resource costs

To the extent that a joint implementation increases the probability of mandatory PIN@POS being implemented by schemes and the pace at which this happens, the proposed joint implementation could reduce fraud losses and resource costs associated with certain types of card-present fraud. For example, under current arrangements if a card is lost or stolen, fraudsters can initiate card-present transactions by forging the cardholders' signature, based on the sample signature on the back of the card (which is generally an easier task than obtaining the correct PIN). Under the proposed PIN@POS arrangements, this avenue would not be available, and there would likely be less fraud associated with theft of cards (‘lost/stolen’ and ‘never received’ fraud). The transition to mandatory PIN use (and EMV chip card issuance) in the United Kingdom in the mid-2000s coincided with a significant reduction in fraud associated with theft.^[1]

According to data published by the Australian Payments Clearing Association (APCA), card-present fraud accounted for 27 per cent of total scheme card fraud ($79 million) in 2012. Of that figure, $34 million in fraud losses was attributable to ‘lost/stolen’ and ‘never received’ fraud. On top of these losses, there are resource costs involved in investigating and resolving fraudulent transactions. Cardholders also face disruption if their account/card needs to be frozen by their card issuer.

Finally, while this is not strictly relevant to the current application, the Bank is in general supportive of efforts by industry participants to improve the security of the services they provide to the extent that the benefits of the improved security measures over the long term generally are likely to outweigh the costs. Although the industry initiative related to the authorisation application is aimed at addressing card-present fraud, it is worth noting that card-not-present (CNP) fraud accounted for around three quarters of all scheme card fraud in 2012 and has grown rapidly in recent years (Graph 1). Accordingly, while not the focus of the current industry initiative, it is likely that future efforts to reduce fraud will increasingly need to focus on CNP transactions.

Potential detrimental effects on competition

Marketing campaign

In the Australian card payment market, a significant number of debit cards on issue are ‘dual-network’ cards. Dual-network cards allow cardholders to process transactions through the eftpos system by pressing ‘CHQ’ or ‘SAV’ (cheque or savings) account buttons on a point-of-sale terminal, or alternatively through either the MasterCard or Visa systems (depending on the card) by pressing the ‘CR’ account button.

One of the ways in which the different card systems compete is at the transaction level, by encouraging cardholders to make an account selection that routes transactions through their system. The Bank has previously expressed its support for the issuance of dual-network cards, noting its benefits for cardholder convenience and network competition.

As part of the PIN@POS implementation, MasterCard and Visa have proposed a joint public communications strategy that includes direct communication from issuers to cardholders, the ‘PINwise’ website and the ‘PIN to win’ promotion. These joint communications could potentially cause a shift in cardholder behaviour, increasing the likelihood of a selection of ‘CR’ (a MasterCard or Visa transaction) over a selection of ‘CHQ’ or ‘SAV’ (a PIN-initiated eftpos transaction) on dual-network cards.

Card schemes regularly undertake marketing exercises to promote their brand individually, as part of competing with other schemes. However, there may be a concern when two competing schemes undertake a coordinated campaign if it has detrimental effects on another competitor. For example, certain aspects of the proposed joint communications campaign, (e.g. the proposed ‘PIN to win’ promotion) might be regarded as broader marketing for MasterCard and Visa credit cards, and for the routing of debit transactions to MasterCard and Visa networks, rather than purely as a communication initiative for adoption of PIN@POS to combat fraud.

The MasterCard and Visa marketing materials potentially might encourage cardholders to make a selection of ‘CR’ and enter in a PIN instead of using signature authorisation. In doing so, it is important that these materials do not give the impression to cardholders that they no longer have the choice of pressing ‘CHQ’ or ‘SAV’ and entering in a PIN on dual-network cards, or that the combination of PIN and ‘CR’ is the only secure way to make a payment. Similarly, they should not give the impression that signature authorisation is no longer possible on all brands of cards (if for example American Express and Diners Club are not part of the campaign).^[2]

Relatedly, MasterCard and Visa have noted in their application that they wish to use the phrase ‘industry initiative’ in marketing material. At present, only two of the five major card systems are participating in the proposed PIN@POS initiative. The Bank considers that a campaign marketed as an ‘industry initiative’ should not disadvantage other competitors. It should be apparent to cardholders that the initiative only relates to the cards of the schemes participating in the campaign.

Competition in authorisation/security methods

Card payment systems compete on a wide range of characteristics, including security and convenience in the choice of authorisation methods available. The proposed PIN@POS mandate will have the effect of increasing security, but reducing consumers' and merchants' choice in authorisation method for MasterCard and Visa.

In a competitive card market, individual systems determine the authorisation methods provided to cardholders by taking into account the particular mix of security and convenience desired by issuers, acquirers, merchants and cardholders. For example, some cardholders will prefer to sign rather than enter a PIN. Some merchants may prefer the efficiencies provided by PIN authorisation, for example, in reduced checkout time compared with signature. Other merchants may prefer the flexibility offered by having signature authorisation (e.g. to allow authorisation of card payments at restaurant tables without mobile terminals). Card issuers, on the other hand, bear much of the risk of point of sale fraud and are likely to favour PIN authorisation.

Authorising MasterCard and Visa to coordinate on a joint PIN@POS mandate removes one minor aspect of competition between those two systems, but the Bank considers that this is not a significant concern given that such competition, on the basis of modestly higher convenience but lower levels of security for card payments, is unlikely to generate significant public benefits. More broadly, it is not clear that a joint industry initiative to implement PIN@POS will reduce the incentive to innovate in card authorisation processes. If a technology became available that was superior in terms of either security or cardholder convenience (without compromising the other), the schemes would have a competitive incentive to implement this technology, regardless of any joint industry initiative.

Payments Policy Department
Reserve Bank of Australia
9 August 2013

Endnotes

For example, see data on fraud for the United Kingdom in Fraud: The Facts 2012, The UK Cards Association. Available at <http://www.financialfraudaction.org.uk/Fraud-the-Facts-2012.asp>. [1]

The Bank would not object to participation by other schemes in the PIN@POS initiative. [2]