The Collateral Plays on EMV – FIS, VNTV, NCR, NXPI
Howard Mason
203.901.1635
July 10, 2014
“It is very clear that card issuers like Capital One need to have our US customer base by the latter part of 2015 on a chip basis ….. but I have a feeling by the time we have all invested in chip and PIN it may have passed its prime” Richard Fairbank, CEO of Capital One, May 29th 2014
- We believe investors are under-estimating the pace of EMV adoption and that, instead of the “gradual grind” reflected in consensus and based on guidance from small issuers and providers such as NXPI, large issuers will have migrated customers to chip cards by end-2015. The reason is that fraud tends to concentrate around weak-spots, and issuers will not risk being disadvantaged by high fraud costs as the last issuer still relying on mag-stripe swiping.
- While, under network rules, fraud risk on EMV-transactions will be borne by merchants if they are not EMV-compliant by October 2015, most large merchants already are. Furthermore, re-terminalization will accelerate ahead of the October deadline so that total penetration of EMV-compliant hardware, currently 20-30% of the base of ~12mm terminals, increases to 50%+.
- Rapid EMV adoption will create upside surprise at: third-party card issuers (such as FIS and VNTV); suppliers of EMV-compliant chips (such as NXPI); and acquirers (such as VNTV) able to take advantage of the retailer focus on payments security (following the Target breach last November) to sell an integrated solution including not only EMV but also tokenization and encryption of card credentials. The scale of card reissuance is large: there are presently only ~8 million US chip-cards in circulation vs. 550mm total credit cards and 590mm total debit cards.
- In addition, the transition to EMV will catalyze a share-shift from debit running over signature networks to debit running either over PIN networks or directly routed from acquiring-processor to issuer based on the bank identification number or BIN. Obviously this is true for PIN-authenticated transactions (on chip-and-PIN cards) but is also true for PINless transactions (i.e. those transactions below the threshold, often $50 and even on a signature-card, where no authentication is required). FIS and VNTV will benefit through their ownership of the NYCE and Jeannie PIN debit networks respectively, and because the access to funding accounts arising from their issuer-processing businesses enables direct BIN routing.
- While there is potential upside for PAY on the terminal side, particularly in the hospitality segment where there are ~3 million terminals and where EMV will require the replacement of existing infrastructure with customer-facing terminals, we prefer NCR as a play on the EMV-related ATM upgrade cycle. We are early since the deadline for fraud liability-shift on ATMs is October 2016 (vs. October 2015 for POS terminals). However, we expect the ATM refresh-cycle to anticipate this given bank initiatives to cut teller-staffing through “smart” (and, to NCR, high-margin) ATMs providing functionality above cash withdrawal (including deposit acceptance, check-cashing, bill-exchange and remote-teller access) and integrating with digital and mobile services via a single platform to capture customer activity.
There is a reason that card-security approaches have evolved differently in the US and Europe. In the US, the card industry evolved in the context of a reliable telephone infrastructure allowing for real-time monitoring of transactions so that, in effect, the lists shop-owners used to keep on their walls of dodgy cards could be consolidated at the network level and transactions vetted against them (and denied if necessary). In Europe, the telephone infrastructure was not reliable enough to support this approach and the focus turned to keeping illegitimate transactions out of the system through stronger cardholder authentication – i.e. chip-and-PIN. Richard Fairbank’s point in the headline quote to this note is that network-level fraud detection is getting stronger “with the ability to analyze your whole patterns of prior transactions … and the ability to geo-locate and see where you are relative to where your ‘phone is” and this erodes the business case for chip-and-PIN.
Our thesis is the mirror opposite: that the adoption of chip-and-PIN in the US will erode the business case for network-level fraud risk management and hence the pricing power of the Visa and MasterCard networks. Indeed, we expect the adoption of PIN-authentication (which lowers the fraud-content of card transactions from over 6 cents/$100 to below 1 cent) to catalyze a shift to BIN-routed transactions (which are routed directly from the acquiring processor to the issuing bank on the basis of the bank identification number) from switched transactions (which are first routed through a network “switch”) because the ability of network-level risk management to reduce fraud losses will no longer justify the network fee. As discussed in our note of June 10th titled “The Shift from Signature Debit and Prospect for a Bank-Owned PIN Debit Network”, the resulting patchwork of bilateral connections between acquirers and issuers will over time evolve into a bank-owned PIN debit network.
The Collateral Plays on EMV
The objective of this note is to explore other investment opportunities arising from adoption of chip-and-PIN across other elements of the ecosystem including card issuers and chip-manufacturers (such as FIS and NXPI respectively), acquirers (such as VNTV and GPN), and terminal-providers (such as PAY and NCR). The catalyst for the US adoption of chip-and-PIN is network rules specifying that, in October 2015, fraud liability will shift to merchants who are presented with an EMV-compliant card but do not have an EMV-compliant terminal. EMV stands for Europay-MasterCard-Visa; through the EMV collaboration, these three networks have established the global protocol by which chip-enabled payment devices (whether card, wristband, or ‘phone) communicate with terminals. Similar fraud liability-shift rules come into effect in October 2016 for ATM machines (as opposed to point-of-sale terminals) and October 2017 for gas-stations.
It is important to note that, while the EMV standard is specifically for chip-based payment devices, it does not mandate an authentication method so that the US will likely have chip-and-signature cards as well as chip-and-PIN cards. Either way, there will be a substantial reduction in fraud losses since chip cards are harder to clone than mag-stripe cards making it more difficult for criminals to use stolen card data (whether from merchant systems or by intercepting communications between card and terminal) to produce counterfeit cards. Counterfeiting accounts for ~70% of fraud losses while lost or stolen cards account for the balance and will be reduced only by the adoption of chip-and-PIN vs. chip-and-signature.
We expect the EMV fraud-liability shift rules to give rise to a rapid displacement of mag-stripe cards by chip cards and to rapid reterminalization (i.e. replacement of existing terminals with EMV-compliant terminals at point-of-sale). There is precedent for these “tipping point” dynamics in the newspaper and music industries (see Exhibit 1), and we believe the shift of storage medium for payment credentials from mag-stripe to digital will be similar. The specific reason is that fraud tends to concentrate around the most vulnerable points of the system so that you do not want to be the last issuer to replace mag-stripe with chip cards or, given the liability shift, the last merchant to install EMV-compliant terminals.
Exhibit 1: Structural Change Can Happen Slowly Until It Happens Quickly
Source: NAA; RIAA; McKinsey
The Opportunity in POS and ATM Terminals
There are ~12 million terminals in the US and, given a typical replacement cycle of 7-10 years, annual shipments are running at ~1.5 million; approximately 70% of these shipped terminals are EMV-compliant and 20-30% of installed terminals have been upgraded, including those at most large merchants (even if they have not activated EMV capabilities, which typically involves an annual subscription fee).
The incremental opportunity, worth about 3mm terminals, is in the hospitality space (e.g. restaurants, hotels, and government agencies) since the standard practice, where a service-person takes a card and processes a transaction on a terminal that may not be visible to the cardholder, is not permitted under EMV. EMV requires the terminal to be customer-facing so that the card is never out of the customer’s sight and, of course, this is a practical necessity for PIN authentication.
In many cases, the customer-facing requirement will translate to mobile POS (so that, in Europe for example, many restaurants bring a mobile POS to the table for settling the check). Indeed, more generally, the so-called “dongles” that turn tablets into mobile POS devices (by communicating payment information through the audio channel) will need to be EMV-compliant and we see this as an opportunity for established hardware-providers, such as PAY, offering the same security on a dongle as on a stationary POS terminal, and integrating the two with other security features including encryption and tokenization, to take back the dongle market from early innovators such as Square.
The opportunity for PAY appears reasonably understood but less so the opportunity for NCR given the liability-shift for ATM terminals is October 2016 and so further out than the liability-shift for POS terminals in October 2015; the ATM refresh cycle will likely also complement bank initiatives to cut teller-staffing at banks through “smart ATMs” providing functionality above cash withdrawal (including deposit acceptance, check-cashing, and changing bills as well as access to remote tellers) and integrating with digital and mobile services via a single platform to capture customer activity.
The Opportunity in Chip Card Issuance
Banks have already begun to issue chip cards to customers who travel, with personal cards tending to be chip-and-signature and corporate cards sometimes chip-and-PIN; however, the 8 million chip cards in circulation compares with total US cards-in-force of over 500 million so there is an enormous replacement cycle in 2015 benefiting third-party card issuers such as FIS and providers of the chip-set such as NXPI. We believe the opportunity is under-discounted for several reasons:
- First: We are not yet seeing it in the numbers and both FIS and NXPI indicate it as an opportunity for 2015 rather than 2014. Furthermore, while NXPI acknowledges EMV migration in the US as a “real opportunity”, management cautions investors that it will be a “gradual grind higher and it will take a number of years”. We do not agree; given the fraud-liability shift rules and the tendency of fraud to concentrate with issuers who do not migrate to EMV, we expect large-scale re-issuance by national banks in 2015. Indeed, given the EMV standard is now established, there is no “hedge-your-bet” benefit to waiting that can offset the incremental fraud costs and associated loss of competitive advantage.
- Second: Some investors are concerned that host card emulation or HCE, a Google technology creating a virtual secure element for Android ‘phones (KitKat or higher), will substitute for the secure element in a ‘phone and the associated chip-set that can be provided by NXPI. We see HCE as a transition technology, to release NFC-enabled payments from dependence on, and associated costs of, the carrier-provided SIM card. Over time, secure elements will be increasingly embedded into ‘phone hardware if only to enable biometric authentication and will then be available for payments (and more secure than HCE). Indeed, rather than carrier-provided subscriber identity modules (SIMs) signing customers onto a payments network, the more likely evolution is that hardware-embedded secure elements will sign customers onto mobile networks through a virtualized SIM (technically allowing customers to switch between carriers phone-call by phone-call).
- Third: The extent of the infrastructure roll-out by merchants seems under-appreciated. As noted above, 20-30% of installed terminals are already EMV-compliant including at large merchants and we expect accelerated replacement in 2015 because of the fraud liability-shift rules particularly in the hospitality channel.
The Encryption Opportunity for Acquirers
Following the data-breach at Target last November, card security has become an IT priority at most retailers even over mobile apps and loyalty offers. Paul Gallant, CEO of PAY, makes no bones about it: “Every Board of Directors has asked every CEO, can what happened at Target happen with you? And most CEOs, I will tell you, lose sleep on this. They go to their CIO and they say are we encrypted?”
The overarching objective is to remove sensitive card data from merchant systems so that they are not targets for hackers. The EMV standard does not call for this, and allows for the primary account number or PAN to be passed in the clear from payment device to POS terminal. As a result, EMV needs to be complemented by encryption (to scramble the PAN) and/or tokenization (to represent the PAN with an alias that can be limited in life and scope). Furthermore, the encryption needs to occur the minute the payment device communicates with the terminal and be maintained all the way through to the acquirer.
At the same time, retailers need access to decrypted data in order to run their customer analytics, inventory management, and accounting software. We believe this creates an important opportunity for acquirers who can offer an integrated security package (including EMV, encryption, and tokenization) and integrated POS or iPOS solutions which bundle payments with marketing, inventory management, and accounting apps. VNTV is our preferred play particularly following its acquisition of Mercury Payments Systems in June; further details are available in our April 7th note titled “US Payments: A Primer on Merchant Acquiring”.
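To make the "alias that can be limited in life and scope" concrete, the following is an added illustration, not code from this report or from any vendor named in it. The `TokenVault` class, the merchant IDs, the time-to-live and the choice to make tokens fail the Luhn check are all assumptions made for the sketch.

```python
import secrets
import time

TEST_PAN = "4111111111111111"  # constructed sample: a Luhn-valid test number


def luhn_ok(number: str) -> bool:
    """Luhn checksum that real PANs satisfy."""
    if not number.isdigit():
        return False
    digits = [int(d) for d in reversed(number)]
    doubled = sum(sum(divmod(2 * d, 10)) for d in digits[1::2])
    return (sum(digits[0::2]) + doubled) % 10 == 0


class TokenVault:
    """Hypothetical acquirer-side vault; merchants only ever store tokens."""

    def __init__(self, ttl_seconds=3600, clock=time.time):
        self._ttl, self._clock = ttl_seconds, clock
        self._store = {}  # token -> (pan, merchant_id, expires_at)

    def tokenize(self, pan: str, merchant_id: str) -> str:
        if not luhn_ok(pan):
            raise ValueError("not a valid PAN")
        while True:
            # Random digits: no mathematical link back to the PAN.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]  # keep the last four for receipts
            # Assumed design choice: tokens fail Luhn so they cannot pass as PANs.
            if not luhn_ok(token) and token not in self._store:
                break
        self._store[token] = (pan, merchant_id, self._clock() + self._ttl)
        return token

    def detokenize(self, token: str, merchant_id: str) -> str:
        pan, owner, expires_at = self._store[token]  # KeyError if unknown
        if self._clock() >= expires_at:  # limited life
            del self._store[token]
            raise KeyError("token expired")
        if owner != merchant_id:  # limited scope
            raise PermissionError("token not issued to this merchant")
        return pan
```

A merchant database holding only such tokens gives an intruder nothing usable elsewhere, while the merchant's analytics can still key on the token and the last four digits.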
- The networks have different perspectives on authentication. MA CEO Ajay Banga has said “I would prefer people go to chip and PIN because it is safer”. V CEO Charlie Scharf is more ambivalent: “We use chip and choice [of both PIN and signature]; choice meaning let’s figure out what the merchants want, what the issuers want, and we will move forward with them”. Ed Gilligan at AXP seems to prefer signature: “There’s a big expense for the industry if it goes to chip-and-PIN vs. chip-and-signature”.
- Indeed, EMV-compliance at point-of-sale is likely to push fraud online which is one reason for a parallel network initiative around tokenization.
- Apple manages biometrics through the A7 Secure Enclave and Google through the ARM TrustZone.
- The contactless EMV specification calls for an additional encrypted digital “signature” that uniquely identifies the payment device but the PAN can still be passed in the clear.