Connecting the Links
Small merchants, more than anyone, have been dealing with the challenge of rolling out EMV. The deadline that the industry has been most concerned with is October 2015 when the liability will shift to acquirers for domestic and cross-border counterfeit fraud card-present POS transactions, if the merchant does not have an EMV-enabled POS device.
Benefits for fraud and risk reduction are significant, but the hardware and software installations have been a formidable burden. One of the driving forces pushing EMV implementation has been the shock of data breaches at Target this past holiday season, and more recently Michaels, which affected more than 40 million card holders. Industry players such as processors and issuers were jolted upright enough to come to the table to figure out solutions. Major retailers like Walmart already have their chip and PIN hardware but are waiting for issuers to issue new chip and PIN cards to consumers.
“There are still many links to connect,” said Mitchell Cobrin, CEO, Anywhere Commerce, a Montreal-based company that works with acquirers around the globe to deliver EMV. “If one link is weak, there could be a failure. But the Target breach has turned tepid discussions into more compelling talk.”
Hardware is only one piece of the puzzle. Merchants have to implement software and issuers have to issue new cards to consumers. “In the US, there are so many competing interests, it is a complicated soup to make,” said Cobrin. “There are 15 debit networks, 15-20 process platforms, and many issuers in the US. By contrast, there is only one debit network, Interac, in Canada.”
EMV Migration Forum Sees Growth
Nevertheless, US EMV chip adoption is poised for exponential growth in the next year resulting from an estimated 17-20 million EMV chip cards and millions of EMV-capable ATMs and POS terminals, the EMV Migration Forum announced at its March meeting.
Director Randy Vanderhoof stated: “In the last few months we have seen a dramatic shift in the interest and understanding of the beliefs that EMV chip cards provide, particularly in helping to lessen the impacts of payment data breaches and to prevent counterfeit card fraud.”
The EMV standard was first introduced in 1994, when Europay, MasterCard and Visa formed EMVCo and the organization defined the interoperability for chip-bearing smart card technology. It has become a global standard for interoperation of integrated circuit cards and IC card capable ATMs and POS terminals for authenticating credit and debit card transactions. In countries where there are fewer decision-makers and fewer debit networks, EMV implementation has gone smoothly.
The new standards are going to impact the entire payment system and its players, including acquirers, issuers, processors, merchants and consumers. The process is tricky because every player must do their part to make the conversion to PIN and chip possible.
MasterCard, Visa, American Express, and Discover set a series of readiness deadlines for US issuers, acquirers and processors to be EMV capable. Industry players are focused on two deadlines: Merchant Fraud Liability Shift is October 15, 2015 and Liability Shift for Gasoline Retailers is October 15, 2017.
MasterCard estimates that among all the major brands, there are about 20 million chip cards in the United States. That means that the US, which has about 1 billion general-purpose credit and debit cards and is the last major mag-stripe holdout country, has just barely started its EMV conversion. So far, issuers have given most EMV cards to international business travelers.
Commercial Cards Consider Chip Strategy
Besides consumer cards, commercial cards, including corporate and purchase cards, are impacted. Commercial cards represent trillions worth of spend annually, according to Amy Hoke, director, Commercial and Enterprise Payments Advisory Service, in a white paper on the subject, entitled: “EMV: Rollout for Commercial Card Stalled by Cost and Lack of Justification.”
In her report, Hoke writes, “For consumer cards, the cost for fraudulent transactions is much more significant than in commercial card transactions, which have historically experienced low fraud rates mostly because of the additional controls available on the commercial product set. This is one of the core reasons that EMV rollout for commercial cards has largely stalled after the initial issuance to global business travelers.”
For commercial card issuers, fraud is a fraction of what it is on consumer card portfolios. So the reality of incurring costs for the liability shift alone may not have sufficient impact for an issuer to decide to roll out chip based on this change in liability, says Hoke.
“Issuers are evaluating whether it makes sense to issue chip on purchase cards in addition to corporate cards, even when no international transactions are taking place,” explains Hoke.
Discussions regarding commercial card adoption of EMV standards are just starting to heat up as the deadlines outlined by MasterCard and Visa for compliance to avoid a liability shift are almost upon card-issuing financial institutions.
“Issuers are internally considering several questions: Should chip be rolled out for corporate card only? Should chip be rolled out for both corporate and purchase card? What about open-loop fleet cards?” Hoke questions.
Important News from Visa and MasterCard
On the debit side, merchants have the option of routing transactions to more than one network. Under the Durbin Amendment, cards can be supported on multiple networks. Previously, Visa and MasterCard argued over which application to use. Each network wanted the application to be theirs.
The applications on the chip have to know which common application identifier it is. Robert Martin, senior VP, Attended Merchants with Apriva, said, “Progress is being made to come to resolution with multiple solutions being proposed, and agreement on a common application.”
There’s been a string of news from Visa about partnerships with electronic funds transfer networks to facilitate debit transactions with chip cards. MasterCard got back in the game on April 3, announcing that First Data Corp.’s Star network will use MasterCard’s so-called common application identifier (AID).
Coming soon after processor Fidelity National Information Services’ NYCE network said it would use Visa’s common AID, the Star-MasterCard development makes clear the end game in what had been a raging controversy in the debit industry: All the major EFT networks are now using or seem likely to soon be using both the Visa and MasterCard common AIDs.
Visa has common AID agreements with the EFT networks that accounted for 99 percent of PIN-debit transaction volume in 2012, according to a Mercator Advisory Group study: NYCE, Star, Fiserv’s Accel, Discover Financial Services’ Pulse, its own Interlink PIN-debit network, and MasterCard’s Maestro. Visa and MasterCard mutually licensed each other’s common AIDs last summer.
With Accel, Interlink, and now Star in MasterCard’s camp, the momentum of the announcements that began Feb. 26 with the Visa-Star pairing foretells that MasterCard will strike deals with Pulse and NYCE.
In a press release, Barry McCarthy, president of First Data’s Financial Services unit, which includes Star, said the new MasterCard pact will help card issuers, merchant acquirers, and merchants get on with the business of issuing and accepting Europay-MasterCard-Visa (EMV) chip debit cards.
“This agreement, and other EMV agreements we have recently announced, helps accelerate the migration to EMV adoption, and moves the entire industry a step closer to additional debit payment security,” McCarthy stated.
The deals mean that banks and credit unions will be able to issue EMV cards that meet the requirements of the Dodd-Frank Act’s Durbin Amendment.
Can EMV Prevent Data Breaches?
“EMV technology will not prevent criminals from accessing data – it was not designed to do so,” said Martin Ferenczi, president, North American Region of Oberthur Technologies, a global supplier of EMV products and services. “What EMV does is reduce the value of the data the hacker can acquire. Therefore, EMV would not have prevented the recent Target, Neiman Marcus, or Michaels data breaches. However, consumers’ information could not have been used to make in-store fraudulent purchases or to produce counterfeit magnetic stripe cards.”
To produce a counterfeit EMV card, said Ferenczi, the criminal would have to acquire the real card and spend a large sum of money to find the unique cryptographic keys programmed into the chip. And to counterfeit another EMV card, the criminal would have to spend another large sum of money to find that new card’s security information.
What about ecommerce risk? While the new EMV technology will add to security at the point of sale, card account numbers that are used for phone, internet, and mobile transactions, carry the same risk as before because there is no card present, and therefore no chip.
“Chip and PIN does not address online commerce,” said Cobrin. “It has much more effect in face-to-face transactions. We have to look for other fraud mitigation technologies.”
EMV with tokenization is one. Tokenization, or creation of a nondecryptable set of data to stand in for a card account number, is growing in popularity as a means to further secure a card transaction. During a payment transaction, the merchant gets a “token” instead of the actual card number, but the token can be verified by the acquiring bank.
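An added illustration of the token flow just described (not from the article or from any vendor's product): a hypothetical acquirer-side vault issues random tokens, the merchant's order table stores only those tokens, and a stolen copy of that table yields no card numbers. The class and function names and the `tok_` prefix are assumptions, and the card numbers are constructed test values.

```python
import secrets

class AcquirerTokenVault:
    """Acquirer side: the only place the token -> card number mapping exists."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan):
        # A returning card gets the same token, so the merchant can still
        # recognise a repeat customer without ever holding the card number.
        if pan not in self._token_by_pan:
            # Random value, not computed from the PAN: nothing to decrypt.
            token = "tok_" + secrets.token_hex(8)
            self._token_by_pan[pan] = token
            self._pan_by_token[token] = pan
        return self._token_by_pan[pan]

    def verify(self, token):
        # The acquirer can confirm that a token stands for a real account.
        return token in self._pan_by_token

    def detokenize(self, token):
        # Used only inside the acquirer's environment, at authorization time.
        return self._pan_by_token[token]

def merchant_checkout(vault, pan, amount_cents, order_db):
    """Merchant side: swap the PAN for a token before anything is stored."""
    token = vault.tokenize(pan)
    order_db.append({"card": token, "amount_cents": amount_cents})
    return token

def pans_exposed(order_db, real_pans):
    """Card numbers a thief would find in a stolen copy of the order table."""
    return [row["card"] for row in order_db if row["card"] in real_pans]

# Constructed sample data: widely published test card numbers, not real accounts.
SAMPLE_PANS = ["4111111111111111", "5555555555554444"]

if __name__ == "__main__":
    vault, orders = AcquirerTokenVault(), []
    for pan in SAMPLE_PANS:
        merchant_checkout(vault, pan, 1999, orders)
    print("PANs exposed by a merchant breach:", pans_exposed(orders, SAMPLE_PANS))
```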
Besides tokenization, other techniques are end-to-end encryption, 3D-Secure, FIDO and various other methods used to assure that the rightful cardholder is using the card. Ferenczi said, “These technologies combined offer the security essential to protecting cardholder data.”
As the industry continues to deliver fraud mitigation technologies that encompass point of sale and ecommerce, look to Europe and Latin America where the second generation of EMV products has already been implemented.