The Payment Industry's Perspective On EMV
By Business Solutions magazine
Where Does EMV Fall Short?
“EMV is designed to authenticate the validity of the payment card presented at each POS, which it does very well, so there really are no shortcomings. It can do it offline and online; it’s very versatile and very configurable. Critics say it doesn’t do anything for e-commerce, but that’s because EMV isn’t designed for e-commerce. It’s specifically designed for a card-present transaction. The e-commerce environment has different needs, and there are various solutions available to mitigate fraud losses in that environment.” — Allen Friedman, director of payment solutions, Ingenico Group
“EMV represents the backbone for future payment technologies. It offers more rigorous security than mag-stripe cards. But for optimum merchant and consumer protection, it should be augmented with extra security measures, such as end-to-end encryption.” — Michael English, executive director, product development, Heartland Payment Systems
“EMV is designed to prevent counterfeit fraud and, in some cases, lost and stolen where a PIN is used. It does this by signing the transaction, but still allows the PAN [primary account number] data to be transmitted in the clear. This means that while EMV can reduce card-present counterfeit fraud, it does nothing to prevent card-not-present fraud.” — Ed Learned, payment industry product specialist, Merchant Link
“It is not clear how point-to-point encryption (P2PE) coexists with EMV to bring an additional level of security for merchants. EMV is a great technology, but the cost of certification is significant, and that makes it difficult to adopt for both merchants and VARs.
“The EMV process should be a set of standards decided by the Associations. In the United States, processors are setting the standards. This causes every gateway, POS, and hardware device to be certified to every processor instead of simply adhering to a single certification for all processors.” — Rick Taylor, CEO, BridgePay Network Solutions
“Migration to EMV is a complex undertaking, and to support it in common environments like Windows and Linux, a whole software ecosystem must be developed. Software is needed to drive the chosen PIN pad or card reader, and the interface to the processor must be updated to support EMV, as well as terminal management and support for P2PE. EMV is often criticized for its lengthy and inflexible certification process which has caused issues for parties all over the world who have migrated.
“Many ISVs and merchants are not aware that developing all of this supporting software can take more than 12 months. When combined with the onerous EMV certification regime, another six months (or longer) is often added to the process.
“In terms of security, EMV can be improved by being paired with additional security measures, such as P2PE and tokenization.” — Jeremy Gumbley, CTO, Creditcall
“EMV improves card security by reducing the use of fraudulently created cards used at the point of sale, but isn’t the panacea being promoted. EMV wouldn’t have helped with most of the major card breaches that we’ve been hearing about over the past few years, mostly because they were database-style breaches. Importantly, EMV implementation has actually driven more fraud towards e-commerce transactions.
“EMV validates/authenticates the payment terminal and even possibly the cardholder if a PIN is required. But if only a signature is required, it’s still not clear that the cardholder owns the card, simply because clerks do not check signatures. The really big problem is that the card data is actually still in the clear (not encrypted) at the payment terminal and POS. In fact, the EMV device actually returns the data in the clear to the POS system, putting the system at risk, even after the POS developer went to great lengths to encrypt everything prior to EMV. Most chip-and-PIN cards still have the magnetic stripe data encoded and will for a very long time, leaving the stripe data vulnerable to theft as always.
“Datacap’s experience over the past five years with developing EMV solutions for Canada suggests that early adoption will only occur with the major retailers, while SMBs will take a wait-and-see attitude. Perceived implementation costs, confusion over actual requirements, nonuniversality of solution options across processor platforms, and unknown financial benefits for adopting EMV keep SMB merchants from fully engaging.” — Terry Zeigler, president/CEO, Datacap Systems
“Unfortunately EMV does very little to protect against data breaches. But that’s not really its primary purpose. EMV does provide mechanisms to authenticate and validate cards, preventing thieves from duplicating or counterfeiting cards. Before an EMV transaction is authorized, there are certain elements that must be passed, or ‘in the clear.’ This includes items such as PAN and card verification value for integrated circuit cards (iCCV). Some will argue that EMV does little to protect card data because compromised PANs could be used in card-not-present transactions. But card-not-present environments leverage additional protections such as card verification value (CVV), address verification systems (AVS), and more.” — Russ Harty, SVP key accounts and partner channel, Merchant Warehouse
What Aspects Of EMV Are Causing Confusion Or Slowing Progress Of Merchant Upgrades?
“The progress is being slowed by the fact that consumer adoption is low, causing little market pressure, combined with the fact that it is hard to make the merchant invest in new technology — POS terminal replacements, software upgrades, processor certification — especially when they are not seeing the immediate costs benefit. The card brands and acquirers are pushing EMV — however, there has to be more pressure to change merchant behavior.” — Shelley Plomske, VP of product, Total Merchant Services
“The biggest source of confusion with regard to EMV is around debit cards, which stems from the initial delay while key players solved the issue of how to make EMV work in compliance with U.S. debit regulations. Ongoing, keeping up with the technology is going to be the most time-consuming part, which is why it’s so important that merchants have a vendor they can trust to explain what they need to know about EMV as things continue to progress, while helping them navigate through the process.
“According to a recent report by the Aite Group, by the end of 2015, 70 percent of U.S.-issued credit cards will be chip-enabled, while an estimated 41 percent of debit cards will be chip-enabled. Those sound like aggressive numbers to me that will require a steep ramp-up in production and deployment.” — Allen Friedman, director of payment solutions, Ingenico Group
“Once you look at EMV from a per-financial perspective, you find that there is not a strong ROI for implementing EMV. When you compare the cost of equipment, the cost of training a staff, the cost of upgrading a POS system to handle the new file forms, and other costs to implement EMV, and compare that to the return, there is not a solid business case. But merchants must look at two factors:
“Since the liability shift begins for merchants in October 2015, a retailer must consider the chargeback losses that can be attributed to card fraud and estimate what those levels of card fraud will be after the liability shift begins. Markets such as Canada and the U.K. have seen reductions in card fraud at EMV-payment-accepting merchants and fraud growth in those that do not accept EMV, as well as in card-not-present environments.
“Another consideration is customer perception. What will my customers think of my establishment for not accepting chip cards if major retailers such as Walmart, as well as other local SMB merchants, accept chip cards? Concern for security has been stated in several mobile payment studies as to why a percentage of consumers do not use their mobile phones for financial transactions. Although we see that number declining, it does show that consumers are aware of the risks and will most likely respect businesses that are like-minded.” — Michael English, executive director, product development, Heartland Payment Systems
“The cost of EMV migration and the complexity of migration are widely acknowledged as major barriers to the adoption of the new standard as a whole. Purchasing new or upgrading existing terminals and POS systems is an expensive undertaking and a contributory factor as to why the U.S. is years behind the rest of the world in adopting the technology.
“Confusion over support for EMV with processors and the certification required has caused concern and confusion. In a mature EMV market such as the United Kingdom, an EMV certification can take anywhere from 10 to 16 weeks to complete, assuming that no major issues occur along the way. Many industry experts have also expressed concern that processors do not have enough support in place to take a large number of ISVs and merchants through the certification process at the same time.” — Jeremy Gumbley, CTO, Creditcall
“EMV isn’t required right now and will not actually be required for quite some time into the future, if ever. The October 2015 liability shift doesn’t mandate use of EMV; it just makes the non-EMV merchant liable for transactions made with fraudulent cards. It’s just not that clear to the merchant what the risks of that liability shift are and how they compare to the costs of the EMV upgrade. It’s also not clear whether the requirements will be predominantly chip-and-PIN or chip-and-signature. That’s left up to each card issuer, leaving the card-acquiring entities (merchant and bank card acquirer) unsure of the most cost-effective implementations, though it’s likely that the merchant has to prepare for the worst-case scenario in their implementation strategies.
“In addition, there are a lot of EMV terminal manufacturers and acquirers claiming that their products and services are ‘future-proof,’ which is a bit of a stretch when the processors have yet to define which terminals they will initially certify and support.” — Terry Zeigler, president/CEO, Datacap Systems
“It’s not clear right now who must make the first step toward EMV adoption. Banks, card issuers, merchants, and consumers are at a sort of impasse when it comes to EMV. In the U.S., the banking lobby is a very powerful group that favors the status quo. However, the new EMV regulations are likely to push everyone toward adopting this more secure technology in 2015.” — Russ Harty, SVP key accounts and partner channel, Merchant Warehouse
How Real Are The Liability Shift And Potential Risks Facing Merchants, ISVs, and VARs?
“If a merchant or business decides not to employ EMV — and therefore has a weaker, less secure system in place — it will be held liable in the case of a chargeback, if it clears a fraudulent transaction that would have been prevented by using EMV. And merchants can be subject to penalties from card brands for any breaches that occur.
“Merchants who tend to process only small transactions may decide they’d rather take the chargeback risk than invest in upgrading their payment infrastructure. But we expect most merchants — especially the big ones — to go ahead and make the switch to EMV.
“It’s worth noting that EMV technology alone doesn’t prevent a breach. Instead, it makes card data less valuable — thieves can’t clone it to sell duplicate cards, so they tend to not target EMV payment systems. We have seen firsthand the ‘fraud migration’ that occurs in EMV-adopting countries. What that means is that fraudsters will move to the path of least resistance. If a terminal is newer and more secure and is EMV-enabled, they will likely forgo that device and look for an older, less-secure device to commit fraud against. Merchants who don’t upgrade to EMV will be at much greater risk to be targeted for breaches because they will be seen as easier marks.” — Allen Friedman, director of payment solutions, Ingenico Group
“Very real. With what happened at Target and other retailers, the card brands are going to hold tight to the deadline of October 2015 for the liability shift.” — Michael English, executive director, product development, Heartland Payment Systems
“Given past mandates and penalty threats, unless there is a breach, the threat is very, very low.” — Shelley Plomske, VP of product, Total Merchant Services
“The threat is the shift of liability going to the party, issuer or acquirer and merchant, not supporting EMV or who has the least amount of support for EMV. This is very similar to when PCI Council began to fine for PCI breaches. Until a breach occurred and the Associations started to give out their respective fines, no one fully understood the ramifications. PCI breaches brought out the need for breach insurance, so perhaps we will begin seeing the same for EMV insurance for merchants. Currently, most U.S. merchants are not in position to support EMV, so this liability shift could open a flood gate for chargebacks and miscreant behavior for those using an EMV-ready card.” — Rick Taylor, CEO, BridgePay Network Solutions
“We believe that the threat is real and that the penalties of noncompliance will be handed down to those who are not ready. For that reason, it is our belief that a large push of unprepared VARs may transpire midway through 2015.” — Bill Lodes, director of developer partnerships, TSYS