The Green Sheet Online Edition
December 12, 2011 • Issue 11:12:01
EMV, are we there yet?
I was thinking recently about how the new Europay/MasterCard/Visa (EMV) initiative from Visa Inc. could help sales agents boost sales of EMV-enabled terminals to new and existing clients. I asked GS Online MLS Forum members if they were selling EMV terminals or taking a wait-and-see attitude.
CLEARENT was the first to reply. He posted, "Two issues I have with the present push for EMV: 1. Although most ISOs, ISAs, and MLSs [merchant level salespeople] will claim they want to prevent fraud, it's a hard sell to a mom-and-pop merchant who uses a terminal and swipes cards. These types of clients don't see a fraud risk unless they get hit. 2. There are not enough cards issued for the benefit of EMV.
"The latter has been the issue for 15 years when the argument first was presented about smart cards. In 1997 it was the wave of the future. The cost of replacing all the terminals, along with the costs of issuing all new cards, has precluded the rollout.
"Until the marketplace and economy improve, and until banks feel that their revenues have leveled off to an unacceptable level, I don't see either merchants or banks willingly making this investment. It may happen but not in the near- or mid-term."
JESTEP added, "We've been sending chip-enabled terminals when available. Most cost only a few dollars more than their nonchip counterparts. "As far as actually moving to EMV ... It seems to me that unless merchants and, more importantly, cardholders want chip and PIN, it will not ever take hold in the U.S. Banks have little incentive since merchants and processors bear the largest cost of fraud. However, banks will solely bear the cost of issuing EMV cards, which may be nothing compared to replacing existing terminals, but if they don't have to do it, they won't.
"Two of my banks that previously issued chipped cards have since stopped issuing them and went back to standard ones. It seems to me that we are moving away from PIN or chip/PIN authentication rather than toward it, which will be further illustrated when Durbin's regulation settles in.
"News and even logic might tell otherwise, but there has been no compelling movement in the U.S. that would actually suggest we will be making a change anytime soon. The wild card in this would be if the government mandated that the U.S. must move to EMV, which given the overzealous nature of our current administration, it's not something I would throw off the table."
GMARTIN responded, "My two cents, for what it's worth. Chip and PIN will be here within the next five years [with] decent market penetration within the next three. I have always said EMV/smart card will not work here, and that it was just a sales ploy to earn equipment sales. Recently, I've changed my mind on this matter due to the following. First, and most important, is Visa's recent announcement of a liability shift from banks to merchants. This will be a huge motivating factor on the bank's end to issue EMV cards. Second, we are the last to take on EMV, so as time goes on, we will see more card fraud, as the criminals will take the path of least resistance.
"Third is Visa's announcement of the relaxation of PCI reporting for merchants that have both NFC- and EMV-capable terminals at their locations. While this will not really affect small or medium-size businesses to much extent, it will drive the larger chains toward EMV, and the rest will follow.
"Fourth, I would not be surprised at all if the Fed doesn't allow for a penny or two added to regulated interchange for EMV transactions to push us toward a more secure transaction environment. This would be within the scope of the Durbin Amendment, as it allows for fraud prevention compensation.
"I have been putting out EMV-capable terminals for the past three years, unless a merchant insists on a refurbished terminal. The prices are now low enough that there is no significant investment, and I believe this is the best way to keep ahead of the curve going forward."
CCGUY believes there are issues to address. "These technologies are not set in stone with a 'standard,'" he wrote. "I can remember seeing the Hypercom road show and the ICE terminal with a smart card reader, and the Talento with the smart card reader. Where are those terminals now? That was 10 years ago.
"I recall that I once lost a sale based on the smart card reader. The merchant leased a 'smart card' Talento for $79 for 48 months. When the first AmEx customer came in and it did not work, the merchant went nuts. The guy who sold it was nowhere to be found. I went over, put it in demo and it worked. I then told the merchant that his terminal was not going to work. 'Why, asked the merchant?' My answer, 'There is no smart card network.'
"If you get too far out in front of what is going to happen, merchants will have terminals that are not set up for the new standard. One thing, improvements move slowly. Just like PIN pads and 3DES [encryption], how long did that take? And there were a few pretender PIN pads in between. I now have a few hundred PIN pads collecting dust."
CLEARENT added, "We are also forgetting one other component. Are all authorized vendors programmed to receive the data? If they have not built the network and downloads for smart card data reception, all our conversations are moot."
GMARTIN shared further thoughts. "From what I understand, the programming to accept and process EMV cards is not in place as of yet," he noted. "I have heard that there is a 2013 deadline for this to happen.
"It shouldn't be too much of a stretch to implement as most processors have a presence in Europe and already have the capability, albeit to possibly different standards from whatever is implemented here."
I believe the standard for EMV should not be much of an issue, since it's controlled by EMVCo LLC. There are four equal partners in this company: MasterCard Worldwide, Visa Inc./Visa Europe, American Express Co. and JCB International Co. Ltd. Standards for EMV are also being integrated into security standards being developed by the Secure POS Vendor Alliance.
Fox Business reported on an article from CardRatings.com on Aug. 22, 2011 ( www.foxbusiness.com/personal-finance/2011/08/18/emv-chip-technology-coming-to-credit-card-near/.) The article said a number of prominent financial institutions are now issuing EMV cards to affluent clients who frequently travel abroad.
My question is, Why should the standards in the United States differ from those in Europe, Canada or South America? U.S. banks are issuing cards that will work in Europe and elsewhere. With the card brands creating the standards, I would expect the standards for EMV chip cards to be universal.
I don't believe new standards will render older terminals useless. Wireless routers use the standards A, B, G and N. While A and B are incompatible, G is backward compatible with B, and N works with G. It is not good practice to create new standards that will make the current equipment obsolete.
Visa issued a press release Aug. 9, 2011, stating its intention to accelerate EMV chip migration and adoption of mobile payments (http://corporate.visa.com/media-center/press-releases/press1142.jsp). Following is a summary of Visa's initiatives:
- Expand the Technology Innovation Program (TIP) to merchants in the United States. Effective Oct. 1, 2012, Visa will expand TIP to the United States, which will eliminate the requirement for eligible merchants to annually validate compliance with the Payment Card Industry (PCI) Data Security Standard (DSS) for any year in which at least 75 percent of the merchant's Visa transactions originate from chip-enabled terminals.
To qualify, terminals must be able to support both contact and contactless chip acceptance, including mobile contactless payments based on near field communication technology. Contact chip-only or contactless-only terminals will not qualify for the U.S. program.
Qualifying merchants must continue to protect sensitive data by ensuring their systems do not store track data, security codes or PINs; they must also continue to adhere to the PCI DSS as applicable.
- Build processing infrastructure for chip acceptance. Visa will require U.S. acquirer processors and sub-processors to support merchant acceptance of chip transactions by April 1, 2013. Chip acceptance will require service providers to carry and process additional data associated with chip transactions, including the cryptographic message that makes each transaction unique.
Visa will provide additional guidance as part of its biannual Business Enhancements Release for processors to certify that their systems can support EMV contact and contactless chip transactions.
- Establish a counterfeit and fraud liability shift. Visa plans to institute a U.S. liability shift for domestic and cross-border counterfeit card-present POS transactions, effective Oct. 1, 2015. Fuel-selling merchants will have an additional two years, until Oct. 1, 2017, for automated fuel dispenser transactions. Currently, POS counterfeit fraud is largely absorbed by card issuers.
After the liability shift, if a contact chip card is presented to a merchant who has not adopted, at minimum, contact chip terminals, liability for counterfeit fraud may shift to the merchant's acquirer. The liability shift encourages chip adoption since any chip-on-chip transaction (chip card read by a chip terminal) provides the dynamic authentication data that better protects all parties.
The United States is the only nation that has not committed to either a domestic or cross-border liability shift associated with chip payments.
Visa's August release also featured this input from larger retailers:
"As the leading global foodservice retailer, McDonald's already has a great deal of experience with chip technology, including in the U.S. where we have deployed contactless chip terminals to help us serve our customers even faster,' said Dave Weick, Chief Information Officer and Senior Vice President, Shared Services at McDonald's Corp. "We're pleased that Visa has provided a roadmap that will allow us to move towards the next generation of payment technology, while at the same time take advantage of the security benefits of EMV chip and dynamic authentication."
Kevin Knight, Executive Vice President for Nordstrom Inc., said, "Visa's plan to encourage chip adoption and lay the groundwork for mobile payments is a positive development. We appreciate their efforts to promote improved technology so that our customers have more reliable and secure card use and payment for their purchases."
George Peabody, Director, Emerging Technologies at Mercator Advisory Group Inc., stated, "There is no security silver bullet. But smart cards and smart phones using EMV adds a strong layer for payment transaction security as well as online banking, access to medical records and more. The rollout of EMV in the U.S. gets much needed dynamic data into the authentication mix. This is a welcome step toward lowering fraud at the point of sale and online. It's time."
With the initiatives set forth by Visa, and larger banks implementing chip-based cards for certain cardholders, now may be the time to consider selling EMV-capable terminals. Remember, what you do today, determines your tomorrow.
Bill Pirtle is the President of C3ET Credit Card Consortia for Education & Training Inc., a joint venture with Theodore Svoronos of Merchant University. Created to establish a comprehensive training program for ISOs and merchant level salespeople, C3ET is working with industry experts to produce a training guide to be published in early 2012. Bill's email address is firstname.lastname@example.org. He welcomes all connections on Facebook and LinkedIn.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.