The Green Sheet Online Edition
May 13, 2013 • Issue 13:05:01
Impact of EMV and NFC on acquiring
There has been a lot of talk lately about how Europay/MasterCard/Visa (EMV) and near field communication (NFC) chip cards are going to impact the industry. Most of this has been directed at consumers and merchants; the impact it will have on the acquiring community has not been discussed.
Let me assure you, this impact is going to be significant from both an operational and a risk management perspective. Those who have been around enough years to have experienced the conversions to Derived Unique Key Per Transaction- and "truncation"-capable terminals know what you're in for when it comes to upgrading terminals for your entire portfolio and the resistance that will come from your merchants: I just upgraded my terminal five years ago. Why do I have to do this again? You're just trying to rip me off. If you joined the acquiring industry after these conversions occurred, welcome to the party.
From a risk management perspective, there will be some gains, but new risks are associated with the migration. The biggest risks will be related to fraud migration to the card-not-present (CNP) and e-commerce channel, and the shift of fraud liability to the party that has the least secure technology at the POS.
This initiative is not all doom and gloom from an acquiring standpoint. Some relief is built into the card company mandates. It will also facilitate the ability for acquiring entities to integrate closer with their merchants by offering value-added services, such as couponing, loyalty and data mining services. In the end, these will increase both customer retention and revenue.
Defining EMV, NFC and duality
The EMV standard was developed to ensure global interoperability for chip-based payment transactions. The key element of EMV involves the inclusion of dynamic digital data in every transaction. This makes these types of transactions extremely secure and reduces the risk of fraud.
NFC is a short-range, high-frequency wireless communication technology commonly used in contactless cards and mobile phones, as well as for passive radio frequency identification (RFID). Mobile payment applications include retailing, public transportation ticketing and interactive advertising.
Duality, in this context, is the ability to accept either EMV or NFC transactions through the same POS device. All card brand mandates require that merchants be able to accept both EMV and NFC in order to be exempt from fraud liability, to reduce Payment Card Industry (PCI) Data Security Standard (DSS) validation requirements, and to participate in MasterCard Worldwide's Account Data Compromise (ADC) relief program.
How EMV and NFC transactions work
The transaction flow with EMV and NFC payments is much the same as the traditional transaction flow, except for the addition of dynamic authentication and the chip technology that allows the issuer to transmit a unique card verification value with each transaction. This makes it virtually impossible to counterfeit the card if the transaction data is stolen.
While this technology is only available in the card-present environment at this time, it should be noted the card companies are working with computer manufacturers to expand dynamic authentication into the e-commerce space in the near future.
Implications for the acquiring community
The acquiring community needs to consider several issues when facilitating the transition to EMV- and NFC-capable payment acceptance technology. These include the following:
- Upgrade of terminals to support EMV, NFC: As mentioned before, merchants will resist this change. Many will not see the value in migrating to an EMV/NFC-capable terminal and will not want to pay for the upgrade.
To compound matters, the merchants that are going to resist the most are the merchants who can least afford to absorb the fraud liability they will incur by not migrating to an EMV/NFC capable device. So the messaging for this initiative is going to be paramount, from both account retention and risk management perspectives.
Another hidden gem in this technical migration is that going forward, terminal upgrades are going to happen more regularly, and merchants will have to purchase new terminals more often to keep up with the advancement in technology.
While this may increase lease revenues, it will also impact support costs and may require upgrading the resources currently used to support your merchants.
- Increased attacks in CNP space: The card brands have documented that as EMV/NFC use reaches critical mass (more than 60 percent) in a market, both hackers and fraudsters move from the card-present to CNP targets. Thus, it would be wise to examine your merchant PCI compliance validation strategy and recalibrate the definition of "high risk" in your portfolio to include e-commerce merchants (if you have not already done so). You may also want to encourage your e-commerce merchants to consider enhancing their fraud detection tools within the next year or so, so they are in place well ahead of the anticipated market shift.
- Liability shift: Merchants who haven't migrated to an EMV/NFC-capable terminal by Oct. 1, 2015, will be liable for all fraud that occurs within their establishment on cards that are EMV or NFC capable. This represents a significant change for card-present merchants, and must be clearly communicated before the shift, so merchants understand the implications of not upgrading prior to the Oct. 1 deadline.
While we are still a few years away from this deadline, it wouldn't hurt to start thinking about how you will handle the funding of merchants who have not upgraded, considering the additional risk they will pose to your portfolio.
- Account data compromise protection: MasterCard stated that starting Oct. 1, 2013, merchants who have migrated to EMV/NFC-capable solutions will qualify for a 50 percent reduction in card reissuance and fraud reimbursement.
This benefit will increase to a 100 percent reduction on Oct. 1, 2015. To qualify for this benefit, a merchant must have had at least 75 percent and 95 percent of their transactions as of October 2013 and October 2015, respectively, originate from an EMV/ NFC-terminal over the previous 12 months.
- Reduction in PCI DSS validation requirements: All card brands have agreed to waive PCI DSS validation requirements for merchants that have migrated to EMV/ NFC environments, are in good standing relative to their PCI DSS validation, and have not experienced an account data compromise within the last 12 months.
Remember, although the card brands waive the annual validation requirement for qualifying merchants, all merchants must maintain ongoing PCI DSS compliance. Acquirers retain full responsibility for merchants' PCI DSS compliance, as well as responsibility for any fees, fines or penalties that may be applicable in the event of a data breach.
All participants in the payment system must continue to protect sensitive static card account information (including PINs) vigilantly and adhere to industry data security standards such as the PCI DSS, PIN Transaction Security and the Payment Application DSS.
EMV/NFC implementation timeline
Following are important past and future milestones in the U.S. transition to EMV/NFC payment acceptance technology:
Oct. 1, 2012
American Express Co., Discover Financial Services, MasterCard Worldwide and Visa Inc. eliminate the requirement for eligible merchants to annually validate their compliance with the PCI DSS for any year in which at least 75 percent of the merchant's transactions originate from chip-enabled terminals.
April 1, 2013
Visa and MasterCard require that all acquirers and sub-processors make the necessary changes to their systems to ensure they are able to fully process EMV transactions.
Oct. 1, 2013
MasterCard sets ADC relief for merchants who process more than 75 percent of their transactions from an EMV/NFC-capable terminal - 50 percent reduction in card reissuance and fraud reimbursement to issuers.
Oct. 1, 2015
AmEx, Discover, MasterCard and Visa intend to institute a U.S. liability shift for domestic and cross-border counterfeit card-present POS transactions. This liability shift will mean that the entity with the lowest form of technology in the transaction will be liable if the transaction turns out to be fraudulent. For instance, if a fraudulent transaction occurs and the card involved in the transaction was either issued as an EMV- or NFC-capable card and the merchant is not EMV/NFC-capable, then the merchant will pay for the fraud.
Oct. 1, 2015
MasterCard increases ADC relief for merchants that process more than 75 percent of their transactions from an EMV/NFC capable terminal - 100 percent reduction in card reissuance and fraud reimbursement to issuers.
Oct. 1, 2017
AmEx, Discover, MasterCard and Visa expand liability shift to be effective for transactions generated from automated fuel dispensers.
Jim Bibles, Vice President, Business Development at Aperia Solutions, is highly regarded as a payments risk expert. He has excelled at developing and implementing risk-based compliance tools and programs for acquirers and ISOs of all sizes and is widely considered to be an expert in the field Payment Card Industry Data Security Standard compliance. Contact him at firstname.lastname@example.org.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.