The Green Sheet, Inc

The Green Sheet Online Edition

March 23, 2015  •  Issue 15:03:02


EMV implementation details urgently needed

By Ken Musante

Everyone knows everything about EMV (Europay, MasterCard and Visa), right? I've sat through conference calls from hardware vendors and security consultants; they all relay similar information. In October 2015, a liability shift will occur such that in the event of a counterfeit card chargeback, the entity with the least secure processing environment will absorb the liability.

This means if our merchants aren't EMV compliant and a counterfeit card chargeback occurs, and the card is an EMV card, our merchants will be liable. Thus, we should identify all card-present merchants who are likely to accept counterfeit cards and ensure they are upgraded.

Quick service issues

This task appears to be linear. We would out-sort all card-not-present merchants, and likely out-sort any quick serve merchants, like bagel shops and bakeries, because their requisite speed of service would be interrupted by having customers insert EMV cards for the length of their transactions.

Further, many quick serve merchants don't have consumer-facing terminals and would have to change their front counter and telecommunications wiring. While this ultimately is the right decision, such merchants shouldn't be the first movers; they'll have the fewest incidents of counterfeit cards, and the risk per incident is relatively low.

Chip and signature, chip and PIN

Further complicating matters is whether we should encrypt and supply PIN pads. This is dependent upon how issuers implement EMV and how processors process each transaction. I've tried to corroborate exactly how chip and PIN transactions will flow versus chip and signature transactions, and I've received differing responses from equipment manufacturers, security vendors and processors.

Additionally, it would help to know what percentage of issuers will adopt chip and signature versus chip and PIN. According to a recent article from Krebs on Security, http://krebsonsecurity.com/2014/10/chip-pin-vs-chip-signature/, Julie Conroy, a fraud analyst with Aite Group LLC, said that, by and large, Visa Inc. is pushing chip and signature and MasterCard Worldwide is promoting chip and PIN. The Obama Administration, too, is promoting chip and PIN.

If all issuers were adopting chip and signature, the procedure for merchants would be similar for all cards. Because some will be chip and PIN, however, merchants and acquirers must be prepared for both situations. It isn't clear how the transaction will be processed and how the liability will flow if a chip and PIN card is presented to a merchant who doesn't have an encrypted PIN pad for online debit or only has an internal PIN pad that isn't configured for online debit.

For example, if a chip and PIN card is presented to a merchant without a PIN pad, what response does the terminal give? What happens to the liability? The equipment manufacturer I spoke with said this depends upon how the processor responds. The security vendor didn't have a definitive answer. The most complete answer I received came from Alex Whetstone of Select Bankcard, who stated, "The card will have a CVM [cardholder verification method] priority list on the chip. This list is determined by the issuer. For example, it might have as top priority offline PIN, then online PIN, then signature, then 'no CVM.'

"The terminal also has a CVM list, and the terminal and the card compare lists and pick the highest priority CVM that matches on both lists. So, in the case of a terminal with no PIN pad, signature would be the highest priority CVM for the terminal, and it would use that. The exception would be, and I'm unclear on whether or not issuers will do this, if the card's CVM list did not include signature at all, then obviously the transaction would not be allowed."

Let's hope all issuers' CVM includes signature as a default, as it gets really odd if that is not the case. When the card is chip and PIN and the terminal doesn't have a PIN pad, liability shifts to the merchant even if the merchant is EMV capable, because the merchant has the least secure method. It stands to reason that if the card is chip and signature, the liability remains with the issuer if the merchant has an EMV reader, regardless of whether the merchant has a PIN pad.

It is further complicated if a chip and PIN card is presented to a merchant who is chip enabled and has a PIN pad that isn't encrypted for online PIN transactions. The most detailed answer I received about this was, again, from Whetstone. Speaking specifically for his processor, he stated, "Since the card and the terminal are in direct contact, no encryption is needed. However, not all EMV transactions are done offline. Online transactions still send the PIN to the host, just like a mag-stripe transaction, so the PIN has to be encrypted in order to be transmitted with our particular processor."
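The CVM matching and the online-PIN encryption requirement described in the two Whetstone quotes above, as an added Python sketch (not code from the article, Select Bankcard or any processor). It models only priority-ordered matching as quoted; actual EMV CVM rules also carry conditions, and the terminal profiles, card lists and field names here are constructed assumptions.

```python
from dataclasses import dataclass

OFFLINE_PIN, ONLINE_PIN, SIGNATURE, NO_CVM = "offline_pin", "online_pin", "signature", "no_cvm"

@dataclass(frozen=True)
class Terminal:
    """Hypothetical merchant terminal profile (field names are assumptions)."""
    name: str
    pin_pad: bool = False
    pin_encrypted_for_host: bool = False  # PIN pad keyed for online PIN
    def supported_cvms(self):
        cvms = {SIGNATURE, NO_CVM}  # assumed available on every chip terminal
        if self.pin_pad:
            cvms.add(OFFLINE_PIN)  # PIN verified by the chip, not sent to the host
            if self.pin_encrypted_for_host:
                cvms.add(ONLINE_PIN)  # PIN goes to the host, so it must be encrypted
        return cvms

def select_cvm(card_cvm_list, terminal):
    """First CVM in the issuer's priority order the terminal supports, else None."""
    supported = terminal.supported_cvms()
    return next((cvm for cvm in card_cvm_list if cvm in supported), None)

def evaluate(card_cvm_list, terminal):
    """Return (selected CVM, True if it is not the issuer's first choice)."""
    cvm = select_cvm(card_cvm_list, terminal)
    return cvm, cvm != card_cvm_list[0]

# Constructed card profiles; the first mirrors the priority order in the quote.
CARDS = {
    "chip_and_pin": [OFFLINE_PIN, ONLINE_PIN, SIGNATURE, NO_CVM],
    "online_pin_first": [ONLINE_PIN, SIGNATURE],
    "pin_only": [OFFLINE_PIN, ONLINE_PIN],  # no signature on the list at all
    "chip_and_signature": [SIGNATURE, NO_CVM],
}
# Constructed terminal profiles for the three merchant setups discussed above.
TERMINALS = [
    Terminal("no_pin_pad"),
    Terminal("pin_pad_unencrypted", pin_pad=True),
    Terminal("pin_pad_encrypted", pin_pad=True, pin_encrypted_for_host=True),
]
def report():
    """Map (card, terminal) -> (selected CVM, fell back from first choice)."""
    return {(c, t.name): evaluate(cvms, t)
            for c, cvms in CARDS.items() for t in TERMINALS}

if __name__ == "__main__":
    for (card, term), (cvm, fallback) in report().items():
        print(f"{card:20} {term:20} -> {cvm or 'DECLINE':12} fallback={fallback}")
```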

PIN validation

The two types of PIN validation, online and offline, are as follows:

Complexity grows with specific terminal types, but my point is we are six months away from the liability shift and most folks, including me, still don't know exactly how we should tool our merchants. Vendors are hosting conference calls but not providing specific advice. Processors are still in the development phase.

So ask your vendors for specifics, for instance: what happens if the cardholder forgets his or her PIN, how does the processor know that no PIN was transmitted because of a forgotten PIN, and what happens if the merchant has a malfunctioning PIN pad?

Ken Musante is President of Eureka Payments LLC. Contact him by phone at 707-476-0573 or by email at kenm@eurekapayments.com. For more information, visit www.eurekapayments.com.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
