The Green Sheet Online Edition
March 23, 2015 • Issue 15:03:02
EMV implementation details urgently needed
Everyone knows everything about EMV (Europay, MasterCard and Visa), right? I've sat through conference calls from hardware vendors and security consultants; they all relay similar information. In October 2015, a liability shift will occur such that in the event of a counterfeit card chargeback, the entity with the least secure processing environment will absorb the liability.
This means if our merchants aren't EMV compliant and a counterfeit card chargeback occurs, and the card is an EMV card, our merchants will be liable. Thus, we should identify all card-present merchants who are likely to accept counterfeit cards and ensure they are upgraded.
Quick service issues
This task appears to be linear. We would first set aside all card-not-present merchants, and likely set aside quick serve merchants, like bagel shops and bakeries, as well, because their requisite speed of service would be interrupted by having customers insert EMV cards for the length of their transactions.
Further, many quick serve merchants don't have consumer-facing terminals and would have to change their front counter and telecommunications wiring. While upgrading is ultimately the right decision, such merchants shouldn't be the first movers; they'll have the fewest incidents of counterfeit cards, and the risk per incident is relatively low.
Chip and signature, chip and PIN
Further complicating matters is whether we should supply PIN pads, and whether those PIN pads must be encrypted. This depends upon how issuers implement EMV and how processors process each transaction. I've tried to pin down exactly how chip and PIN transactions will flow versus chip and signature transactions, and I've received differing responses from equipment manufacturers, security vendors and processors.
Additionally, it would help to know what percentage of issuers will adopt chip and signature versus chip and PIN. According to a recent article from Krebs on Security, http://krebsonsecurity.com/2014/10/chip-pin-vs-chip-signature/, Julie Conroy, a fraud analyst with Aite Group LLC, said that, by and large, Visa Inc. is pushing chip and signature and MasterCard Worldwide is promoting chip and PIN. The Obama Administration, too, is promoting chip and PIN.
If all issuers were adopting chip and signature, the procedure for merchants would be similar for all cards. Because some will be chip and PIN, however, merchants and acquirers must be prepared for both situations. It isn't clear how the transaction will be processed and how the liability will flow if a chip and PIN card is presented to a merchant who doesn't have an encrypted PIN pad for online debit or only has an internal PIN pad that isn't configured for online debit.
For example, if a chip and PIN card is presented to a merchant without a PIN pad, what response does the terminal give? What happens to the liability? The equipment manufacturer I spoke with said this depends upon how the processor responds. The security vendor didn't have a definitive answer. The most complete answer I received came from Alex Whetstone of Select Bankcard, who stated, "The card will have a CVM [cardholder verification method] priority list on the chip. This list is determined by the issuer. For example, it might have as top priority offline PIN, then online PIN, then signature, then 'no CVM.'
"The terminal also has a CVM list, and the terminal and the card compare lists and pick the highest priority CVM that matches on both lists. So, in the case of a terminal with no PIN pad, signature would be the highest priority CVM for the terminal, and it would use that. The exception would be, and I'm unclear on whether or not issuers will do this, if the card's CVM list did not include signature at all, then obviously the transaction would not be allowed."
Let's hope every issuer's CVM list includes signature as a default, as it gets really odd if that is not the case. When the card is chip and PIN and the terminal doesn't have a PIN pad, liability shifts to the merchant even if the merchant is EMV capable, because the merchant has the least secure method. It stands to reason that if the card is chip and signature, the liability remains with the issuer if the merchant has an EMV reader, regardless of whether the merchant has a PIN pad.
It is further complicated if a chip and PIN card is presented to a merchant who is chip enabled and has a PIN pad that isn't encrypted for online PIN transactions. The most detailed answer I received about this was, again, from Whetstone. Speaking specifically for his processor, he stated, "Since the card and the terminal are in direct contact, no encryption is needed. However, not all EMV transactions are done offline. Online transactions still send the PIN to the host, just like a mag-stripe transaction, so the PIN has to be encrypted in order to be transmitted with our particular processor."
The two types of PIN validation, online and offline, are as follows:
- Offline PIN: The PIN value is stored securely in the chip. During authorization processing, if a PIN is required, the terminal (POS device) can transmit the PIN entered by the cardholder to the card for verification in one of two ways: plain text or enciphered. With plain text, the PIN is delivered to the card by the terminal in the clear; since the card and the terminal are directly connected to each other, this is considered acceptable from a security standpoint. With enciphered, the PIN is delivered to the card by the terminal encrypted under an RSA key provided by the card.
- Online PIN: The PIN validation value is stored on the host – First Data Corp., MasterCard, Visa, STAR, etc. During authorization processing, if a PIN is required, the terminal (POS device or ATM) transmits the PIN to the host encrypted in a PIN block. This is the standard PIN offering available for mag-stripe transactions.
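The list matching Whetstone describes above, combined with the online/offline PIN distinction just listed, can be modelled in a few lines. The following Python is an added example, not code from the article, from Select Bankcard or from any vendor, and it is deliberately simplified: real EMV CVM rules also carry condition codes (amount thresholds, "if terminal supports the CVM") and the terminal records the outcome in the TVR and CVM Results; those are omitted. The card and terminal profiles are constructed for illustration, not real issuer or processor configurations.

```python
# Added example (not from the article): simplified EMV CVM selection.
# The card carries a priority-ordered CVM list, the terminal advertises
# what it can perform, and the first card entry the terminal supports wins.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

OFFLINE_PIN = "offline PIN"
ONLINE_PIN = "online PIN"
SIGNATURE = "signature"
NO_CVM = "no CVM"


@dataclass(frozen=True)
class CvmRule:
    """One entry of the card's CVM list (hypothetical simplified form)."""
    method: str
    # EMV rules carry a bit saying whether to try the next rule when this one
    # cannot be applied; when it is clear, CVM processing stops with a failure.
    apply_next_if_unsuccessful: bool = True


@dataclass(frozen=True)
class Terminal:
    """Merchant terminal capabilities relevant to CVM selection."""
    has_pin_pad: bool = False
    # Whether the PIN pad can build an encrypted PIN block for the host.
    # As the article notes, online PIN is only possible when it can.
    pin_pad_encrypts_for_online_pin: bool = False

    def supported_cvms(self) -> Set[str]:
        supported = {SIGNATURE, NO_CVM}
        if self.has_pin_pad:
            # Offline PIN travels card <-> terminal over the contact
            # interface, so it needs no host-side PIN block encryption.
            supported.add(OFFLINE_PIN)
            if self.pin_pad_encrypts_for_online_pin:
                supported.add(ONLINE_PIN)
        return supported


def select_cvm(card_cvm_list: List[CvmRule], terminal: Terminal) -> Optional[str]:
    """Return the first card CVM the terminal supports, or None when CVM
    processing fails (no common method, or a rule forbids falling through)."""
    supported = terminal.supported_cvms()
    for rule in card_cvm_list:
        if rule.method in supported:
            return rule.method
        if not rule.apply_next_if_unsuccessful:
            return None
    return None


# Constructed card profiles (not real issuer configurations).
CHIP_AND_PIN_CARD = [CvmRule(OFFLINE_PIN), CvmRule(ONLINE_PIN),
                     CvmRule(SIGNATURE), CvmRule(NO_CVM)]
CHIP_AND_SIGNATURE_CARD = [CvmRule(SIGNATURE), CvmRule(NO_CVM)]
# The case Whetstone flags: a card whose list never allows signature.
PIN_ONLY_CARD = [CvmRule(OFFLINE_PIN),
                 CvmRule(ONLINE_PIN, apply_next_if_unsuccessful=False)]
ONLINE_PIN_ONLY_CARD = [CvmRule(ONLINE_PIN, apply_next_if_unsuccessful=False)]

# Constructed terminal profiles matching the article's three situations.
NO_PIN_PAD = Terminal()
INTERNAL_PIN_PAD = Terminal(has_pin_pad=True)   # not configured for online PIN
ENCRYPTED_PIN_PAD = Terminal(has_pin_pad=True, pin_pad_encrypts_for_online_pin=True)


def cvm_matrix() -> Dict[Tuple[str, str], Optional[str]]:
    """CVM chosen for every card/terminal combination defined above."""
    cards = {"chip+PIN": CHIP_AND_PIN_CARD, "chip+signature": CHIP_AND_SIGNATURE_CARD,
             "PIN-only": PIN_ONLY_CARD, "online-PIN-only": ONLINE_PIN_ONLY_CARD}
    terminals = {"no PIN pad": NO_PIN_PAD, "internal PIN pad": INTERNAL_PIN_PAD,
                 "encrypted PIN pad": ENCRYPTED_PIN_PAD}
    return {(c, t): select_cvm(card, term)
            for c, card in cards.items() for t, term in terminals.items()}


if __name__ == "__main__":
    for (card, terminal), cvm in cvm_matrix().items():
        print(f"{card:16s} at {terminal:18s} -> {cvm or 'CVM failed'}")
```

Running the block prints the full matrix. The two rows worth studying are the chip+PIN card at a terminal with no PIN pad, which falls through to signature exactly as Whetstone describes, and the online-PIN-only card at an internal, unencrypted PIN pad, which fails because the terminal cannot produce the encrypted PIN block the host requires.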
Complexity grows with specific terminal types, but my point is we are six months away from the liability shift and most folks, including me, still don't know exactly how we should tool our merchants. Vendors are hosting conference calls but not providing specific advice. Processors are still in the development phase.
So ask your vendors for specifics, for instance:
- What happens if the cardholder forgets his or her PIN?
- How does the processor know that no PIN was transmitted because of a forgotten PIN?
- What happens if the merchant has a malfunctioning PIN pad?
Ken Musante is President of Eureka Payments LLC. Contact him by phone at 707-476-0573 or by email at firstname.lastname@example.org. For more information, visit www.eurekapayments.com.