By Ken Musante
Eureka Payments LLC
Everyone knows everything about EMV (Europay, MasterCard and Visa), right? I've sat through conference calls from hardware vendors and security consultants; they all relay similar information. In October 2015, a liability shift will occur such that in the event of a counterfeit card chargeback, the entity with the least secure processing environment will absorb the liability.
This means if our merchants aren't EMV compliant and a counterfeit card chargeback occurs, and the card is an EMV card, our merchants will be liable. Thus, we should identify all card-present merchants who are likely to accept counterfeit cards and ensure they are upgraded.
This task appears to be linear. We would out-sort all card-not-present merchants, and likely out-sort any quick serve merchants, like bagel shops and bakeries, because their requisite speed of service would be interrupted by having customers insert EMV cards for the length of their transactions.
Further, many quick serve merchants don't have consumer-facing terminals and would have to change their front counter and telecommunications wiring. While this ultimately is the right decision, such merchants shouldn't be the first movers; they'll have the fewest incidents of counterfeit cards, and the risk per incident is relatively low.
Further complicating matters is whether we should encrypt and supply PIN pads. This is dependent upon how issuers implement EMV and how processors process each transaction. I've tried to corroborate exactly how chip and PIN transactions will flow versus chip and signature transactions, and I've received differing responses from equipment manufacturers, security vendors and processors.
Additionally, it would help to know what percentage of issuers will adopt chip and signature versus chip and PIN. According to a recent article from Krebs on Security, http://krebsonsecurity.com/2014/10/chip-pin-vs-chip-signature/, Julie Conroy, a fraud analyst with Aite Group LLC, said that, by and large, Visa Inc. is pushing chip and signature and MasterCard Worldwide is promoting chip and PIN. The Obama Administration, too, is promoting chip and PIN.
If all issuers were adopting chip and signature, the procedure for merchants would be similar for all cards. Because some will be chip and PIN, however, merchants and acquirers must be prepared for both situations. It isn't clear how the transaction will be processed and how the liability will flow if a chip and PIN card is presented to a merchant who doesn't have an encrypted PIN pad for online debit or only has an internal PIN pad that isn't configured for online debit.
For example, if a chip and PIN card is presented to a merchant without a PIN pad, what response does the terminal give? What happens to the liability? The equipment manufacturer I spoke with said this depends upon how the processor responds. The security vendor didn't have a definitive answer. The most complete answer I received came from Alex Whetstone of Select Bankcard, who stated, "The card will have a CVM [cardholder verification method] priority list on the chip. This list is determined by the issuer. For example, it might have as top priority offline PIN, then online PIN, then signature, then 'no CVM.'
"The terminal also has a CVM list, and the terminal and the card compare lists and pick the highest priority CVM that matches on both lists. So, in the case of a terminal with no PIN pad, signature would be the highest priority CVM for the terminal, and it would use that. The exception would be, and I'm unclear on whether or not issuers will do this, if the card's CVM list did not include signature at all, then obviously the transaction would not be allowed."
Let's hope all issuers' CVM lists include signature as a default, as it gets really odd if that is not the case. When the card is chip and PIN and the terminal doesn't have a PIN pad, liability shifts to the merchant even if the merchant is EMV capable, because the merchant has the least secure method. It stands to reason that if the card is chip and signature, the liability remains with the issuer if the merchant has an EMV reader, regardless of whether the merchant has a PIN pad.
It is further complicated if a chip and PIN card is presented to a merchant who is chip enabled and has a PIN pad that isn't encrypted for online PIN transactions. The most detailed answer I received about this was, again, from Whetstone. Speaking specifically for his processor, he stated, "Since the card and the terminal are in direct contact, no encryption is needed. However, not all EMV transactions are done offline. Online transactions still send the PIN to the host, just like a mag-stripe transaction, so the PIN has to be encrypted in order to be transmitted with our particular processor."
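The CVM negotiation Whetstone describes, and the liability reasoning in the preceding paragraphs, can be modelled in a few lines. This is an added example, not code from the article or from any processor; it simplifies real EMV CVM processing (which also carries condition codes and amount thresholds) to the priority-list matching quoted above, and treats any fall-back from the card's top-priority CVM as the merchant having the less secure method, which is the article's own reasoning taken at face value.

```python
# Added example: simplified CVM matching as described in the article's quote,
# plus the article's reasoning about where counterfeit-card liability lands.
# Real EMV CVM rule processing is richer (condition codes, amount limits);
# those details are omitted here.

OFFLINE_PIN = "offline PIN"
ONLINE_PIN = "online PIN"
SIGNATURE = "signature"
NO_CVM = "no CVM"


def select_cvm(card_cvm_list, terminal_cvms):
    """Return the first CVM in the card's issuer-defined priority list
    (highest priority first) that the terminal can perform.
    Returns None when the two lists share no CVM, i.e. the transaction
    cannot proceed."""
    for cvm in card_cvm_list:
        if cvm in terminal_cvms:
            return cvm
    return None


def liability_outcome(card_cvm_list, terminal_cvms, terminal_is_emv=True):
    """Apply the article's reasoning after the October 2015 liability shift:
    - terminal not EMV capable          -> merchant is liable
    - no common CVM                     -> declined, nothing to charge back
    - terminal performed the card's top CVM -> issuer keeps liability
    - terminal fell back to a lower CVM (e.g. PIN card, no PIN pad)
                                        -> merchant has the less secure method
    (Assumption: any downgrade from the card's top preference counts as the
    merchant being less secure; the article does not rank PIN types.)"""
    if not terminal_is_emv:
        return "merchant"
    chosen = select_cvm(card_cvm_list, terminal_cvms)
    if chosen is None:
        return "declined"
    return "issuer" if chosen == card_cvm_list[0] else "merchant"


if __name__ == "__main__":
    # Constructed scenarios from the article: a chip-and-PIN card versus
    # terminals with no PIN pad, an offline-only PIN pad, and a full PIN pad.
    pin_card = [OFFLINE_PIN, ONLINE_PIN, SIGNATURE, NO_CVM]
    terminals = {
        "no PIN pad": {SIGNATURE, NO_CVM},
        "offline-only PIN pad": {OFFLINE_PIN, SIGNATURE, NO_CVM},
        "online-capable PIN pad": {OFFLINE_PIN, ONLINE_PIN, SIGNATURE, NO_CVM},
    }
    for name, caps in terminals.items():
        print(f"{name:24} -> {select_cvm(pin_card, caps):12} "
              f"liability: {liability_outcome(pin_card, caps)}")
```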
The two types of PIN validation, online and offline, are as follows:
Complexity grows with specific terminal types, but my point is we are six months away from the liability shift and most folks, including me, still don't know exactly how we should tool our merchants. Vendors are hosting conference calls but not providing specific advice. Processors are still in the development phase.
So ask your vendors for specifics, for instance: what happens if the cardholder forgets his or her PIN, how does the processor know that no PIN was transmitted because of a forgotten PIN, and what happens if the merchant has a malfunctioning PIN pad?