The Green Sheet Online Edition
October 26, 2015 • Issue 15:10:02
Assessing the U.S. EMV rollout - Part 1
We wanted our Advisory Board to weigh in on the official launch of EMV (Europay, MasterCard and Visa) in the United States. So we asked them the following questions about the state of EMV implementation in the United States:
- What has your business done to roll out EMV to the merchants? What seems to be working well? Have you encountered any problems with your rollout?
- Do you expect an uptick in card-not-present (CNP) fraud? If so, what steps is your company taking to mitigate it?
- Do you think EMV is going to be effective in securing the U.S. payments system?
- What advice do you have for agents regarding EMV and their merchants?
Following is a portion of their responses. The remaining perspectives shared by Green Sheet Advisory Board members will appear in The Green Sheet, Nov. 9, 2015, issue 15:11:01. Many thanks to the industry leaders who took time out from their busy schedules to address these questions.
Mike Fox, CPP, Group ISO
- We started rolling out EMV-ready terminals over two years ago. Although we felt we were getting "ahead of the game" by doing so, many of the processors we work with have taken longer than expected on the EMV Rollout/Roadmap schedules. Some processors still don't have applications ready to load into many of the EMV-capable terminals. I've also seen some processors change their plan of action on what EMV terminals they are going to support moving forward, costing ISOs and agents thousands of dollars in replacement costs.
- My initial thought is yes, but there are so many other security methods/precautions used already for CNP and online payments than are available for retail sales that I don't believe the "uptick" will be as big as many may be thinking. If so, what steps is your company taking to mitigate it? Fraud software and databases, card brand fraud deterrent systems like VBV and MCSC, even just requiring the basics like AVS and CVV/CVV2 will still deter much of what the EMV fraud is focused on stopping. We have to remember that this EMV rollout is meant to prevent just a portion of fraud in a retail environment.
- In my opinion, to an extent, yes. Chip and PIN will reduce card-present fraud a bit more than chip and signature, yet a recent article that I read has shown most issuing banks are choosing to go with chip and signature as of now. This may change over time, but in the end the issuers have control of this.
- First and foremost; I'd recommend acting first, call your merchants and educate them, offer them options and make sure they are competitive. If you don't, someone else will. Stock up on EMV/NFC-capable terminals, as they are already on back order at some suppliers; check with your processors' certifications on their platforms, and make sure they have applications ready and available for the terminals you choose to move forward with, expect merchants to be fed false information about EMV, and have a solid plan of action if you already don't for how to address and educate your merchants.
Ben Goretsky, USA ePay
Is everyone ready? Not even close! Platforms, hardware manufacturers, gateways and processors all may be close but are not 100 percent there. Whether it's not having support for full contact and contactless EMV or support for all card brands … the general consensus is that most entities in our industry are not ready.
Can you blame them? Only 38 percent of U.S. cardholders have an actual EMV-supported card in their wallet, so why cause such a panic in the industry? EMV, in theory, may be a great thing, but personally I don't see it really picking up at least for another two to three years when merchants get the proper education about it (not a scare tactic like most ads are toward the merchants today … Are you ready?!?! ) and not until the actual consumer is more familiar with chip cards; maybe we can get the amount of cardholders who actually have one up to 50 percent in 2015.
The rollout has mostly been scare tactics from ISOs battling ISOs for business. What better way to get a merchant to switch processors and solutions than to scare them into thinking that if they don't support EMV by a certain date, that they may get fined, not be able to process "new EMV" cards or worse, incur an increased amount of fraud. Merchants are already in the dark most of the time about what our industry has to offer, and now we use scare tactics as a selling tool?
And what is all this for, really? To secure transactions. To stop another "Target" attack. Oh, please! What most people have forgotten about the original EMV solution is that it was chip and PIN, not chip and signature. What's the point? Half of what is supposed to make it secure is gone. But don't worry; no one ever fakes someone else's signature, right? EMV with no PIN is like having a safe without a lock on it: it may look secure, but if you take the time to try to open it, everything is there for the taking. Is it more secure that current MSR swipes? Yes. Is it the fix-all for security in the retail environment? Don't think so.
Final words of advice … ISOs, stop panicking! Stop sending your merchants into a frenzy and stop worrying about this Oct. 1 deadline. Inform your merchants about what EMV really is. Educate them about it, and make sure they understand what they will need to do and how you will help them do it. Oct. 1 will come and go and on Oct. 2 everyone will realize that it's just business as usual. EMV is going to happen, but a lot of entities are not ready, so take the time to learn, educate and deploy when ready.
Allen P. Kopelman, Nationwide Payment Systems
- We have sent out emails, called merchants, sent newsletters, articles – the cost of the machines is what merchants don't want to deal with, but as the date is here, now they are reacting, and the cost of some of the equipment has come down in price, which has been helping a bit.
- Card-not-present fraud has always been an issue. In Canada, they have a device that gives the cardholder a one-time use code that they give to the merchant over the phone or enter in on the Internet. That would work great. Why they are not following that in the USA is beyond me. Seems simple – the devices are about $3 each.
- EMV is not going to work – with just chip and signature. We need to move to chip and PIN as soon as possible. Fraudsters are going to figure out how to get around chip and signature and move to the Internet – and without a PIN online for MO/TO and Internet transactions. Right now the EMV solution is a bandaid.
- Call merchants, visit merchants, talk with them and educate them. We keep putting out news stories, etc. It has been somewhat effective, but many merchants have POS systems, and they are waiting on the POS companies, who seem to be far behind.
Additionally, the certifications are moving slowly for the POS companies. Tips are a big issue as well. No one can agree on this at all: tip with the sale - tip adjust: who is going to allow it; who is not going to allow it. There is a lot of bad info out there from POS companies, associations, etc. Merchants are not ready. POS companies are not ready. We have talked to most of the POS vendors, and they are still waiting for solutions to be certified. We have even seen some hardware installed, but it is not certified and not ready to use in most cases, but the hardware is at the location and the merchants are just swiping cards.
Merchants are also not interested in paying for the terminals, but they are quickly finding out that free machines are not really free – once they read the contracts and see the additional fees. Merchants are going to make the switch one way or another – either now or soon. As soon as they get a chargeback or hear about it in the news, they will be calling to get terminals.
Justin Milmeister, CPP, Elite Merchant Solutions
- We have used every means of communication possible from letters, email blasts and direct contact to connect with our client base and roll out EMV to them. We segregated our merchants based on various factors such as card-present versus not-present, volume processed, number of transactions and average ticket. We basically omitted card-not-present merchants first, then went down the line placing various levels of importance to the above factors, and from there we were able to compile a list that would allow us to address the most vulnerable merchants with the liability shift.
For example, a retail merchant that generates large tickets would be prioritized over a retail merchant with smaller tickets as an example. The reasoning for prioritizing this way is simply a merchant with an average ticket of say $1,000 has more to lose than a merchant with a $30 average ticket with the liability shift. I am proud to say a good portion of our clients are EMV ready, and that was due to lots of overtime hours logged by our staff building files and loading EMV-capable terminals to replace older non-EMV-capable point of sale devices. We are now diligently working to get the remaining clients EMV ready, and we anticipate having this completed in the very near future.
We started the process of contacting our merchants sometime ago via letter educating them on EMV and the drop-dead date of Oct. 1, 2015. We sent periodic email blasts following the letter and finally began contacting merchants directly starting around mid-year. None of these were as effective as the media, including newspapers, Internet and other outlets addressing EMV and the "liability shift." Merchants began calling us at a furious pace, concerned and, of course in most cases, grossly misinformed of the reality regarding EMV and the liability shift.
I am not going to lie. It has not been nearly as smooth as I would have liked; however, I have not heard the word "smooth rollout" by any of my colleagues in the industry with respect to EMV. The facts are roughly one out of five cards in circulation have an EMV chip, and the liability shift relates only to a small percentage of EMV cards that are fraudulent and processed in a face-to-face card-swipe environment. I believe it is going to take a few years for this country to get completely EMV ready. Further complicating the EMV rollout is the lack of EMV capable point of sale devices.
- This would certainly be the low hanging fruit, as EMV is fully adopted by merchants. I would expect an increase in card-not-present fraud but nothing outrageous.
My company is consistently communicating with our client base to educate them on what is going on in the payment processing industry, both good and bad. We recently sent our newsletter, along with an email communication, once again breaking down EMV and what it means, who is affected, and what to look out for regarding fraud.
- environment where EMV is designed to protect. My belief is the guys on the bad side are generally two steps ahead of the guys on the good side.
- Keep the merchants informed because many don't understand what EMV is all about and how they are affected. You certainly don't want your clients hearing about EMV from a competitor trying to earn their business.
Michael Nardy, Electronic Payments
- Since September 2015, we have deployed only EMV-enabled equipment on our Free Terminal program. So now that certifications are done and coming out, our merchants can simply have a download, and they are off and running EMV. Having deployed over 5,000 new MIDs last year with Free Terminal Placements, that has allowed for EMV to be a smaller impact on the portfolio. For new and existing merchants, we also have an EMV Upgrade Program for $100, which provides the merchant an EMV-enabled machine. Finally, our Clover Placement Program supports EMV, and we've had a large and positive response from our agents (and new ones too) who are interested in that program.
- We expect an uptick in CNP fraud if other countries' experience in adopting EMV is any indication.
- Educate, Educate, Educate. Learn about the real impacts of EMV on their portfolios and at their businesses.
Steve Sotis, eProcessing Network LLC
- Although most Level 1 merchants are ready, we're seeing that large populations of Tier 2 and Tier 3 merchants are not ready. Many payment gateways are working their way through the morass of testing, and waiting and testing and waiting, based upon the backlog of processor development scheduling.
To help get merchants up to speed as soon as possible, eProcessing Network has developed new EMV/MSR mobile readers for its mobile merchant market and has developed a new USB EMV/MSR card reader for its PC-based payment merchant market. Our ePNMobile app for iOS and Android is also updated for EMV compatibility.
The new ePN hardware and software work perfectly, but we, like most other gateway providers, are up against an association mandate with illogical time frames to get all things completed. With too many variables to contend with, payment gateways are continuously challenged to meet deadlines that will help limit the liability for our merchants.
Not unlike everyone affected within the payments industry, the challenges that eProcessing Network faces are related mostly to resources, time, and managing scheduling limitations with the processors facing certification backlogs due to EMV implementation timelines.
- Possibly, as history has shown how e-commerce fraud increased after EMV was implemented in other countries. However, ePN started in a CNP environment, so we are fairly well-equipped to contend with spikes in CNP fraud activity, and have the infrastructure and experience to help reduce security breaches of sensitive customer data.
As we've maintained for almost 20 years, eProcessing Network manages fraud effectively with the use of custom fraud protection software and tools within the ePN secure network. Our software works seamlessly "behind the scenes" on behalf of our e-commerce merchants.
- It is a strong beginning. EMV implementation as it stands, (chip and signature is primarily used in the United States) will help to mitigate card-present fraud in the United States; it's virtually impossible for thieves to replicate the chip. Chip and PIN, however, will help drive fraud down on the issuing/retail side as it becomes the more accepted form of acceptance, and will greatly benefit the card-present environment. CNP will be the focus going forward until browsers and smartphones can seamlessly use strong authentication routines with fingerprint authentication embedded within apps and browsers.
- Remain calm. At the time of the deadline, only 18 percent of Visa cards issued have the chip embedded, and a fraction (.034 percent) of the 8 million merchants have implemented EMV-accepting terminals into their transaction payment routine. Oct 1, 2015, is just the first in a series of milestones to come, so SMBs need to actively partner with their ISO, processor and/or POS providers to understand what their business needs to become EMV ready.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.