The Green Sheet Online Edition
September 12, 2011 • Issue 11:09:01
What does Visa's U.S. EMV push mean?
We are all students in the payments industry. And Visa Inc. recently upped the ISO and merchant level salesperson (MLS) education ante by pushing the U.S. market to adopt Europay/MasterCard/Visa (EMV) contact and contactless chip technology. Visa stated this will "help prepare the U.S. payment infrastructure for the arrival of NFC-based mobile payments by building the necessary infrastructure to accept and process chip transactions that support either a signature or PIN at the point of sale." An EMV card uses a computer chip rather than a mag stripe for transaction authentication. ISOs now must quickly discern what EMV means, how it works, and when and where the technology should be installed.
The EMV card
EMV chips are embedded as a matter of course in cards used throughout Europe and much of the rest of the world. Such cards use "dynamic authentication" to verify that a given card being presented for payment is, in fact, valid: the chip computes a unique cryptogram for every transaction, so data captured from one purchase cannot simply be replayed or written onto a counterfeit card. Mag stripe cards, almost universally used in the United States, are considered less secure than EMV cards because they rely on "static" data in the magnetic stripe to authenticate cards; that data is identical in every transaction, and a skimmed copy of it is a working clone.
"Dynamic authentication is the key to securing payments into the future," Visa Chief Enterprise Risk Officer Ellen Richey said. "Adding dynamic elements to transactions makes account data less attractive to steal and takes more merchant systems out of harm's way, shrinking the battlefield against criminals. The migration to chip technology will be an important security layer and a critical step in a comprehensive strategy to use dynamic authentication across all markets and all channels."
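To make the static-versus-dynamic distinction concrete, here is a toy issuer-side model written for this page. It is an added illustration, not Visa's or EMVCo's code: real EMV cards derive per-transaction session keys from an issuer master key and compute the Application Cryptogram (ARQC) over many more data elements than shown here. HMAC-SHA256 stands in for that MAC, the PAN and keys are constructed sample values, and `ChipCard`, `Issuer` and `demo` are names chosen for the example.

```python
"""Toy model: static (mag-stripe) vs. dynamic (chip) card authentication.

Simplifications (assumptions of this example, not EMV's real design):
  - HMAC-SHA256 truncated to 8 bytes stands in for the EMV ARQC MAC.
  - The cryptogram covers only ATC + amount + terminal nonce.
  - PAN, keys and amounts below are constructed sample data.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class ChipCard:
    """A chip holding a card-unique key. The key never leaves the card; only cryptograms do."""
    pan: str
    key: bytes
    atc: int = 0  # Application Transaction Counter, increments every transaction

    def stripe(self) -> bytes:
        # Static track data: the same bytes every time, so a skimmer's copy is a clone.
        return f"{self.pan}=2512".encode()

    def arqc(self, amount: int, unpredictable_number: bytes) -> tuple[int, bytes]:
        # Dynamic data: MAC over counter + amount + terminal nonce, unique per transaction.
        self.atc += 1
        msg = self.atc.to_bytes(2, "big") + amount.to_bytes(6, "big") + unpredictable_number
        return self.atc, hmac.new(self.key, msg, hashlib.sha256).digest()[:8]


@dataclass
class Issuer:
    keys: dict[str, bytes]                              # PAN -> card key
    last_atc: dict[str, int] = field(default_factory=dict)

    def authorize_stripe(self, track: bytes) -> bool:
        # Static authentication: the issuer can only check the data matches what it issued.
        pan, _, exp = track.partition(b"=")
        return pan.decode() in self.keys and exp == b"2512"

    def authorize_chip(self, pan: str, atc: int, amount: int, un: bytes, arqc: bytes) -> bool:
        key = self.keys.get(pan)
        if key is None:
            return False
        if atc <= self.last_atc.get(pan, 0):          # counter must advance: rejects replays
            return False
        msg = atc.to_bytes(2, "big") + amount.to_bytes(6, "big") + un
        expected = hmac.new(key, msg, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, arqc):  # wrong key, amount or nonce: rejected
            return False
        self.last_atc[pan] = atc
        return True


def demo() -> dict[str, bool]:
    card_key = secrets.token_bytes(16)
    card = ChipCard("4000123412341234", card_key)   # constructed sample PAN
    issuer = Issuer({card.pan: card_key})

    skimmed_track = bytes(card.stripe())            # what a skimmer captures once
    results = {
        "stripe_genuine": issuer.authorize_stripe(card.stripe()),
        "stripe_clone": issuer.authorize_stripe(skimmed_track),   # clone is indistinguishable
    }

    # Chip: a genuine transaction, fully observed by an attacker on the wire.
    un = secrets.token_bytes(4)
    atc, arqc = card.arqc(2500, un)
    results["chip_genuine"] = issuer.authorize_chip(card.pan, atc, 2500, un, arqc)
    # Replaying the captured cryptogram as-is: ATC has not advanced.
    results["chip_replay"] = issuer.authorize_chip(card.pan, atc, 2500, un, arqc)
    # Bumping the counter and the amount without the card key: MAC fails.
    results["chip_forged"] = issuer.authorize_chip(card.pan, atc + 1, 99999, un, arqc)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:15s} {'APPROVED' if ok else 'DECLINED'}")
```

The `stripe_clone` case is the whole argument for the migration: the issuer has no way to tell a skimmed copy from the original. The chip cases show why captured data loses its value: a replay trips the counter check and any alteration trips the MAC, and the cryptogram cannot be regenerated without the key inside the card.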
For cardholder verification, Visa said it will continue to support a range of methods globally, including signature, PIN and no-signature for low-value, low-risk transactions. "In the longer term, we expect that the use of static verification methods such as signature and PIN will be reduced or eliminated entirely as new and dynamic forms of cardholder verification are implemented," Visa stated.
EMV has been shown to improve card security. When Australia introduced EMV technology a few years ago, skimming fraud fell 25 percent, the first drop ever seen in skimming statistics there. Also, the European ATM Security Team reported a 55 percent drop in ATM fraud after chip-and-PIN technology was introduced there.
This doesn't mean EMV technology is invulnerable to fraud. For example, in 2010, researchers at the University of Cambridge demonstrated a man-in-the-middle attack on chip-and-PIN: a device inserted between a genuine card and the terminal let the terminal believe the correct PIN had been entered while the card believed signature verification had been used, so the cardholder verification step was bypassed and the researchers could complete transactions with any PIN in real-world tests. Also driving Visa's emphasis on EMV adoption is that the technology can be used securely with ISIS, the mobile platform created by AT&T Mobility, Verizon Wireless and T-Mobile in an effort to set the standard for mobile phone payments.
The largest card brands (Visa, MasterCard Worldwide, Discover Financial Services and American Express Co.) are backing ISIS, which now competes with other mobile payment schemes launched by technology industry giants such as Google Inc. and PayPal Inc. It is not clear at this early date in the mobile payments revolution which current technology, if any, will win the race for mobile payments dominance.
Paul Martaus, President of payment systems research consulting company Martaus & Associates, said, "The chip card is an anachronism; it's not important. What is important is that Visa is a member of ISIS. They are trying to come up with mobile commerce standards everybody can rely on. EMV authorization can be adapted to mobile. The next step is the adoption of end-to-end encryption."
Boon to ISOs
Ken Musante, President of Eureka Payments LLC, a processing and acquiring business with an emphasis on card-not-present and wireless payments, said there is a general feeling the move to EMV will help ISOs. "This will be beneficial to ISOs because more merchants will be able to accept payments," he said. But the customers won't rush to embrace the technology, he added. "Retailers will wait until the deadline to acquire this technology," he said. "The demand will drive down the price. The new Visa policy will only help ISOs."
Martaus also feels the Visa mandate will be a boon to ISOs. "There are 6 million merchants out there who need to adopt the technology," he said. "What is happening right now across the board is processors and a ton of ISOs are charging $50 per month for merchants to be PCI compliant. They charge for upgrades to keep them compliant, and they charge more if they are not compliant. This is a strategic move from Visa. Ninety percent of the transactions come from big-box stores."
However, EMV still has value for the smaller merchants, Martaus stated. "Visa can't make them go with EMV," he said. "But if they want to save money, this is the way to go. If I were an ISO, I'd be all over this. 'Pay me $200, and I'll stop charging you $50 a month to be PCI compliant.' Who wouldn't want to do that?"
According to Cindy Merritt, Assistant Director of the Retail Payments Risk Forum at the Atlanta Federal Reserve Bank, ISOs and MLSs should keep in mind merchants may balk at paying for new EMV terminals.
"The merchant community in particular has rightfully expressed concerns over the infrastructure investment costs for card acceptance terminals," she said. "While they acknowledge the need to migrate to a more secure payment system that does not rely on outmoded magnetic stripe card technology, they understandably want a future-proof investment strategy." Merritt added that Visa's plans to accelerate chip migration, and the adoption of mobile payments "may just provide the clarity in direction and sufficient incentives to get merchants moving" to embrace EMV.
U.S. Merchant Services founder, President, and Chief Executive Officer Steve Norell said merchants should have been educated regarding EMV advantages years ago. "The ISOs need to help merchants see the value in preventing fraud rather than seeing the return on investment right away," he said. "The sales of POS terminals mean revenue."
Norell noted that Visa's attempt to introduce chip-and-PIN into the United States 13 years ago failed - and some ISOs fell with it when they tried to frighten merchants into adopting the chip-and-PIN technology before merchants understood the program or were ready for it. He also said Visa may face too many roadblocks for EMV implementation in the United States unless the company "really comes down heavy making [EMV adoption] mandatory at the ISO level."
PCI incentive, liability shift
To encourage EMV adoption, Visa is offering the Technology Innovation Program (TIP). "TIP will eliminate the requirement for eligible merchants to annually validate their compliance with the PCI DSS for any year in which at least 75 percent of the merchant's Visa transactions originate from chip-enabled terminals," Visa stated.
POS terminals must accept both contact and contactless payments, including near field communication (NFC) and mobile payments, to qualify. The merchant must also demonstrate compliance with all other goals and requirements of the Payment Card Industry (PCI) Data Security Standard (DSS) to be eligible for TIP compliance relief. "By encouraging investments in EMV contact and contactless chip technology, we will speed up the adoption of mobile payments, as well as improve international interoperability and security," Visa Global Head of Product Jim McCarthy said.
To further promote EMV adoption, Visa is instituting a fraud liability change. After Oct. 1, 2015, liability for counterfeit card-present POS fraud will shift to the merchant's acquirer when a chip card is presented at a POS system that is not EMV compliant (at minimum, contact chip-enabled). Currently, as long as a merchant has followed the acceptance procedures and obtained an authorization, the card issuer is liable for counterfeit card-present POS transactions.
"The liability shift encourages chip adoption since any chip-on-chip transaction (chip card read by a chip terminal) provides the dynamic authentication data that helps to better protect all parties," Visa said. The United States is the only country in the world that does not have a chip payments liability shift, Visa noted.
Potential PCI wrinkles
Panoptic Security CEO Tim Cranny, whose company specializes in PCI DSS compliance, believes EMV should be adopted because, even though it has security flaws, it is an improvement over mag stripe technology. But he is not in favor of TIP.
"It is a genuine mistake for Visa to say if you do this you don't need annual PCI verification," Cranny said. "Letting merchants slide on validation is a mistake. What is needed is a new, friendlier SAQ [self-assessment questionnaire]. They need to make validation easier rather than make it go away."
Approved scanning vendors (ASVs) perform the quarterly external vulnerability scans that the PCI DSS requires of merchants' Internet-facing systems. Andrew Weidenhamer, Audit and Compliance Manager for SecureState LLC, an information security management firm and ASV in Cleveland, noted that EMV technology is not bulletproof.
"There are still potential holes," he said. "If a major vulnerability surfaces, it could be a potential problem." Weidenhamer also noted that installing EMV technology won't reduce the scope of PCI compliance, but it will reduce costs because the business will not have to annually revalidate compliance for Visa.
"Although I am all for advancing technology which makes processes more secure, the notion that just because organizations are using more secure technology, they don't need to be formally audited, seems to be a bit ridiculous," he wrote in a recent blog post. "I think it is probably safe to assume that if a company is not required to have an on-site assessment performed, there is a very good chance they will become complacent in keeping up with the evolving PCI DSS."
Steve Robb, Vice President of Operations for ControlScan Inc., a PCI compliance company focusing on small to midsized businesses, said EMV adoption "is likely to occur quickly for the large multinational companies but adoption will take much longer, if ever, for smaller companies. I think this announcement causes confusion at the merchant level. There's no immediate savings for them. It doesn't make them PCI compliant."
Martaus believes TIP will have a positive impact. "Based on the fact that merchants have been screaming for quite some time to relieve them of PCI burdens every year, this does that," he said, adding that it doesn't eliminate liability for merchants, acquirers or issuers.
"It just gets rid of the paperwork," he noted. "Some of these big-box merchants are paying $10 million to $20 million to be PCI compliant every year."
The future of payments
Despite Visa's EMV push, many experts say there is no indication that EMV will win out over other forms of secure payments in the fight for consumer preference. Rod Hometh, President and founder of RocketPay LLC, which specializes in global e-commerce and international merchant acquiring, believes the current explosion of technology needs to sort itself out before the market can determine where the industry is headed.
"I think overall we are entering an era in payments where we are making significant technological advancements," Hometh said. "This technology is directed to Level 3 merchants, which is many ISOs' bread and butter." A Level 3 merchant is considered a midsized business processing between 20,000 and 1 million e-commerce transactions a year (see sidebar).
Merchant levels and PCI DSS validation requirements
Following are descriptions of established merchant levels, along with their respective PCI DSS compliance validation requirements:
- Level 1 comprises all merchants, regardless of acceptance channel, who have Visa and MasterCard transactions totaling 6 million and up per year, as well as any merchant who has experienced a data breach.
- Validation requirement: Annual onsite review and report on compliance prepared by a qualified security assessor (QSA), or an internal audit signed by a company officer, in addition to a quarterly network security scan done by an approved scanning vendor (ASV).
- Level 2 comprises all merchants, regardless of acceptance channel, whose Visa and MasterCard transaction total is from 1 million to 6 million per year.
- Validation requirement: Completion of PCI DSS self-assessment questionnaire (SAQ) annually and a quarterly network security scan and compliance certification done by an approved ASV.
- Level 3 comprises all merchants whose Visa and MasterCard e-commerce transaction total is from 20,000 to 1 million per year.
- Validation requirement: Completion of the SAQ annually and a quarterly network security scan and compliance certification done by an approved ASV.
- Level 4 comprises all merchants who do not fall into the other levels: merchants processing fewer than 20,000 Visa or MasterCard e-commerce transactions per year, as well as all other merchants processing up to 1 million Visa or MasterCard transactions per year.
- Validation requirement: Completion of an annual SAQ is recommended. A quarterly network security scan done by an approved ASV is required of merchants who have networks.
Hometh believes educating merchants and ISOs about the new technologies is the key to developing market strategies. "People are going to need to know where they are going to go to get the cleanest, most robust lines of communication on the subject," he said. "ISOs and acquirers are going to have to do a much better job educating merchants and consumers."
Hometh predicted early adopters of the right technology will have a significant advantage. "Those who are prepared and stable will dominate the market," he said, adding that determining the "right" technology can be tricky.
Hometh thinks it is important to be sure ISOs, MLSs, merchants and acquirers keep their options open. For instance, the move to mobile payment is so new the hardware and software are still evolving. "We really don't know where payments are going to be in two years," he said.
Hometh said the winners are likely to be the ones with the deepest research and development pockets who can produce products that integrate most easily with other devices.
The role of ISOs and MLSs
Hometh believes that, no matter what technology wins out, ISOs and MLSs will remain central to the payments industry and they will have to know what impact new technology will have on their merchants.
"The alternative payments companies like Google and PayPal are looking at consolidating the payments market, but they don't understand the market well enough yet to know what is going on," Hometh said. "If they participate in payments at Level 2 [1 million to 6 million transactions annually] and Level 3 merchants, the ISOs are the way in."
He predicted ISOs will soon be focusing more on introducing suite packages and applications to Level 1 merchants (more than 6 million transactions annually) because soon there may be no terminals - processing will be handled with swipes through devices attached to smart phones or tablets.
The good news for the U.S. market is that EMV technology has already been tested in much of the rest of the world, he added.
"I don't see the U.S. market worrying about how to take chip cards for very long," he said. Hometh expects Visa will further incentivize its move to EMV and that MasterCard will jump in with its own EMV push soon, along with its own incentives to foster a transition to EMV.