The Green Sheet Online Edition
March 10, 2014 • Issue 14:03:01
The EMV clock is running
W ith a drop-dead deadline of October 2015 looming over U.S. adoption of Europay/MasterCard/Visa (EMV) technology and recent breaches involving major retailers, proponents of EMV are ratcheting up the rhetoric. Senior executives from both Visa Inc. and MasterCard Worldwide put the card industry on notice that there is no time left to debate the move from mag stripe to chip and PIN authorizations for securing U.S. credit and debit card payments.
Also, the National Retail Federation released an infographic in February 2014 explaining to members and consumers why they should embrace chip and PIN technologies. "You wouldn't want to rely on a signature to get cash out of an ATM, so why rely on a signature when you use a credit or debit card?" Craig Shearman, Vice President of Government Affairs Public Relations at the NRF, asked in a Feb. 25 blog post discussing the group's position on EMV.
EMV refers to a set of standards for securing card payment data that is widely used in Europe and Asia. The underlying objective is to ensure global interoperability and acceptance of secure card payments. The acronym refers to the original creators of the standard, Europay (now part of MasterCard), MasterCard and Visa. All the major card brands now back EMV.
In the 15 years since it was introduced, EMV has evolved from a chip card specification; it now includes several other enabling technologies, such as EMV contactless. In January, EMVCo, the technical body that oversees the EMV standards process, launched a new initiative to standardize payment tokenization. Tokenization replaces a payment card account number with a unique token, which ensures that merchants and processors do not store payment card information.
Christina Hulka, Chair of the EMVCo board of managers, described tokenization as a natural next step for EMV. "We recognize that applying EMVCo's expertise in identifying and implementing a common infrastructure in this area will make online and mobile transactions simpler and safer for all payment stakeholders," she said in a statement about the project.
At present, however, the focus is on getting everyone on board with chip and PIN interoperability, and the United States has been a major holdout. A timetable for U.S. migration set April 2013 as the date by which all merchant acquirers had to be able to support merchant acceptance of EMV chip cards. A liability shift from issuers to acquirers will begin October 2015 for counterfeit card fraud losses originating at non-EMV compliant terminals. Acquirers can be expected to pass on those losses to noncompliant merchants who become breached.
In an open letter published by CNBC.com on Jan. 30, Chris McWilliams, President of North American Markets at MasterCard, took banks, merchants and others to task for "posturing and finger pointing" over recent data breaches and EMV migration. "[N]ow is the time to migrate to EMV in the U.S.," McWilliams wrote.
MasterCard Chief Executive Officer Ajay Banga echoed those comments the next day during an earnings call. According to a transcript of the call, he said, "We've got to get ahead of this going forward. Otherwise you're going to have this keep coming. The more often it happens the worse it feels."
Visa CEO Charlie Scharf delivered a similar message during that company's Jan. 30 earnings call. Recent high-profile card data breaches (like those involving the retailers Target Corp. and Michaels Stores) have been "terribly unfortunate" and should be taken as a wake-up call, Scharf said. He then added, "Visa is committed to ensuring our network operates at the highest level of security available and will continue to move the industry toward the adoption of new safeguards, including EMV chip and tokenization."
George Peabody, Senior Director at Glenbrook Partners LLC, said he's not surprised by the rhetoric over EMV, or that it has found its way to corporate boardrooms. "It's amazing, really, how the reputational costs of prior breaches, although significant, have not reverberated across the culture in a big way," Peabody said. "I think everybody recognizes now that damage to the brand can be a lot worse than financial damage."
Shifting fraud to CNP?
EMV, however, is no silver bullet. "There needs to be a change, and EMV is certainly a strong way to address one particularly pernicious type of attack," namely data breaches, Peabody said. But it isn't effective when the merchant being breached operates in a card-not-present environment.
In fact, most experts expect CNP fraud to skyrocket after the U.S. migration to EMV. "We've seen this trend," said Anush Amiryants, Executive Vice President at Signature Card Services, headquartered in Los Angeles. "It's been the same every place EMV has been deployed."
To protect against that outcome, Signature and other ISOs are encouraging online merchants to implement additional security with tools like 3D Secure (previously known as Verified by Visa). MasterCard, JCB International and American Express Co. also have adopted 3D Secure (under their own names, for example, MasterCard Secure Code and J/Secure). "For now this is the only solution available as an additional security layer for online transactions," Amiryants said.
Meanwhile, the push is on to get EMV terminals into millions of brick-and-mortar stores that are using outdated hardware – essentially any terminals installed before 2007, when EMV devices started rolling off production lines. Some ISOs and acquirers are giving away EMV-compliant terminals, concluding that the liability costs far outweigh the cost of the devices. "But there are many ISOs out there who can't afford to do that," Amiryants noted.
Signature has been giving away devices since June 2013. Every new merchant the company has boarded since then has received an Ingenico EMV device free of charge, Amiryants said. The same policy applies when merchants send non-EMV compliant terminals in for servicing.
Signature also has trained call-center employees to encourage customers to accept free EMV-compliant terminals, no matter what their reason for calling. "We explain to them why they need EMV, that it's simple [to use] and it's not going to cost them anything," Amiryants said. "We tell them the faster they do it the better."
Despite the heavy push, Amiryants estimated that only about 40 percent of Signature's merchant base is EMV compliant today. "October 2015 just doesn't seem realistic," she said, referring to the EMV deadline for terminal compliance.
If the deadline is missed, it could prove costly to merchants, as well as to their ISOs and acquirers, should there be breaches, said Barry McCarthy, President, Financial Services at First Data Corp. "Visa and MasterCard have been very clear that they are not moving away from the liability shift that occurs in October 2015," he said. "October 2015 is a firm date. It's going to stick."
Meeting the deadline may seem a monumental task, but high-profile breaches like Target's drive home the gravity of the situation. "EMV would have helped in those situations," McCarthy said. He pointed out that some older terminals can be retrofitted for EMV compliance. For example, he said two of First Data's older terminals (the FD 100 and 200) incorporate a USB port that can be used to support EMV protocols.
Security doesn't stop at EMV
Just how much protection EMV will provide against card fraud is unclear, however, since, at least for the foreseeable future, chip cards will also include mag stripes containing sensitive account data. That's why additional security steps, like encryption and tokenization, will remain important offers for ISOs and acquirers. "Security is much more than EMV," McCarthy said.
Peabody agreed. "Security is about layers, and this is adding another layer," he said of EMV.
End-to-end encryption and tokenization also have received much attention.
First Data offers a solution, TransArmor, that combines hardware-based encryption with card-based tokenization to protect data from the point of entry through the entire processing stream. Using token numbers in place of cardholder data virtually eliminates the possibility that card data will be stolen. Merchants can use the token later to access the data for business and/or marketing purposes.
(On the issuing side of the card business, First Data teamed with Oberthur Technologies, a leading provider of smart cards, to get more EMV-compatible cards in the market, McCarthy noted.)
Ingenico, a leading provider of smart card terminals, has been betting big on EMV, and it seems to be paying off: in 2012 the company said it had shipped 5 million EMV terminals. In February 2014, Ingenico reported it had shipped its 5 millionth contactless EMV-compliant terminal.
Several leading U.S. acquirers and ISOs have agreements to help develop or have been certified to distribute Ingenico's Telium line of EMV compliant devices. These include Total System Services Inc., Heartland Payment Systems Inc., POS Portal and Vantiv LLC. Heartland, which sets up merchants with its proprietary E3 terminal (supporting end-to-end encryption) said in 2013 it was teaming with Ingenico to manufacture POS terminals that support EMV as well as end-to-end encryption.
The Durbin effect
One of the biggest obstacles to widespread implementation of EMV terminals has been an unintended consequence of the Durbin Amendment. Aside from capping allowable interchange on debit card payments, the Durbin Amendment also directs the Fed to require that debit card issuers provide for merchant choice of clearing networks. That's not an easy task because every debit card network has proprietary network technologies and application identifiers (AIDs). And the debit card networks haven't been keen to share AIDs with each other and the major card brands.
That's beginning to change, however. A group representing the leading debit card networks and using the moniker DNA (for Debit Network Alliance), was recently formed to address this challenge. Its recommendation: the DNA will own and govern a universal standard and license it to AmEx, Discover Financial Services, MasterCard and Visa. That was followed in short order by an announcement from Visa and First Data that they would be collaborating on an AID that meets the challenges of both EMV migration and Durbin. (First Data owns the STAR debit network; STAR is also a member of the DNA.)
Visa said the new common solution will support issuer choice and flexibility, as well as merchant routing choices, without costly reprogramming. McCarthy believes the arrangement between First Data and Visa will speed marketplace migration to EMV. "This is really a major step forward," he said. "We think it's a good model [of cooperation] for issues like this that are purely technical."
Of course, the Fed's implementation of the Durbin Amendment remains clouded in legal arguments. A 2013 federal court ruling faulted the Fed's rulemaking under the Durbin Amendment and ordered the Fed back to the drawing board to come up with a lower debit interchange cap. U.S. District Court Judge Richard J. Leon also took issue with the debit network routing provisions the Fed imposed through its rulemaking (contained in Regulation II). The Fed is now appealing the court ruling.
Despite the legal complications, experts in the field believe it is critical to get ISOs and merchants on board with EMV. "We need to be focused on the education side of this," Amiryants said. This means not just getting merchants on board but getting them to understand why it's so important. "ISOs have got to educate merchants about this. Merchants will pay you back with respect and loyalty," she said.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.