The Green Sheet Online Edition
February 23, 2015 • Issue 15:02:02
EMV readiness becomes a numbers game
The deadline by which most retailers must have EMV-compliant payment terminals in place and working is fast approaching. And depending upon who is running the numbers, the U.S. marketplace is either well positioned or seriously unprepared for the new security regimen.
EMV (for Europay, MasterCard and Visa) is an international standard for the interoperability of chip cards and chip-reading POS devices that's intended to protect card data from being hacked at the POS and throughout the acquiring stream. Under a migration schedule backed by major card brands, most merchants should be using EMV-compliant terminals by Oct. 1, 2015. (Gas stations with pay-at-the-pump terminals have two additional years to comply.)
Thereafter, if payment card data captured using noncompliant POS terminals becomes compromised, the noncompliant merchant who ran the cards becomes the de facto cause of the breach and is on the hook for all associated losses.
In October 2014, the Payments Security Task Force predicted that "at least 47 percent of U.S. merchant terminals will be enabled for chip-card acceptance" by the deadline. Visa Inc. and MasterCard Worldwide created the task force, whose members include representatives of banks, credit unions, processors, acquirers and merchants. Its estimates are based on forecasts from acquirers who together handle about 80 percent of U.S. card purchases.
A recent report from the consultancy Boston Retail Partners predicted EMV terminal deployment is about to spike, with 650 percent more retailers planning to support EMV transactions by October than were ready last fall. "Retailers recognize the severity of this real risk [of being hacked] and are making it a top priority for 2015," said Ken Morris, a principal with the firm.
However, according to the Merchant Advisory Council, only 15 percent of an estimated 13.9 million POS devices at U.S. merchant locations are EMV compliant. And Avivah Litan, Vice President at Gartner Inc., said the migration is going so slowly that merchants and acquirers should be prepared to support both EMV and mag-stripe transactions for at least another five years.
A January 2015 ACI Worldwide survey undertaken on behalf of the National Retail Federation revealed that just 12 percent of retailers are compliant. An additional 19 percent said they were confident of having EMV-compliant devices at their checkouts by October.
Globally, figures released by EMVCo show 30 percent of all card-present transactions using the six major card brands were done with chip cards between June 2013 and June 2014. EMVCo is a technical body owned by American Express Co., Discover Financial Services, JCB International, MasterCard, China UnionPay and Visa. Its data reflects authorization traffic reported by acquirers.
It's not that retailers aren't concerned about card data breaches. "Data breaches are top-of-mind for retailers," said ACI Vice President Lynn Holland, who noted that most retailers are spending (or planning to spend) more on payment security. "[Y]et a sizable number of those surveyed are not fully prepared for meeting EMV timelines," she added.
As for EMV-compliant cards, the EMV Migration Forum (a cross-industry advocacy group created by the Smart Card Alliance) said about 120 million Americans had received chip cards as of early February.
Appearing at the SCA payments summit in early February, Kimberly Lawrence, Senior Vice President of Global Corporate Initiatives at Visa, predicted EMV cardholder numbers will increase nearly five-fold this year. The result: chip cards will represent about 71 percent of credit cards and 41 percent of debit cards in Americans' wallets by year end, Lawrence said.
Those numbers mesh with projections released in 2014 by the consultancy Aite Group LLC. Lawrence added that by Visa's count, nearly 80 percent of credit cards in U.S. consumers' wallets today are from issuers certified by Visa as EMV-ready.
AmEx recently said all of its card products are now available in EMV. Karen Czack, AmEx Vice President, Global Chip Products, revealed during the SCA's payments summit that the card company is also moving to dual interface chip cards, which can support both contact and contactless payments.
On the acquiring side, most EMV terminals support both contact and contactless payments. "Almost everything we deploy supports both," said Jeffrey Bohlin, Director of Product Development at Worldpay Inc.
Cost a big impediment
Some analysts have warned that EMV could slow the checkout process, making merchants nervous. But the most talked-about impediment to EMV adoption is cost. Javelin Strategy & Research estimated that the combined costs for issuers and merchants that migrate to EMV-compliant cards and terminals will ultimately exceed $6.8 billion.
Compliance costs are especially high for gas stations. "Most of the pay-at-the-pump technology out there is really outdated," said Impact PaySystem LLC President and Chief Executive Officer Dee Karawadra, who has agents selling into that vertical. To achieve EMV compliance the devices and support software all have to be replaced; it also requires upgrades to supporting technologies and peripherals.
AmEx is offering to help merchants defray the cost of migrating to EMV terminals. It has earmarked $10 million and is offering payouts of $100 to qualifying merchants who have upgraded their terminals, provided they apply for the money by April 30, 2015. To qualify, merchants must have less than $3 million in annual AmEx charge volume.
Prices increase with sophistication, but some EMV-compliant terminal models retail for under $200, and individual peripherals for under $100. According to experts, gas stations can spend $2,500 to $4,000 for each pump that has a card reader. For grocers the outlay can run as high as $1,000 per lane.
Several ISOs and acquirers are offering free or discounted EMV devices as incentives for clients and prospects to become compliant. Taking a different approach, Heartland Payment Systems Inc. is providing free one-year warranties against breaches for clients running payments through its Heartland Secure line of terminals. (After the first year an $8.33 per month fee kicks in for each covered device.) Heartland Secure terminals, in addition to being EMV compliant, support encryption and tokenization.
In its January 2015 announcement about the warranty, Heartland stated that if the encryption component of a Heartland Secure device fails, leading to a breach, Heartland will reimburse merchants for any resulting fines, fees or assessments they have to pay to card brands, issuers and acquirers.
Combining EMV with encryption and tokenization makes for a powerful weapon against card data threats, said Michael English, Heartland's Executive Director of Product Development. "Through encryption and tokenization, a merchant eliminates clear text card data, so if their network is breached there is no card data to steal and monetize," he said.
All the leading device manufacturers and leading acquirers support both encryption and tokenization, as well. "While EMV is getting lots of attention, it's not the Holy Grail, or even the first or second line of defense against credit card hackers," said Perry Kramer, Vice President at Boston Retail Partners. "A multitiered approach, with a combination of encryption, tokenization, and EMV is the key to a successful payment security platform."
Interest in encryption and tokenization, as well as EMV, has grown with the proliferation of high-profile data breaches, Litan noted. "Although these three security technologies have been around for years, interest in them soared after [recent high-profile breaches], and many enterprises have adopted much more aggressive implementation timetables than they would have otherwise," Litan wrote in a recent blog post. "However, in the march to roll out these enhanced security systems some vulnerabilities and conflicts have surfaced."
Criminals are discovering these vulnerabilities and using them to defeat EMV controls, Litan said. She predicted that at least 5 percent of card issuers will sustain fraud losses this year due to improper EMV implementations.
Experts also expect an onslaught of card-not-present (CNP) fraud as more chip cards hit the market. "What we've seen in every market where EMV has been introduced is that fraud migrates to the lowest hanging fruit," Bohlin said.
In the U.K., for example, nearly 70 percent of dollars lost to card fraud come from CNP transactions, according to the UK Card Association. In France, card fraud was pretty evenly split between card-present and CNP transactions in 2007. By 2011, following the adoption of EMV in France, CNP fraud accounted for nearly three-quarters of the total, according to the Paris-based Observatory for Payment Card Security.
Bohlin said tokenization can help contain CNP fraud, especially online card fraud. A multipurpose security technique, tokenization can be used to secure data at rest (for example, in a database) and in transit (for example, during processing).
Apple Pay employs tokenization. Instead of storing a user's card number, a token formatted to mimic an actual card number is generated by the device and used to identify the user. The token is stored on an encrypted chip within the iPhone that can communicate with near field communication-enabled devices.
Educating clients and upselling
Many acquirers and ISOs are ramping up education efforts to get clients onboard with EMV. Karawadra said he's planning a telemarketing campaign to explain the EMV requirements and make pitches.
Worldpay has been running a multipronged education program, and when necessary, is connecting clients with experts in EMV planning and implementation. Most of the programs are focused now on Level 4 merchants, Bohlin said. "Larger merchants have been more receptive," he said. "Smaller merchants are still getting their hands around it."
Bohlin added that adapting to EMV will become a necessity as more chip cards get issued, more merchants move to EMV, and fraud migrates downmarket. "Some merchants may not want to be the first, but they certainly don't want to be the last guy to go to EMV," he said.
Also, given that security is a moving target, solutions like EMV will need to be upgraded. Acquirers should have plans for facilitating these upgrades along with new apps, remotely, to minimize customer service headaches, Bohlin said.
One pitch being used to get merchants on board with EMV is that EMV eliminates many of the hassles of complying with the Payment Card Industry (PCI) Data Security Standard (DSS). However, a recent survey conducted on behalf of the Merchant Acquirers Committee found that may not matter, because many merchants still are not PCI compliant.
The survey revealed that PCI compliance rates remain below 70 percent across all merchant levels; at 39 percent, the PCI compliance rate is lowest among Level 4 merchants, said Dr. Branden R. Williams, a technology and information security consultant who conducted the survey for MAC.
EMV is also getting significant attention in the press, as two of the biggest disrupters in the merchant acquiring space – PayPal Inc. and Square Inc. – disclosed plans for EMV card readers to support mobile payment acceptance by micro merchants. PayPal plans an updated PayPal Here reader that can support both EMV and contactless mobile payments in Apple, Android and Windows operating environments later this year. Square started accepting preorders in January for its next-generation device, which supports EMV.