By Naga Jagadeesh
In "Your EMV transition: It gets better," The Green Sheet, Feb. 13, 2017, issue 17:02:01, my colleague Bob Olson and I described how technology frameworks can make your EMV implementation easier, faster, safer and cheaper. That's great, but let's face it: you're not in business to be the cheapest or the fastest. You're in business to compete, sell, prosper, delight your customers, and so on, while also being secure and compliant. (Not exactly parenthetically, that's what the entire country needs – growing companies offering good jobs, better products and steady innovation.)
Yet here we are in 2017, with many of the best information technology (IT) people consumed by the complexities of EMV (Europay, Mastercard and Visa) compliance. Whether you are a merchant, a merchant services provider, ISO or independent software vendor, many of the IT resources you need to innovate and enable your ambitious growth goals are focused on EMV.
As one executive of a large, rapidly growing, consumer-focused company put it, "Look, we want the anti-fraud benefits of EMV as much as anybody. But when I think of all the innovations we are delaying – faster payments, integrated loyalty programs, data analytics, transportation logistics – I really worry about losing our competitiveness, with IT focused mostly on EMV."
It is easy to lose perspective on EMV's anti-fraud value when its implementation hampers your ability to embark on empowering IT initiatives. But fraud is huge, and it exacts an enormous price from merchants today. According to The Nilson Report:
The enormity of those statistics underscores two things: the heavy liability of exposure for all parties involved and therefore the importance of accelerating EMV implementation. And at this stage of EMV implementation, when things are still rocky and faulty, it's easy for things to go wrong, creating liability exposure. It would be unwise for companies to delay EMV compliance.
Needless to say, merchants and other companies are anxious to find ways to limit their liability. One way is to limit their exposure to information they do not need to complete a transaction – such as the cardholder's primary account number, PIN, CVV, full track data from the magnetic stripe or EMV chip data. With EMV, all of that can be delegated straight to the semi-integrated module (pre-certified for a processor) where it can remain unseen and untouched and securely transmitted to the processor.
Currently, merchants are exposed to that data in multiple ways when they perform full integrations or reprogramming. Once exposed, they incur enormous obligations and liability they neither need nor want.
There is another all-too-familiar source of unwanted liability. A customer's card fails or the chip reader is slow, customer get antsy and starts bailing out of line, so the sales person says, "Just go ahead and swipe" without having taken additional steps to verify the card is legitimate. If that purchase turns out to be fraudulent, that's entirely the merchant's liability.
The remedy for such needless exposure is the proverbial "black box" – or semi-integrated system. As in other IT areas, the EMV black box provides the merchant with a pre-certified device or a middleware or a software development kit equipped with standard integration points, without requiring the merchant to know or understand or access any of its internal workings, other than knowing they have been fully certified by the appropriate bodies.
Instead of "knowledge is power," the semi-integrated solution motto is "lack of knowledge is safety."
The semi-integrated solution keeps the merchant immune to sensitive data. When a card is inserted, the black box reads the data and processes it independently of anything within the merchant's control. It brings back the authorization and returns the sensitive data. When the merchant is audited, the use of the black box shrinks the Payment Card Industry audit scope only to aspects the merchant actually touches. All necessary changes can be pushed through the black box, without any user parties having to see or touch sensitive data.
Not only does this offer protection from liability, the EMV semi-integrated solution also preempts extensive integration and customization by each merchant's IT team – and the subsequent testing and certification of each process. In the absence of a semi-integrated system, IT people must load new software on the back-office systems, then they have to go through a lengthy, somewhat arduous, but very important certification process. This cannot be fobbed off on the inexperienced. And, of course, the experienced are hard to find and always overbooked.
Companies that choose the EMV semi-integrated path can immediately free up their IT resources for growth- and customer-oriented advances that also have massive fraud-reduction potential such as cybersecurity and omnichannel integration. Today, with disparate, unconnected channels, fraud management systems have multiple points of potential failure and experience difficulty responding in real time. Once they have a common funneling point for fraud management systems to access, they can prevent catastrophic losses like those caused by the Target and Home Depot breaches.
Additionally, EMV's semi-integrated solution helps companies retain their best IT resources. For now, the supply of EMV expertise falls short of demand, but EMV IT experts know there will come a time when their expertise will be in less demand. It is not surprising that many will soon prefer to devote their efforts to IT specialties that have stronger staying power, for example, artificial intelligence, data analytics.
Companies exist to prosper and compete and not lose their competitive edge by spending all their cycles on achieving EMV compliance. Semi-integrated EMV systems, built as pre-certified solution packages, enable all parties in the EMV compliance chain to shift their best IT resources back to priority business goals and still achieve safe, rapid and full EMV compliance.
Naga Jagadeesh is Vice President, Payment and Loyalty Solutions for U.S.-based ThoughtFocus, the consulting, software engineering and business process management firm. He can be reached at firstname.lastname@example.org.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.Prev Next