February 7, 2017

Executive Insight: Don’t Be Misled by False Claims About EMV

Executive Insight: Don’t Be Misled by False Claims About EMV

By Steve Sommers – Senior Vice President of Applications Development, Shift4 Corporation

The U.S. payments industry has been talking about EMV for years, but it’s still the subject of a lot of inaccuracy and misinformation. I’d like to make a few comments about something that I read recently.

The Quote That Started It All
I came across this article about the U.S. EMV rollout in Digital Transactions. While reading it, my initial thought was, “There’s nothing new here. They’re simply documenting how the EMV rollout went (and still is going) for many U.S. merchants.” Then, in the final paragraph, I read a quote from Molly Wilkinson, executive director of the Electronic Payments Coalition, a lobbying group based in Washington D.C. that represents card networks and issuers:

“Merchant groups have known about the transition to EMV cards for five years, but
instead of getting their act together, they have tried to delay, obfuscate, and reject
this solution – all while leaving customers exposed to hackers and counterfeiters.”

This statement has so many flaws that I’m not sure where to start, and it clearly demonstrates the ignorance of the coalition – or is altogether pushing a blatant lie. Please allow me to dissect this quote one piece at a time.

My First Qualm: Merchant Groups
Let’s start with the mention of “merchant groups” in the quote. Simply put, these are advocates for the merchants, not tools for the card brands’ mandates. They have no control over what the networks support, the various requirements of physically performing an EMV transaction, or the certification requirements of EMV solutions. In fact, merchant groups have little to no role in the supposed five-year preparation window. I’ll delve deeper into this later. But, I would be interested in hearing exactly how these merchant groups supposedly delayed or obfuscated the U.S. EMV rollout.

My Second Qualm: The “Rejection” of the “Solution”
Now let’s discuss this so-called rejection of the solution. There were certainly valid reasons for the objections to the EMV rollout strategy. In my opinion, the largest factor of the U.S. EMV rollout failure was a lack of forethought by the card brands and EMVCo in recognizing the differences in the U.S. marketplace when compared to the way payments work in the rest of the world. EMV for the most part has been a great success in Europe and it was assumed that the EMV “blueprint” could be lifted from Europe and plopped into the U.S. as-is. The problem here is that the European blueprint included a thorough end-to-end testing of the “solution ” – but the solution here is much more complex.

In Europe, a majority of the EMV solutions are simply stand-beside terminals with little or no integration to POS/PMS systems, so certifying a couple of terminal solutions with the limited number of banks in each country is no big deal. However, here in the U.S., there is a diversity of banks, processors, and terminals unseen anywhere else in the world, and a majority of the marketplace here uses fully or semi-integrated solutions with the POS. This translates into an exponentially larger number of “solutions” to certify in the U.S. compared to Europe’s deployment of EMV .

My point is not that one continent’s payments practices are better than another’s, but that they are significantly different – and EMVCo and the card brands failed to recognize this. The blame certainly doesn’t fall on merchant groups, who were simply the bystanders in this situation.

My Third Qualm: The Five-Year Window
Let’s revisit the five-year EMV preparation window. The card brands scheduled out various deadlines mandating when banks and processors should be EMV ready, as well as a liability shift for merchants on October 1, 2015. There were multiple issues here. First of all, as long as a processor could demonstrate a working EMV solution (I’m unsure if certification was required or not at this point), then the mandates were considered to be met. For many processors, their host specifications supporting EMV were not published to their integration partners (like gateways) until around May or June of 2015, just a few months shy of the liability shift date for merchants.

Knowing all of this, it certainly appears that service providers were given an impossible deadline. Most EMV solutions initially took between 4-12 months to certify. It’s a little better now, but not by much. Assuming the specs were published in May, allowing for a 30-90 day development cycle plus a six-month certification, means the average “solution” would have been certified and production ready no earlier than February or March of 2016 – this is a good 4 or 5 months after the EMV liability shift.

Then, we have the October liability shift date itself. Why October? Who picked it? This was just before the holiday shopping season when most merchants (at least larger ones) have technology freezes in place, since it’s their busiest time of year. To me, this seemed like an objectively poor choice to impose this liability shift.

The Cherry on Top
Going back to the quote in question, here’s the doozy: “all while leaving customers exposed to hackers and counterfeiters.” This propagates the misbelief that EMV secures payment data, which it absolutely doesn’t. EMV is a card-present authentication mechanism only. Authentication guarantees (relatively speaking) that the card is authentic and was not forged; it does not stop criminals from stealing the account number and expiration date as it flows through in the clear. You must add point-to-point-encryption (P2PE), sometimes also referred to as end-to-end-encryption or E2EE, to secure the data at physical points of sale, and tokenization to further protect that data in storage – which is why Shift4 requires this type of layered security in our EMV implementations. The U.S. was already making a shift to P2PE, but the problem was that incorporating EMV meant a new batch of uncertified terminals entering into the solution certification chain. In this respect, EMV has actually delayed the adoption of technologies that can give merchants stronger payment security.

As you can see, EMV cannot be brought to the U.S. by taking what worked in Europe, throwing it into our complicated payments industry, and planning on working out the kinks later. It boggles my mind that it is such a headache a year and a half later. With just a little more forethought and careful planning, many of these lingering issues could have been avoided.

For the most accurate and reliable take on EMV, visit our extensive EMV site.