April 5, 2016
Executive Insight: EMV – 6 Months Later
By Steve Sommers – Senior Vice President of Applications Development, Shift4 Corporation
If you are in the payments industry, you probably cannot remember the last time you went a full day without hearing the word “EMV.” I certainly can’t.
And, if you are anything like me, EMV has likely given you more than your fair share of headaches and maybe even a few sleepless nights.
For years, EMV in the U.S. was discussed in the future tense. Merchants would talk about what things will be like when EMV is implemented. You would think that with all of the preparation, everyone would have been ready when it came, right? Not even close.
April marks six months since the liability shift, and I’d like to give my two cents on how U.S. EMV is going. I’ll give you a sneak peek – it’s not going to be pretty. As a whole, the implementation of EMV and its liability shift was a disaster, and the payments industry is still trying to get to where it purportedly should have been last year.
So, kick off your shoes and let me tell you a story – the story of EMV.
Chapter 1: A Brief History of EMV
Our story begins in 1995. The movies Braveheart and Casino were all the rage, AOL and beepers were considered cutting-edge technology, and the first version of EMV had just been released by EMVCo, an organization made up of and regulated by the world’s leading card brands. You see, even though it is just making its way to the United States, EMV technology has been around for more than two decades and has already become commonplace around the world, including most of Europe – the “E” in EMV does stand for Europay, after all. In fact, EMVCo claims that 33% of global transactions last year were processed using EMV cards.
So why is the U.S. so late to the game? The U.S. market is extremely complex for several reasons. First, the sheer size of the market and the number of individuals and groups involved made EMV an enormous undertaking. Most nations have a handful of government-backed banks that govern payments; in the U.S., there are hundreds. Also, many merchants outside the U.S. use independent, standalone payment terminals, while most U.S. merchants have more complex, integrated payment systems. Finally, EMV is much more than a simple new feature; it is a complete paradigm shift for the industry. The rules for payment processing changed, and EMV certification requires a great deal of coding and system restructuring.
In the U.S., sights were set on the liability shift date of October 1, 2015. The card brands expected – or at least hoped – that all U.S. merchants would be EMV-ready by this date. It was a slow start, given the fact that roughly 8% of U.S. merchants were actually accepting EMV cards on day one. This number has since grown, but the majority – especially small to medium-sized businesses – were left behind.
Chapter 2: The Empty EMV Promise
EMV was touted as a new technology that was going to propel the U.S. into the next generation of secure payments. It came during “the year of the data breach” and was billed as the panacea to prevent another Target- or Home-Depot-level breach. Unfortunately, this is not what EMV was designed to do. EMV covers only one area of payments – card-present fraud. EMV does nothing in terms of actually securing payment data. The main function of the EMV chip is to authenticate credit and debit cards in order to prevent the use of lost, stolen, or counterfeit cards.
A potential side effect of EMV is that, while it reduces card-present fraud, we may see a rise in card fraud and data breaches in card-not-present environments where EMV cannot be used. Hackers are a very adaptable bunch. If you lock a door, they will try to climb through a window. To stay protected, merchants need to be one step ahead of the bad guys. It’ll be interesting to see if fraud in e-commerce businesses increases in the U.S. because of EMV, as it has in other markets where EMV has been adopted.
It is easy to pick on EMV because it is new, but I think it has potential to be a valuable addition to the payment space once it gets past its growing pains. Time will tell, but as it stands six months later, EMV has yet to make the impact on the industry that many thought it would.
Chapter 3: The Many Ways U.S. EMV Went Wrong
Now to the big one. The promises that EMV still hasn’t delivered.
The biggest folly in the EMV rollout is how difficult it has been for most merchants to adopt it. The certification process alone takes months. Large big-box retailers with virtually unlimited influence and resources had little problem getting set up by October 1, while everyone else has been left with a huge uphill battle.
To add to the confusion, several processors have jumped the gun by adding new requirements to their EMV certifications midstream. For example, Visa suggested a policy – after the October liability shift date, mind you – that merchants who want to process EMV should also be equipped to accept NFC (near-field communication) by 2018. The processors heard this and took it as “do it now!” This meant that ISVs, device manufacturers, and service providers who were in the middle of their EMV certifications had to go back to the development process to incorporate more than a dozen additional use cases supporting contactless forms of payment in their coding before they could complete their certification. This knee-jerk reaction by the processors is further delaying merchant adoption of EMV today for the sake of supporting contactless EMV which, by Visa’s own admission, is still years away.
I’m seeing another concerning trend in the industry. As merchants scramble to find an EMV solution as soon as possible, their acquirers take advantage of the situation by pushing them into installing standalone terminals. While these standalone solutions may work as a “quick fix” for merchants, they provide a long list of significant disadvantages, including added costs, more work, and a higher risk of a data breach. As we’ve advised merchants before – take the time to do EMV right.
The marketed purpose of EMV promised to make things easier and safer. Merchants would get hit with less fraud and fewer chargebacks, and consumers could have one more security barrier between them and the hackers that want their card numbers. Why, then, are payments providers having such a difficult time getting through the certification process? The complexity of the U.S. payments market combined with the short and unrealistic lead time that the industry was given to prepare has led to significant and costly confusion.
As of right now, it seems like EMV has caused the industry more problems than it has solved. In the words of Obi-Wan, “You were the chosen one. You were supposed to bring balance to the Force, not leave it in darkness.”
Chapter 4: The Lessons We Learned
Now that the dust is settling after the liability shift date, let’s take a look at what we can learn from it. The bottom line is that EMV is not the security cure-all that it was marketed to be. Most merchants have shiny new terminals, but are they really more secure than they were before EMV? The sad truth is – no. At least not if they haven’t taken the additional steps necessary to ensure that their environments have a comprehensive security solution in addition to EMV’s added authentication capabilities.
The best approach to EMV is to think of it as one piece in your payment security “suit of armor.” You can have the best helmet around, but it does you very little good when someone is attacking your legs. Merchants should layer additional solutions on top of each other to protect as many entry points as possible. Modern payment processing environments are becoming more complex and unique, and there simply isn’t one magical solution that will cover every access point you have.
Merchants who rely solely on EMV leave their environments so vulnerable that it is a near certainty that they will be breached at one point or another. Like I said, EMV protects against card-present fraud; it doesn’t do anything related to card data security in your systems or network. In fact, some EMV terminals actually push card data in cleartext on the back end – so much for security! For this reason, we strongly urge our merchant customers to use EMV with point-to-point encryption (P2PE) and tokenization solutions. We call this the payment security trifecta.
- Tokenization is a technology that Shift4 knows a thing or two about, given the fact that we invented it in 2005. Our TrueTokenization® solution replaces cardholder data (CHD) with a random, alphanumeric value, or TrueToken®. This token does not have a one-to-one or mathematical correlation with the card number, and therefore cannot be decrypted and used for future fraudulent transactions in the case of a data breach.
- P2PE is a vital layer of security for any card-present payment processing environment, including mobile points of sale. Shift4’s True P2PE™ encrypts CHD at its first point of interaction with the payment terminal. By doing this, the actual card data never enters or travels through the merchant’s payment system.
- EMV helps to prevent instances of card-present fraud by using a microchip to authenticate the card or cardholder.
With these three technologies working together, merchants are able to protect their card data from every direction. Merchants have so much to lose from a data breach – time, money, customer trust in their brand. Why would they not do everything they can to protect themselves? The more solutions a merchant can employ, the better equipped they will be against the bad guys.
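The tokenization bullet above describes replacing CHD with a random value that has no mathematical link to the card number. The Python sketch below is an added example, not Shift4's TrueTokenization code or part of the original article; `TokenVault`, `find_pans`, and the sample card number are hypothetical names and constructed data, and it shows why a merchant database that holds only tokens exposes no card numbers when it is stolen.

```python
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits


def luhn_ok(value):
    """True if value is 12-19 digits and passes the Luhn check used by card numbers."""
    if not value.isdigit() or not 12 <= len(value) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(value)):
        d = int(ch) * 2 if i % 2 else int(ch)   # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0


class TokenVault:
    """Hypothetical in-memory vault; in practice it sits outside the merchant's systems."""

    def __init__(self, length=16):
        self._length = length
        self._pan_by_token = {}  # the only place a token can be mapped back to a PAN

    def tokenize(self, pan):
        if not luhn_ok(pan):
            raise ValueError("not a valid card number")
        while True:
            # Token comes from a CSPRNG, never derived from the PAN.
            token = "".join(secrets.choice(ALPHABET) for _ in range(self._length))
            # Assumption of this sketch: never issue an all-digit or duplicate token.
            if not token.isdigit() and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token):
        return self._pan_by_token[token]  # KeyError for a token the vault never issued


def find_pans(records):
    """Return stored values that look like real card numbers (what a breach would expose)."""
    return [v for v in records.values() if luhn_ok(v)]


TEST_PAN = "4111111111111111"  # constructed sample: a widely used test number, not a real card
vault = TokenVault()
# The merchant stores only tokens; the same card gets a fresh token on each call.
merchant_db = {"order-1001": vault.tokenize(TEST_PAN), "order-1002": vault.tokenize(TEST_PAN)}
```

Running `find_pans` over a real order or log store is the same check in reverse: any hit is cardholder data that tokenization should have kept out.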
I recently went to a sandwich shop that had an EMV terminal. There was a piece of paper sticking out of the EMV slot that read “Sorry. Not Yet.” This should not be happening in April. Six months is more than enough time to implement a piece of technology that we’ve been talking about for years. How was this mishandled so badly?
From my perspective, the card brands are trying to do too much too soon with EMV. The priority should have been to first get it out in the wild, and then fill in the cracks with new features and updates. Instead, merchants were left in the dust while their service providers jump through hoop after hoop trying to certify. Meanwhile, millions of EMV terminals go unused. This is not a case of trying to run before we can walk; we’re trying to fly a jet before we’re potty trained.
EMV has promise – when it’s part of a complete solution. Shift4 can help you implement the full trifecta and we can do it today. We currently support EMV with five processors and more are expected in the coming weeks and months. Call us and let us get you on the path to EMV AND true security.