June 2, 2015
Executive Insight: Take the Time to Do EMV Right (Part 1)
By Steve Sommers – Senior Vice President of Applications Development, Shift4 Corporation
U.S. a Unique EMV Market
Four years ago, when the major issuing banks announced their timeline for transitioning to EMV in the U.S., payments industry insiders knew that the U.S. EMV migration would be more complicated than previous implementations around the globe had been. Accounting for more than half of the world’s payment transactions, and being an unregulated payments space, the U.S. market encompasses a wide variety of payments industry players, from merchants, processors, and payment terminal manufacturers to independent software vendors, merchant banks, credit and debit card issuers, and more. The sheer magnitude and unique consumer market make the U.S. EMV migration much more complex than implementations in other countries.
Some Organizations Seek to Generate Fear
Now, as issuers and merchants in the U.S. are adopting EMV, we’re seeing frequent reports that large numbers of U.S. merchants are “unaware” of or “unprepared” for EMV acceptance. Industry trade groups are contesting different aspects of the U.S. EMV liability shift, processors need more staff to process certifications, and on top of all of this – we are learning that EMV won’t solve all of our security problems, namely the data breaches that retailers and others have been plagued with in recent years.
The thing is, these complications in the U.S. EMV migration process were to be expected and had been noted by many experts in the field following the first announcement of the migration in 2011. Since that time, there have been numerous predictions that the U.S. will slowly migrate to EMV, with an estimated completion date of approximately 2020. Yet, as is typical in the way things work, when issuers, merchants, acquirers, or even consumers start worrying that the U.S. may be “behind” and that merchants may be slow to adopt EMV, a variety of industry players have sought to capitalize on this divide, creating a not-so-comical Chicken Little scenario. The result has been that many merchants are getting pressured to make large investments in implementing EMV the wrong way simply to be able to accept EMV cards according to a perceived “mandate” and by a perceived “deadline.”
Yes, EMV is coming. But no, the sky isn’t falling. I can’t express this enough. The EMV liability shift date is coming and – still – the sky isn’t falling.
Remember: EMV Implementations Must Be Done Correctly to Bring Value
This isn’t to say that EMV doesn’t have a purpose and place in improving how we authenticate transactions at the point of sale. It absolutely will help to prevent the use of fraudulent cards in stores much better than traditional magnetic stripe cards. However, EMV is not 100% secure, EMV implementation is a complicated process, and upgrading payment terminals can be expensive. Implementing EMV right the first time is important. Merchants need to know that if someone is pressuring them to make a large investment or sign a new contract as a component of their migration to EMV, it is essential to take a step back, consider what’s being proposed, and consult their business operations and legal teams appropriately in order to take the precautions necessary to make the truly correct move for their business – not what organization A, B, or C is trying to sign them up for to become EMV-capable exactly by October 1, 2015.
As Hall of Fame basketball player John Wooden once proposed: “If you don’t have the time to do it right, when will you have time to do it over?” and he added to the sentiment with, “Be quick, but don’t hurry.”
The True Nature of the EMV Liability Shift
EMV marketing ploys, especially after the Target and Home Depot breaches last year, have exacerbated the confusion surrounding EMV. And, as the EMV liability shift date – which at this time is absolutely not a mandate – gets closer, the various parties pressuring merchants to adopt EMV urgently are creating a misplaced sense of panic, leading merchants to adopt the quickest EMV solution possible, not necessarily the correct solution.
For example, in some cases:
- Merchants are being urged to adopt EMV solutions that don’t incorporate point-to-point encryption (P2PE) or tokenization. These technologies can help prevent breaches and simplify PCI compliance. Further, they can help prevent sensitive payment card data from being stolen in the first place, which is the primary source of counterfeit cards. Additionally, implementing EMV solutions that lack these technologies may in fact put merchants in harm’s way, as some of the solutions may expose networks and other POS infrastructures to card data and change the merchants’ PCI-DSS landscape.
- Merchants are being pressured to move from an integrated payment solution to a standalone solution simply because an organization they work with has certified for EMV with a standalone payment terminal, but not an integrated payment terminal.
In either of these cases, how would moving to a solution that further exposes the merchant’s environment to breaches or that removes key time- and money-saving accounting and security functionalities be a move forward? The possibility of moving to a poor implementation of EMV is especially concerning when all merchants get in return is protection from a very specific segment of fraud that they may not be liable for anyway.
After all, the key shift in liability at stake with EMV is from the card issuers to the acquirers, also known as the merchant banks where merchants hold their accounts – not directly to the merchants themselves. If a merchant bank is not supporting EMV as of October 1, 2015, then that merchant bank will assume the liability. However, if the merchant bank is EMV capable, then the fraud liability remains with the card issuer.
Merchant Banks Need Their Merchants to Be EMV Ready
How does a merchant bank become EMV ready? The merchant bank must make sure that all technologies related to EMV are certified, able to process and pass all data elements, and perform the processes necessary to accept an EMV payment. In practical terms, this means that the merchant holding an account at that bank must accept EMV cards and use an EMV-capable processing solution in order to “make the merchant bank EMV ready.” This is why some merchant banks are calling merchants and pressuring them to get ready for EMV fast.
Check Your Contracts – Are You Liable?
But the fact is that EMV may not even be accounted for in a merchant’s current contract. It is very possible that this type of fraud was traditionally considered “zero liability” (liability that was just part of the issuer doing business) and that a merchant’s agreements do not reflect or even anticipate this type of fraud. This means that, based on a merchant’s current contracts, it may not even be possible for the merchant to shoulder the responsibility for that fraud – unless that merchant signs a new contract that waives their protection from it. This is one very important reason why merchants need to be wary of any schemes that require them to re-sign a contract or get into a new contract related to updates for EMV, because any new or updated contract may also be asking the merchant to sign up for more liability than their current contract allows for.
Next month, I’ll go into more detail about the nature of the fraud liability shift and describe the actions merchants can take to ensure that their EMV implementation not only authenticates cards, but also helps to lower their breach profile as part of a true security solution. In the meantime, be wary of any organization forcing a single option for EMV on you – telling you that you must use this one type of device, be ready by this exact date, implement EMV without encryption and tokenization, etc. In these cases, one has to wonder whose benefit the organization is really looking out for, because no two merchant environments are exactly the same.