July 7, 2015

Executive Insight: Take the Time to Do EMV Right (Part 2)


By Steve Sommers – Senior Vice President of Applications Development, Shift4 Corporation

Last month, we talked about how some organizations are pressuring merchants to rush into EMV solutions instead of urging merchants to take the time to adopt a strategic approach to EMV. This month, I’ll review some of the nuances of the EMV liability shift and recommend a thoughtful approach to security using the trifecta of point-to-point encryption (P2PE), EMV, and tokenization.

EMV Fraud Liability Remains Murky
The largest segment of fraud the EMV liability shift relates to is counterfeit card fraud. This is because, according to Visa®, whose logo is on the largest segment of credit and debit cards, the liability shift pertains only to counterfeit fraud, not to fraud from lost or stolen cards. The problem is that merchants haven’t historically had access to this type of detailed fraud information (e.g., whether the card used at their location to commit fraud was counterfeited, lost, or stolen), and it is very difficult to pinpoint.

The card brands’ approach to EMV in the U.S. appears to amount to stating that there is “no end in sight to data breaches.” And now, merchants are expected to shoulder the burden of implementing a technology that will in most cases only protect them from a very specific segment of fraud, one that they as merchants cannot qualify or quantify. This is concerning for a few reasons:

  1. EMV chip cards have a particular element in the track called the “discretionary data area” that identifies those cards as EMV capable when swiped. Those tracks can be compromised, and the payments industry must anticipate that many will be.
  2. The card brands do not appear to have made a distinction between a “traditional swipe track” and those EMV swipe tracks for the purpose of tracking fraud.
  3. A fraudster could create a counterfeit chip card by using card stock, a fake chip that will fail to read, and a counterfeit track. Because the payment device will be unable to read or write to the fake chip, the device may ask for the counterfeit card to be swiped as a fallback.

Considering this scenario, as in other cases, it remains unclear where the liability will fall. Is an EMV swipe fallback with a counterfeit card, if accepted, part of this fraud liability shift? If the merchant is EMV capable, does the liability remain with the issuer because EMV was attempted or fall to the merchant bank or the merchant because it was a swiped transaction? It’s anyone’s guess at this point.
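The fallback scenario in point 3 is at least something a merchant can watch for on their own terminals. The following Go program is an added illustration, not code from Shift4 or from the original article: it parses a constructed terminal log in a hypothetical key=value format, rolls the entries up per terminal, flags lanes whose rate of chip-failure fallbacks is out of line with the rest, and separately counts chip-capable cards (the page’s point 1) that were accepted as plain swipes with no chip attempt. The field names, the thresholds and the sample lines are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Transaction is one card-present authorization parsed from the hypothetical
// key=value log format below (not any terminal vendor's real format).
// EntryMode is "chip", "swipe", or "fallback" (chip read failed, swipe accepted).
type Transaction struct {
	TerminalID  string
	EntryMode   string
	ChipCapable bool // the swiped track flagged the card as chip-capable
	Approved    bool
}

// TerminalStats aggregates, per terminal, the signals worth reviewing.
type TerminalStats struct {
	Total            int
	Fallback         int // chip read failed, swipe accepted
	ApprovedFallback int // ...and the issuer approved it anyway
	ChipCardSwiped   int // chip-capable card accepted as a plain swipe; chip never attempted
}

// FallbackRate is the share of a terminal's transactions that were fallbacks.
func (s TerminalStats) FallbackRate() float64 {
	if s.Total == 0 {
		return 0
	}
	return float64(s.Fallback) / float64(s.Total)
}

// ParseLine parses e.g. "term=T01 entry=fallback chip=1 approved=1".
func ParseLine(line string) (Transaction, error) {
	var t Transaction
	for _, field := range strings.Fields(line) {
		kv := strings.SplitN(field, "=", 2)
		if len(kv) != 2 {
			return Transaction{}, fmt.Errorf("malformed field %q in %q", field, line)
		}
		switch kv[0] {
		case "term":
			t.TerminalID = kv[1]
		case "entry":
			t.EntryMode = kv[1]
		case "chip":
			t.ChipCapable = kv[1] == "1"
		case "approved":
			t.Approved = kv[1] == "1"
		}
	}
	if t.TerminalID == "" || t.EntryMode == "" {
		return Transaction{}, fmt.Errorf("missing term or entry in %q", line)
	}
	return t, nil
}

// Aggregate parses every line and rolls the results up per terminal,
// stopping at the first malformed line rather than silently skipping it.
func Aggregate(lines []string) (map[string]TerminalStats, error) {
	out := make(map[string]TerminalStats)
	for _, line := range lines {
		t, err := ParseLine(line)
		if err != nil {
			return nil, err
		}
		s := out[t.TerminalID]
		s.Total++
		switch t.EntryMode {
		case "fallback":
			s.Fallback++
			if t.Approved {
				s.ApprovedFallback++
			}
		case "swipe":
			if t.ChipCapable {
				s.ChipCardSwiped++
			}
		}
		out[t.TerminalID] = s
	}
	return out, nil
}

// FlagTerminals returns, sorted, terminals whose fallback rate exceeds maxRate
// once they have at least minTxns transactions, so a single bad read on a
// quiet lane does not trigger a review.
func FlagTerminals(stats map[string]TerminalStats, maxRate float64, minTxns int) []string {
	var flagged []string
	for id, s := range stats {
		if s.Total >= minTxns && s.FallbackRate() > maxRate {
			flagged = append(flagged, id)
		}
	}
	sort.Strings(flagged)
	return flagged
}

// SampleLog is constructed for this example.
var SampleLog = []string{
	"term=T01 entry=chip chip=1 approved=1",
	"term=T01 entry=chip chip=1 approved=1",
	"term=T01 entry=swipe chip=0 approved=1",
	"term=T01 entry=fallback chip=1 approved=0",
	"term=T02 entry=fallback chip=1 approved=1",
	"term=T02 entry=fallback chip=1 approved=1",
	"term=T02 entry=chip chip=1 approved=1",
	"term=T02 entry=swipe chip=1 approved=1",
}

func main() {
	stats, err := Aggregate(SampleLog)
	if err != nil {
		panic(err)
	}
	for _, id := range FlagTerminals(stats, 0.3, 4) {
		s := stats[id]
		fmt.Printf("%s: %d/%d fallbacks (%d approved), %d chip cards swiped with no chip attempt\n", id, s.Fallback, s.Total, s.ApprovedFallback, s.ChipCardSwiped)
	}
}
```

On the sample data only T02 is flagged: half of its traffic is fallback and it also accepted a chip-capable card as a plain swipe. Whatever the eventual liability rules say about such transactions, a merchant who can produce these numbers per lane is in a far better position than one who cannot qualify or quantify counterfeit fraud at all.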

Who Will the EMV Liability Shift Benefit?
One can’t help but question whether the liability shift itself is an attempt to completely divert liability away from those organizations that both issue cards and serve as a merchant bank. After all, those are the organizations that are already issuing the largest numbers of EMV cards. Traditionally, one side or the other would have shouldered the burden of this type of card fraud, but EMV is possibly increasing the profitability for these large banks that are both issuers and merchant banks by lessening their liability, allowing them to simply wash their hands of it even in cases where liability remains unclear. This lack of clarity is only furthered by organizations advertising that the EMV technology is foolproof, which it isn’t.

Who Will Shoulder the Greatest Burden?
As the liability shift deadline approaches, there are three groups that may stand to shoulder the greatest burden: merchants, small card issuers, and small merchant banks. Merchants cannot qualify or quantify counterfeit fraud, but must invest in EMV-compliant terminals and system solutions at a substantial cost. Further, merchants may potentially and inadvertently sign agreements that bind them into the very liability shift that may not have been theirs to accept.

On the other hand, small issuers and co-issuers are also burdened with the costly retooling of the cards they have to issue. EMV cards are much more expensive to produce than traditional magnetic stripe cards. And, if they move to issue contactless EMV cards, these can cost up to two times more than a non-contactless EMV card. Finally, small merchant banks, independent sales organizations (ISOs), and agents have very little control or say over the makeup of the payments industry and stand to lose the most by this liability shift if they cannot effect change or get their merchant customers prepared for EMV.

EMV Is Authentication, Not Security
As we discussed last month, some organizations are putting a lot of pressure on merchants to get ready for EMV immediately, as though the liability shift date in October will bring an onslaught of fraudulent charges. However, this is unlikely: once EMV is “in the wild,” it is much more likely that fraud will result from poor implementations of EMV, e-commerce, and other card-not-present scenarios. Whether the industry wants to accept it or not, the U.S. EMV migration will take years. Therefore, merchants should get ready for EMV, but when they do, they shouldn’t do it out of fear, uncertainty, or doubt. EMV is a complicated authentication tool, and it needs to be implemented correctly. Merchants must make a concerted effort to become EMV compliant the right way, as a step on the path to true security, not as a security solution in and of itself.

What Merchants Can Do to Implement EMV Correctly
EMV technology was created more than two decades ago and doesn’t account for the proficiency with which hackers, some of whom are now working in large groups and are backed by nation-states, are compromising payment systems today. Therefore, a well-thought-out EMV solution requires the use of layered security to protect sensitive cardholder data. We recommend covering all bases: remove that sensitive data from the merchant environment entirely by layering EMV with the security of P2PE and tokenization. This ensures that you can accept EMV cards, but that your environment is also protected from becoming the source of a breach.

Here are some tips regarding what to look for when seeking support during your EMV migration:

  1. Use a solutions company, such as Shift4, which takes a mindful and business-oriented approach to security and compliance. Even before PCI and EMV, Shift4 has always balanced the business needs of its merchant customers with their need to securely process transactions. The end result is our supply of best-in-class payment solutions that optimize business processes and provide unrivaled security with compliance as a side effect.
  2. Implement tokenization. It is essential to remove all card data from the merchant environment and place the burden of storing that sensitive data on a proven and vigilant organization that considers the security of its merchant customers’ transactions its primary job. To do this, merchants must implement a “security” or “storage”-based tokenization solution like Shift4’s TrueTokenization®, which protects the merchant’s environment by replacing sensitive cardholder data with non-decryptable information that is meaningless to hackers. This type of payment data tokenization differs from the recently popularized consumer-based “payment token” solutions, such as those found with Apple Pay™ and other mobile payment providers. While these sister solutions do provide merit at the consumer level, merchants need to ensure that their environment is protected with a comprehensive tokenization solution.
  3. Implement P2PE. No matter the payment type, it is important to encrypt all transactional material from the time it is keyed, swiped, inserted, or tapped (such as when using mobile payment solutions like Apple Pay). Merchants should use a device that encrypts at the point of interaction so that no transactional information is ever in the clear and exposed to hackers. This reduces much of the PCI-DSS burden, a burden that still remains with EMV, no matter what the press or the merchant banks are telling the world. Again, EMV would not have stopped the breaches at Target or Home Depot, nor will it prevent future breaches.
  4. Implement EMV. Though it’s true that Shift4 has very real concerns over the tactics used by some in our industry to drive the EMV payment hype, it doesn’t mean that EMV doesn’t have merit for authenticating card-present transactions. As part of the merchant advocacy stance and commitment to overall merchant protection that Shift4 truly believes in, we urge merchants to implement EMV in a strategic fashion with the layered security you need in spite of the pressures and interference you may be fielding from third parties.

Shift4’s Solution for EMV
When a merchant accepts EMV credit and debit cards, card-present transactions are authenticated, but when a merchant uses tokenization and P2PE alongside EMV, true security begins. Here is what will happen during an EMV transaction when a merchant implements it using Shift4’s layered security solution for EMV:

  1. The EMV chip authenticates the transaction. In the case of a chip and signature EMV card, this virtually ensures (but does not guarantee) that the card is genuine, and in the case of a chip and PIN EMV card, this verifies (but does not necessarily guarantee) the card and the cardholder are genuine.
  2. Our True P2PE™ solution encrypts all data at the point of interaction, when a consumer’s card interacts with the payment device, including any data that results from processing an EMV transaction.
  3. Our TrueTokenization solution protects data at rest, ensuring card data is never held in the merchant’s environment, which reduces the merchant’s PCI scope and also protects them from experiencing brand-damaging breaches. Our TrueTokenization solution ensures this data is protected while still allowing the merchant to perform business as usual, including returns, recurring billing, and incremental authorizations.
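To make the three-layer data path above concrete, here is an added Go sketch of it. This is not Shift4’s True P2PE or TrueTokenization code and says nothing about how those products work internally; it only shows the shape of the flow the article describes: a point-of-interaction device encrypts the card data with AES-GCM the moment it is captured (layer 2), a gateway that alone holds the key decrypts it, records the transaction and hands the merchant back a random token in place of the card number (layer 3), and the merchant later runs a refund by token alone. The chip authentication of layer 1 is represented only by the entry mode the device reports. The key, the test card number and the message formats are all constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
)

// DemoKey stands in for a key the processor injects into a tamper-resistant
// device. Constructed for illustration only; merchant software never holds it.
var DemoKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes -> AES-256

// TestPAN is a well-known test card number, constructed input for this example.
const TestPAN = "4111111111111111"

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// POIDevice models the payment device: card data is encrypted the moment the
// card is dipped, swiped or tapped, so the merchant's systems only ever see ciphertext.
type POIDevice struct{ aead cipher.AEAD }

func NewPOIDevice(key []byte) (*POIDevice, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return &POIDevice{aead: aead}, nil
}

// Capture returns nonce||ciphertext||tag. The entry mode ("chip", "swipe", ...)
// is bound as associated data, so a blob captured from a chip read cannot be
// presented to the gateway as something else without failing authentication.
func (d *POIDevice) Capture(pan, entryMode string) ([]byte, error) {
	nonce := make([]byte, d.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return d.aead.Seal(nonce, nonce, []byte(pan), []byte(entryMode)), nil
}

// Gateway models the processor side: it alone holds the decryption key and
// the vault mapping tokens to card numbers (an HSM-backed store in practice).
type Gateway struct {
	aead  cipher.AEAD
	mu    sync.Mutex
	vault map[string]string
}

func NewGateway(key []byte) (*Gateway, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return &Gateway{aead: aead, vault: map[string]string{}}, nil
}

// Authorize decrypts the captured blob, stands in for issuer approval, and
// returns a random token plus the last four digits. The PAN never goes back.
func (g *Gateway) Authorize(blob []byte, entryMode string) (token, last4 string, err error) {
	ns := g.aead.NonceSize()
	if len(blob) < ns+g.aead.Overhead() {
		return "", "", errors.New("captured blob too short")
	}
	pan, err := g.aead.Open(nil, blob[:ns], blob[ns:], []byte(entryMode))
	if err != nil {
		return "", "", fmt.Errorf("decrypt/authenticate failed: %w", err)
	}
	if len(pan) < 4 {
		return "", "", errors.New("decrypted PAN too short")
	}
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", "", err
	}
	token = hex.EncodeToString(raw) // random: nothing about the PAN is recoverable from it
	g.mu.Lock()
	g.vault[token] = string(pan)
	g.mu.Unlock()
	return token, string(pan[len(pan)-4:]), nil
}

// FollowOn runs a refund or incremental authorization by token; the gateway
// resolves the card number internally, so the merchant never stores it.
func (g *Gateway) FollowOn(token, kind string) (string, error) {
	g.mu.Lock()
	pan, ok := g.vault[token]
	g.mu.Unlock()
	if !ok {
		return "", errors.New("unknown token")
	}
	return fmt.Sprintf("%s approved for card ending %s", kind, pan[len(pan)-4:]), nil
}

func main() {
	dev, _ := NewPOIDevice(DemoKey)
	gw, _ := NewGateway(DemoKey)
	blob, _ := dev.Capture(TestPAN, "chip")
	token, last4, err := gw.Authorize(blob, "chip")
	if err != nil {
		panic(err)
	}
	// The merchant's own record holds only the token and last four, never the PAN.
	fmt.Printf("merchant stores token=%s last4=%s\n", token, last4)
	msg, _ := gw.FollowOn(token, "refund")
	fmt.Println(msg)
}
```

The thing to notice is what each party is left holding: the device emits only ciphertext, the merchant keeps only a random token and the last four digits, and the gateway is the sole place the key and the card number coexist. That is the property that shrinks the merchant’s PCI scope; a breach of the merchant’s systems yields tokens that are useless anywhere else.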

By adding P2PE and tokenization to your EMV solution, your EMV implementation will not only authenticate cards, but also help to lower your breach profile. This is the type of solution merchants should aim for, and if an entity is putting the pressure on you to do something different, you have to question who they are really looking out for. Be careful out there. And, as always, if you ever have any questions, Shift4 is here to help.