Executive Insight: US EMV – A Necessary Evil?

A New Payment Process

Those who have traveled to Europe in the past few years, or to Canada within the last year or so, know there is a new payment process that uses a microchip on the card to communicate the payment capabilities of the card to the point of sale, and then uses a PIN (personal identification number) to authenticate the cardholder as the owner of the card. The nickname for this process is “Chip and PIN,” but its official name, “EMV,” tells us much more about the process’s history.

EMV stands for Europay, MasterCard, and Visa – the three organizations that initially promoted this payment method. They were looking for a methodology whereby they could control credit card capabilities and also confirm the user of the card, all at the point of sale. Further, they wanted the card to be able to control the behavior of the point of sale in some cases, to facilitate things like faster micropayments (automatic approvals under the $20 threshold) and to allow for payments where real-time telecommunication was not readily available (essentially having the chip confirm that it had sufficient balance to pay for the transaction even though the POS couldn’t communicate with the processor to verify the information).

EMV payment transactions were also heralded to be more secure than swiped payment transactions (though the process was breached in Europe shortly after it was implemented). To be honest, with the use of technology like Shift4’s TrueTokenization® and even some End-to-End encryption technologies, both cardholders and merchants are better protected against swiped cardholder information breaches than they would be with EMV and its PINs.

The Canadian Frontier

Over the last few years, the Canadian Government has embraced EMV, mandating that all merchants implement it as a replacement for swiped cards and for their Interac debit process. Canadian merchants will be allowed to support swipe and Interac only until 2015 (remember that date, it will come up again later). This is so that Canadian merchants can continue to do business with travelers from the United States and other countries that still use credit cards with magnetic stripes.

The trouble with this mandatory implementation is that EMV requires specially programmed terminals or specially programmed devices connected to point of sale systems. These terminals and devices have to go through a rigorous certification process before they can be made available to merchants. First, there are processor-specific certifications, and once they pass the processor certification, they must also pass individual certifications for both MasterCard and Visa. (While American Express was a late adopter of EMV, to date no American Express certification is required.)

Like terminals, middleware and/or gateways must go through a similar set of certifications. Each of these certifications must be performed with a specific terminal. That means if we plan to support five terminals on five processors, we have to go through 25 certifications with processors, 25 certifications with MasterCard, and 25 certifications with Visa. Oh, and add to that the fact that (at least for now) each POS must go through beta testing with each terminal it is to support. “Red Tape, thy name is EMV.”

If someone asked us to rate the complexity of EMV using a scale of 1 to 100, swiped credit cards would be a 1, PINned Debit (US Style) would be a 4, PINned Debit (Canadian Interac) would be a 10, and EMV would be 100.

That being said, and especially when we consider the amount of work relative to the market size of Canada (only 11% of the US market), it is understandable that the adoption rate of EMV (Chip and PIN) among US companies remains very low. To put it in perspective, when we complain to the processors we are interfacing with for EMV that they are taking too long to return certification results, we are told that it is not financially feasible – based on the size of the Canadian marketplace – to increase their staff sufficiently to accommodate the number of certifications that they are currently doing.

Closer to Home

Given that the EMV process was originally developed for Europe, and that although Visa and MasterCard are larger organizations, Europay is named first in the EMV acronym, we have to assume it was mostly a European initiative. It seems quite remarkable that the United States, the country that led the way in credit and debit card development, would become a follower with EMV. But that is exactly what’s happened.

Recently, though, Visa made a unilateral statement announcing EMV in the United States and announcing a deadline of 2015 (that date sound familiar?). Can you imagine the amount of programming that will have to be done to implement this? Think how slow it is going now, in a market 89% smaller than the US market; and then think how many more processors, terminals, and POS companies will support EMV in the US. It’s going to be a mess.

Also, Visa has said that if merchants process 75% of their transactions via Chip cards, they will not be required to go through PCI-DSS validation. (How they can authorize that without collaboration from MasterCard and the other brands remains to be seen.) And they have decided that US EMV will be Chip only, not Chip and PIN. (Yes, merchants will be able to use the less secure Chip-only solution, and then put their own reputations on the line because they didn’t validate their security.)

The whole situation sounds like an exercise in futility, doesn’t it?

The Good News

Don’t worry. We’ll be ready, and we’ll make sure you’re ready, too – no matter what they throw at us.