Though much of the rest of the world has been using EMV chip cards for years, the U.S. has yet to replace magnetic stripes on credit and debit cards with microchip technology. A few years ago, this outlook began to change. The major card brands, Visa, MasterCard, Discover, and American Express, announced their intent to migrate to EMV beginning with a liability shift date affecting most merchants in October 2015. Then last year—what became known as “the year of the data breach” after Target, Home Depot, and other high-profile U.S. merchants became victims of large-scale data breaches—many organizations were quick to point their fingers at the lack of EMV as a cause. Those in support of EMV were quick to pose the technology as a cure-all for breaches, and the industry responded. Even President Obama signed an executive order designed to speed the U.S. government’s adoption of EMV cards and encourage U.S. merchants and payments players to do the same.
U.S. merchants, processors, payment terminal manufacturers, independent software vendors, merchant banks, credit and debit card issuers and other players are migrating to EMV cards as the October 2015 liability shift date fast approaches. While EMV does offer security benefits to merchants, alone the technology won’t solve all of today’s security problems, namely the data breaches that have plagued retailers and others in recent years. It’s important that merchants cut through the hype surrounding EMV and ensure their service providers and partners work with them to create a truly secure payment solution that supports EMV and their business operations.
Many Voices, Little Clarity
Some EMV marketing tactics have caused confusion, particularly the ones that have capitalized on the Target and Home Depot breaches. As the EMV liability shift date gets closer—which at this time is not a mandate—those organizations that are pressuring merchants to immediately adopt EMV are creating a misplaced sense of panic, leading merchants to adopt the quickest EMV solution possible, not necessarily the correct one.
Some acquiring banks and merchant services providers (MSPs) have compelled merchants to deploy EMV solutions quickly without taking the time to incorporate point-to-point encryption (P2PE) and tokenization. These technologies help prevent breaches and simplify PCI compliance by removing sensitive payment card data from the merchant environment entirely. This helps prevent sensitive payment card data from being stolen in the first place, which is the primary source of counterfeit cards. The implementation of systems that don’t employ EMV with P2PE and tokenization may in fact put merchants in harm’s way, as it may expose their networks and other POS infrastructures to card data and change their PCI DSS landscape.
Similarly, a number of merchants have been pressured to transition from an integrated payment solution to a standalone solution, simply because an organization they work with has certified for EMV with a standalone payment terminal, but not an integrated payment terminal. This move may get them ready for EMV by the liability shift, but by sacrificing key integrated payment functionalities that save them significant time and money.
Things to Consider
The cost of implementation versus the benefits of a particular solution for the merchant’s business operations is a factor to consider. How could an EMV implementation that further exposes their environment to breaches be considered a move forward? Why would they even consider sacrificing the key time- and money-saving accounting and security functionalities of an integrated payment solution? The risk of moving to an implementation of EMV that does not strategically support an organization’s business operations is especially concerning when all merchants get in return is protection from a very specific segment of fraud that they may not have much risk for and may not be liable for anyway—the liability for counterfeit fraud.
One point that often goes overlooked is that a merchant’s current contract with their acquiring bank or MSP may not even take EMV into account. It is entirely possible that counterfeit fraud was traditionally considered “zero liability” (which is liability that was just part of the issuer doing business) and that a merchant’s agreements do not reflect or even anticipate this type of fraud being shifted to themselves. This means that, based on a merchant’s current contracts, it may not even be possible for the merchant to shoulder the responsibility for fraud as it relates to EMV—unless that merchant signs a new contract that waives their protection from it. This is one very important reason why merchants need to be wary of any proposals that require them to re-sign a contract or get into a new contract with their acquirer or MSP related to updates for EMV; any new or updated contract may also be asking the merchant to sign up for more liability than their current contract allows.
Paying the Price
When it comes to bearing the burden of transitioning to EMV, not all participants will shoulder equal weight. There are three groups likely to feel the most pain as the liability shift deadline approaches: merchants, small card issuers and small merchant banks. Merchants must invest in EMV-compliant terminals and system solutions at a substantial cost. Small issuers and co-issuers are also burdened with the costly retooling of the cards they issue. EMV cards are much more expensive to produce than traditional magnetic stripe cards. And, if they issue contactless EMV cards, these can cost up to two times more than a typical EMV card. Finally, small merchant banks, independent sales organizations (ISOs) and agents have very little control or say over the makeup of the payments industry and stand to lose the most by this liability shift if they cannot influence change or get their merchant customers prepared for EMV.
Important Elements in EMV Implementation
Though EMV seems relatively new to the U.S., the technology has actually existed for more than 20 years. Consequently, it doesn’t account for the proficiency with which hackers, some of whom are now working in large groups and are backed by nation-states, are compromising payment systems today.
A layered approach to protecting sensitive cardholder data is the best way to implement EMV. Here are three crucial elements to include for truly secure payments:
1. P2PE: No matter which payment type is used, all payment card data should be encrypted from the time it is keyed, swiped, inserted or tapped (such as with mobile wallets). Merchants should use a device that encrypts at the point a payment terminal interacts with a card so that no payment card data is ever in the clear and at risk of being stolen by a savvy hacker. This shrinks the merchant’s cardholder data environment to the secure device level, reducing much of the PCI DSS burden—a burden that remains with EMV. Again, EMV alone would not have stopped the breaches at Target or Home Depot, nor will it prevent future breaches.
3. EMV: EMV is better at authenticating card-present transactions than magnetic stripe cards, so getting ready to accept EMV cards is an important step to take on the path to true security. However, merchants should ensure they implement EMV in a strategic fashion with layered security.
EMV adoption is a complex issue. Merchants need to carefully examine current contracts and those that come up for renewal regarding EMV liability. They also need to question solutions that expand their breach exposure while promising to assist with the transition to EMV. By adding proven security measures such as P2PE and tokenization to any EMV solution, merchants can authenticate cards with EMV while also reducing their susceptibility to data breaches by removing sensitive data from their environment entirely.