U.S. retailers are now actively being steered towards adoption of the global EMV standard. Visa, MasterCard and Discover have each issued announcements and outlining how they envision this shift to occur. Details of this migration effort are still being filled in, but retailers have plenty of incentive to start planning for it.
With their market presence, these card brands certainly will be able to bring the U.S. payments industry along in this effort. Discover and MasterCard have indicated that the acquiring infrastructure must be ready for EMV in 2013 and that in the latter part of 2015 liability for fraud will shift onto the shoulders of acquirers and retailers.
That liability shift is a powerful motivator. Currently, card issuers build the cost of card-present fraud into their business models, where it’s hidden from view although undoubtedly built into the fees and costs they impose on acquirers and retailers.
According to Visa, “With this type of liability shift, the party that is the cause of a chip-on-chip transaction not occurring (i.e., either the issuer or the merchant’s acquirer) will be financially liable for any resulting card-present counterfeit fraud losses.” In all likelihood, acquirers will pass the cost of that liability down to non-conforming retailers.
Visa and MasterCard are not relying solely on the fear of fraud liability, but are also offering retailers incentives that reduce auditing and assessment requirements for retailers who achieve targets for converting their terminal base.
One of the key issues, although currently murky, is the role of PIN in this new EMV payments environment. There’s a common misperception that EMV is synonymous with “Chip and PIN” but that is not accurate. Chip and PIN is just one flavor of EMV that has been widely adopted and was implemented in the UK under that name in the past decade. But some countries have opted for a “Chip and Signature” approach.
Both Visa and MasterCard have indicated they view chip-enabled “dynamic authentication” as a valid means of EMV card authentication. Visa has given clear signals that it sees dynamic authentication as the preferred model of authentication, in which additional data is exchange between the chip on the card and a network database.
MasterCard has clearly indicated that it views Chip and PIN as the most secure form of EMV and has talked about a “liability hierarchy”, in which the party with the weakest form of EMV will bear the cost of any fraud. For example, if a retailer’s payment device can process Chip and PIN, but the issuer has issued a Chip and Signature card, the issuer will be liable for resulting fraud costs if the transaction is made using Chip and Signature. Meanwhile, Discover’s stance on this issue is that it is “choice-centric, meaning the company will not restrict any channel, verification process or transaction type.”
The Merchant Advisory Group, which includes major retailers such as Walmart, Sears, Target and CVS Caremark, has firmly indicated its support for Chip and PIN over Chip and Signature.
Whichever mode of EMV is used, the net effect will lower reduction in chargeback fees. An additional benefit, and one that makes retailers much more amenable to the migration, is that the terminal upgrade cycle will foster the adoption and integration of contactless and NFC payments. In fact, Visa and MasterCard are both requiring that retailers who want to take advantage of the migration incentives adopt “dual mode” terminals that accept both contact and contactless/NFC EMV transactions.
Crossing the Chasm
A big positive for U.S. retailers contemplating the EMV migration is that the majority of the world has already made the transition: adoption of EMV cards now stands at more than 40% around the world, excluding the U.S., and EMV acceptance device adoption is at more than 70%, according to EMVCo, the organization responsible for maintaining and enhancing the EMV specifications.
For large retailers, the return on investment will be obvious. Many are already eager to adopt NFC in order to take advantage of the broader range of benefits, but simply need more hard evidence for the business case. The liability shift and opportunity to eliminate some PCI security assessment costs will likely provide the hard facts that justify the upgrade costs. As Visa put it, “Merchants qualifying for TIP can reap meaningful savings through the reduction of costs associated with annual PCI DSS validation, and will have the opportunity to re-invest those savings into additional payment technology infrastructure to support dynamic data processing.”
For smaller merchants, it may be difficult at first to make that business case because most are not currently required to conduct annual audits. However, acquirers do have the ability to require such audits even with Level 4 merchants, and as those acquirers invest in the EMV infrastructure, it’s hard to imagine that they won’t require their smaller merchants to go along for the ride. In addition, smaller merchants without EMV could face potentially overwhelming losses from the liability shift.
EMV migration in the U.S. does not have to be costly and difficult. EMV card-acceptance devices are readily available – as a global supplier, VeriFone, for example, has been selling in overseas markets EMV-capable versions of the payment devices it provides in the U.S. Additionally, dual interface PIN pads will enable retailers to adapt older non-EMV systems to the new payment requirements.
Retailers should not expect that EMV alone is the magic bullet in making card transactions secure. EMV provides a significant leap forward in one key area, which is preventing the cloning of credit and debit cards. EMV authenticates the card and the cardholder (if used with PIN), but EMV does not encrypt the transaction data, so even if an EMV card and an EMV terminal were used to make a transaction, all of the details could still be transmitted “in the clear” or stored on a server somewhere where a criminal might be able to intercept the data and exploit it. That’s why we are vocal proponents of using end-to-end (also known as point-to-point) encryption and tokenization of card data to ensure that any information stolen in a breach would be completely unusable.
With the coming shift in liability for fraud costs, and in light of growing evidence that card fraud is increasingly migrating from EMV countries to non-EMV countries, VeriFone encourages earliest adoption of this critical payment technology to assist in building a complete defense against criminal elements. In our view, EMV Chip and PIN is the most secure method of EMV and enables retailers and acquirers to position themselves at the most advantageous position in the liability hierarchy and therefore achieve maximum protection.
Paul Rasori currently serves as VeriFone’s Senior Vice President of Marketing. He has global responsibility for all Financial Payment Systems marketing efforts and oversees the global product management, global marketing programs and all local demand generation marketing functions across North and South America, EMEA and Asia Pacific regions. Click here to learn more about VeriFone.