EMV: Much Done, Much More To Do
By Matt Pillar, chief editor
January 2017 Innovative Retail Technologies
As we head into year two of the great EMV migration, here’s a look at where we’ve been — and where EMV will take us next.
Depending on whose numbers you trust, it’s estimated that somewhere between 35 and 45 percent of merchants are now EMV-enabled. Visa and MasterCard report that some 50 percent of the cards issued in the U.S. are now chip cards. Steve Cole, senior product manager for security and fraud solutions at Vantiv, says the general retail, supermarket, and drugstore verticals are leading the charge. “These segments had the largest exposure to the card brands’ counterfeit liability shift, as they sell goods like gift cards that are highly sought after by the criminal element,” says Cole. Table-service restaurants, he says, are still lagging behind due to a lack of pay-at-the-table traction in the U.S. “There is also a mistaken belief in the market that tip adjustments can’t be made on EMV transactions. In general, this is not true,” says Cole. “MasterCard does have a rule that adjustments can’t be made on chip-and-PIN transactions, but they are the only brand that has this rule and all of the brands allow adjustments on chip-and-signature transactions.”
Jim Raftice, president of U.S. and Canada at EVO, says his company has seen tremendous reception to EMV implementation across all market segments, with many small- to medium-sized businesses following the lead of the top tiers. He agrees with Cole’s assessment of the growth opportunity for EMV adoption in mobile and pay-at-the-table models. “These segments, which include restaurants and other service-oriented businesses, have unique customer engagement requirements that have made EMV especially complex for these merchants.” Raftice says collaboration with Verifone and Dejavoo Systems has led to the introduction of both stand-alone and semi-integrated solutions to ease EMV migration for these merchants, enabling them to facilitate more complex EMV workflows including post-authorization tip adjustment, and the opening and closing of bar tabs with EMV cards.
"There is also a mistaken belief in the [table-service restaurant] market that tip adjustments can’t be made on EMV transactions. In general, this is not true."
Steve Cole, senior product manager for security and fraud solutions, Vantiv
No Time To Rest On EMV Laurels
While chip cards and EMV terminals are still working their way into the market, significant deadlines loom. In April, MasterCard will extend its lost/stolen liability shift to contactless transactions, where merchants will be liable for the fraud if the contactless card or consumer device is PIN (personal identification number)-preferring, but the merchant does not support PIN. This will apply to any merchant that accepts contactless transactions. Cole also notes that in October, the liability shift for AFDs (automated fuel dispensers) goes into force. “This shift will impact the more than 120,000 merchants who sell fuel,” explains Cole. “It has raised significant concerns in that market as the process to upgrade the payments module in a fuel pump is much more complicated and costly than replacing a retail POS terminal.” He says a fuel-dispenser payments module upgrade alone can cost as much as $5,000, and some pumps will require a complete replacement.
Raftice points to other upcoming requirements, most notably the migration from SSL (secure socket layer) and early TLS (transport layer security) v1.0 to a secure version of TLS. “While all processing and third-party entities were required to provide a TLS 1.1 or greater service offering by June 2016, the PCI (Payment Card Industry) Security Standards Council extended the cutover date for existing merchants to June 2018,” he says. “The new date provides additional time to migrate to more secure protocols, but waiting is not recommended – particularly for online and e-commerce merchants who are most susceptible to SSL exploits and attacks.”
Raftice also says merchants need to be aware of the MasterCard BIN (bank identification number) expansion. In addition to the familiar 5-series BINs currently provided, MasterCard is implementing an additional range of 2-series BINs. “Acquirers were required to upgrade their systems to be compatible with the new 2-series BINs by October 2016,” explains Raftice. “Beginning in 2017, cards with the new 2-series BINs are expected to be issued, meaning all merchant POS terminals and related systems must be ready to accept and support the new 2-series BIN range cards.”
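An added example (not from the article, EVO, or MasterCard) of the brand-detection check that POS and e-commerce code needs updated for the 2-series BINs, shown beside the older 51-55 prefix rule it replaces. The 222100-272099 bounds are supplied here because the article gives no numbers, and all function names are hypothetical.

```python
import re

# Mastercard six-digit BIN ranges (inclusive). The 2-series bounds are the
# published 222100-272099 range; the article itself gives no numbers.
LEGACY_5_SERIES = (510000, 559999)
NEW_2_SERIES = (222100, 272099)

def normalize(pan: str) -> str:
    """Strip spaces/hyphens and require 16 digits (Mastercard PAN length)."""
    digits = re.sub(r"[ -]", "", pan)
    if not re.fullmatch(r"\d{16}", digits):
        raise ValueError("PAN must be 16 digits")
    return digits

def luhn_ok(pan: str) -> bool:
    """Luhn checksum: double every second digit counting from the right."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def is_mastercard_legacy(pan: str) -> bool:
    """Pre-expansion rule still found in older POS code: prefix 51-55 only."""
    return 51 <= int(normalize(pan)[:2]) <= 55

def is_mastercard(pan: str) -> bool:
    """Current rule: 5-series or 2-series BIN, plus a Luhn check."""
    p = normalize(pan)
    bin6 = int(p[:6])
    in_range = any(lo <= bin6 <= hi for lo, hi in (LEGACY_5_SERIES, NEW_2_SERIES))
    return in_range and luhn_ok(p)

def mask(pan: str) -> str:
    """First six / last four only, so audit output never holds a full PAN."""
    p = normalize(pan)
    return p[:6] + "******" + p[-4:]

def wrongly_declined(pans):
    """Masked PANs the current rule accepts but the legacy rule rejects."""
    return [mask(p) for p in pans if is_mastercard(p) and not is_mastercard_legacy(p)]

# Constructed sample: public brand test numbers, not real accounts.
SAMPLE = ["5555 5555 5555 4444", "2223 0000 4840 0011", "4111 1111 1111 1111"]

if __name__ == "__main__":
    print(wrongly_declined(SAMPLE))
```

Running the legacy and current rules side by side over a set of test PANs is a quick way to find card-brand routing code that was never updated for the new range.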
Finally, Raftice points to the new QIR mandate for Level 4 merchants. “In an effort to mitigate small merchant breaches, Visa has established new data security requirements to ensure small merchants take steps to secure their POS environments,” he says. “According to Visa, forensic investigators have identified links between improperly installed POS applications and merchant payment data environment breaches.” As a result, beginning in January, all existing Level 4 merchants are required to use PCI-certified QIR (qualified integrator and reseller) professionals from a list of approved companies for servicing POS applications and terminals.
"Based on what we’ve seen occur in our European markets following the shift to EMV, we do expect to see a migration in attempted fraud toward card-not-present (CNP) transactions."
Jim Raftice, president of U.S. & Canada, EVO
Has EMV Pushed Fraud To CNP?
Raftice and Cole have differing takes on the impact of EMV on CNP fraud. While Cole cites a Credit Union Times report that the quarter-over-quarter fraud rate jumped by over 60 percent in the first half of 2015, Raftice says the most dramatic shift to CNP fraud has yet to come. “Based on what we’ve seen occur in our European markets following the shift to EMV, we do expect to see a migration in attempted fraud toward card-not-present [CNP] transactions,” says Raftice. “However, current tracking in the U.S., including chargeback monitoring and fraud reporting, indicates this simply hasn’t happened yet due to slower adoption of EMV.”
In response to — and anticipation of — these attacks, Cole says he’s seeing increased merchant interest in a number of authentication and fraud prevention strategies to detect and prevent online fraud. “On the authentication side, tools like device authentication, one-time passwords, and biometrics are being researched and employed,” he says. “Fraud prevention uses the merchant’s proprietary data and transactional data to score transactions from a risk perspective, and validation services like AVS [address verification service] and card security codes to validate the legitimate cardholder is using the card.” He says merchants are also employing point-to-point encryption and tokenization to prevent the theft of card data from the start.
At EVO, Raftice says the implementation of new global security products like 3-D Secure, enhanced security surrounding recurring and subscription-based payments, and the introduction of new online risk prevention and data protection tools can help merchants reduce the time, cost, and complexity of PCI compliance.
Mitigating EMV’s Extended Processing Time
One of the biggest early complaints around EMV has been the extended time it takes to complete a transaction. In a way, it feels like a step back into the age of dial-up. But Cole says there are a number of steps merchants can take to reduce the customer’s time-in-lane. “The four major card brands have all introduced specifications for faster EMV processing,” he says. These specs include “Quick Chip” (American Express, Discover and Visa) and “M/Chip Fast” (MasterCard). “The objective of these solutions is to improve the speed of the transaction — or at least, the perception of the speed of the transaction — while maintaining the counterfeit fraud protection of EMV,” explains Cole. This is accomplished by allowing earlier card insertion and reducing the actual time the card stays in the payment terminal. “In order to allow the cardholder to insert their card earlier, the merchant uses a placeholder, or pseudo, transaction amount to create the transaction cryptogram, which is the key to preventing counterfeit fraud. Because the cardholder doesn’t have to wait for the final amount to be known before inserting the card, the merchant can offer customers an experience much more similar to the magnetic stripe ‘swipe ahead’ process,” says Cole. The faster EMV processing solutions also eliminate some of the nonessential EMV features, such as issuer script processing. This means that the card doesn’t have to remain in the terminal until the response message is received from the issuer.
An efficient configuration and a streamlined workflow go a long way toward minimizing the amount of time it takes to complete a dipped transaction versus a swiped transaction, says Raftice. “With many merchants still slow to adopt and consumers still adapting to new processes, several of the kinks have yet to be worked out between retailers and cardholders,” he says. Raftice believes the most influential factor in the perceived time it takes to complete an EMV transaction is that the chip card must remain in the reader until the authorization response is received from the issuer. “For consumers used to swiping their card and immediately returning it to their wallet, this new wait time for card removal has resulted in much more awareness of the total time it takes to complete a transaction.” To address this concern, Raftice says EVO is upgrading all of its terminals to support the aforementioned Visa Quick Chip for EMV and M/Chip Fast from MasterCard technologies.
Cole points out that contactless transactions are also considerably faster than typical contact transactions, and they allow the merchant to accept payment options such as Apple Pay and Android Pay. “Further, merchants should look to optimize the prompts and screens that are presented to the customer such as combining PIN prompting with the transaction total display,” says Cole. “In the U.S., EMV debit cards will have at least two payment applications on them. While the U.S. debit solution for EMV is an entire topic on its own, the screen prompting implication is that unless the merchant implements an application ‘pre-selection’ process, the cardholder will be presented with two payment options from which to choose.” In most cases, he says, the names displayed for these applications will have little or no meaning to the cardholder, which will create confusion and slow the checkout process.
As payment security goes, there’s clearly no time for merchants to rest on their laurels. The payments industry is tirelessly working to stay ahead of the criminal threat, but the solutions they’re developing are only effective if merchants keep up with them.