60 Days (And Counting) For EMV

60 days after the EMV liability shift, and everything is perfect, right? Well…not really. With many merchants still not on board, there remain some obstacles — but also opportunities — for the ecosystem in implementing the technology. Hear what Verifone and Visa had to say on the topic in a recent PYMNTS Digital Discussion.

Shutterstock

To get a status check on EMV in the U.S. 60 days after the liability shift, PYMNTS checked in with some heavy hitters for a digital discussion entitled: “The U.S. EMV Migration Shift: 60 Days In.”

MPD Managing Director Gloria Colgan was joined by three players at the crossroads of payments security: Lori Breitzke, Marketing at Verifone, Shan Ethridge, Vice President and General Manager of North America Financial Services Group at Verifone and Brian Hamilton, Senior Director of Risk Products and Business Intelligence at Visa. The conversation dug into the current payment security landscape, persistent challenges for merchants and what the future holds for securing payments here in the U.S. and abroad.

 

EXPECTATIONS VS. THE REALITY

Prior to Oct. 1 and as the EMV liability deadline approached in the U.S., it was expected throughout much of the payments and commerce industry that there would be something of a “light bulb effect” and the majority of retailers would be ready for the changeover. It turned out, however, that of 12 million merchant terminals in the U.S., only 314,000 were EMV-enabled by Oct. 1 — and not all of them were activated and in use. The card side was a bit more prepared, with roughly 250 million cards upgraded to include chips. But that’s still a small drop in the proverbial cards bucket — there are 2.1 billion cards in circulation across all networks and platforms.

“There were expectations that we would be 100 percent deployed across issuers, acquirers, processors and merchants,” says Breitzke. “It’s now obvious it’s going to take a good deal longer than that.”

So, what will it take for merchants and card issuers to get to that 90 percent adoption mark that many other countries have reached?

Hamilton articulated the state of payments fraud in the United States, pointing out that fraud today is equally distributed across card-present (the fraud that EMV addresses) and not-present fraud.

“When we look at card-present fraud,” says Hamilton, “we can see that two-thirds of [it] is counterfeit cards. This is the result of data breaches where fraudsters have gotten mag stripe data and used it to create new counterfeit cards.”

 

THE FOCUS ON COUNTERFEIT FRAUD

Lost and stolen cards actually make up a very small percentage of this kind of fraud (less than 10 percent) and are a source of fraud that continues to decline. Counterfeit fraud, on the other hand, continues to grow year over year.

Hamilton goes on to clarify that “EMV is not a silver bullet” but rather part of a layered approach that Visa believes is an effective approach to cardholder security.

“EMV is there to support counterfeit fraud and authenticate a consumer at the physical point of sale,” he explains. “It’s a robust ecosystem of checks and balances with the right protocols being employed on the right transactions.”

That ecosystem includes: Visa’s predictive analytics, which evaluate 500 data elements for each transaction in less than a second to spot suspicious transactions as they are occurring; Verified by Visa and Visa Cardholder Authentication Service for verifying riskier card-not-present transactions, as needed; tokenization measures that apply to mobile and card-on-file transactions; and progress is being made in biometrics that help to secure transactions on mobile and some pilot EMV transactions.

“It’s important to know that EMV doesn’t protect the data — that’s the job of encryption — but what it does is it devalues the data,” continues Hamilton. “Because of the cryptogram — the one-time code generated with each chip-enabled transaction — if the card is compromised at one transaction, it is virtually impossible to counterfeit that card across other transactions.” This certainly does make the card data less valuable to would-be fraudsters who often are looking for the path of least resistance in turning card data into cash. “But what can happen,” Hamilton explains, “is the card data and primary account number could be used in a card-not-present environment, and we have seen that in other parts of the world — a migration of fraud to card-not-present.”

Breitzke points out that Oct. 1 was not a true deadline or mandate but rather the date that marked the shift in liability and that merchants were in no way required to implement new EMV technology.

“It’s just a starting line,” agrees Hamilton. “It’s very much a journey to get to chip; this has been [Visa’s] experience around the world. Typically, it takes years to get to that 90 percent mark. Issuers need to continue to put more cards into the market, and on the acceptance side, merchants with high risk for counterfeit fraud tend to lead the adoption, followed by smaller merchants.”

 

HOW THINGS CAN IMPROVE

“[Payments in the U.S.] are very different than [in] any other country,” says Breitzke. “We [the U.S.] allow our financial institutions to have choices in how they issue cards; we take a risk-based approach, and because of that, there is a lot of flexibility built into the system. We also have many processors and acquirers here in the United States. We have between 10 million and 12 million merchants, there are different commerce lanes on top of that and the way we process our transactions is very different as well.” The EMV security framework has a lot of flexibility built into it to ensure all potential scenarios are accommodated.

Not to mention a lot of FIs — like 12,000 banks and credit unions. That’s a big and gnarly ecosystem to organize, and that’s before we get to the number of merchants.

Part of the lag in adoption by merchants has to do with the many steps required for implementation, as Breitzke explains.

Firstly, merchants need to get the hardware so they can accept chip cards. Then, they need the software.

“It’s easy for us at Verifone because all of our terminals already have the software built into them,” says Breitzke. “But the complexities we were just talking about make that software piece take longer.” She explains that the software must be certified by all parties involved in transacting, at which point the merchant will get updated software, which they then install in their terminal. Only once all that is complete can a merchant begin to transact according to EMV standards. She adds that Verifone’s Secure Commerce Architecture is leveraged by various acquirers to expedite the process by removing merchants’ point-of-sale software from the payment process.

Nonetheless, some merchants have been hesitant to begin accepting EMV during the busy holiday season. Not only are they less likely to implement new technology, roll out new training for staff and update critical payments systems during the holiday rush, but longer processing times on cards is also a key concern.

“We are seeing longer transaction times, with it taking up to 10 seconds to [process] the card,” says Breitzke. “Most major retailers are seeing between 1–9 seconds longer at the terminal. There is a huge desire to get that down.”

Larger merchants have been quicker to adopt new EMV standards than their smaller SMB counterparts. Ethridge notes, “I think the larger merchants have been very proactive in ensuring their staff understands how EMV transactions are processed. When you get into the small merchants, they are more focused on running their business and don’t see the value or the risk associated with EMV at this point.”

However, he adds that “we are starting to see an increase in demand for EMV-capable devices within the space over the last 60 days,” making the outlook promising for implementation across SMBs in the near future.

 

LOOKING AHEAD

While a casual observer at the point of sale might assume that implementation of EMV has been slow, early data suggests that acquirers have actually done a great job of prioritizing on their side of the rollout.

Hamilton articulates some key numbers very clearly: “We [at Visa] have 2.4 billion cards globally that are chip-enabled, 37 million terminals, 552,000 merchants enabled and 180.6 million Visa cards issued here in the U.S. Visa is closing the gap quickly.”

“On the card side,” Hamilton continues, “when we look at merchants who implemented chip, we’re seeing 60–70 percent of merchant transactions are being processed as a chip-on-chip transaction, and only 30 percent are going as mag stripe. So, when the issuers prioritized card rollout, they did a very good job of focusing on those ‘top of wallet’ cards that are getting used a lot.”

So, as EMV gets enabled and chip-enabled cards reach cardholder wallets, what areas are merchants, cardholders and acquirers still leaving vulnerable to fraud? There are a few scenarios to be aware of.

If a card is stolen, it is a chip card and the fraudster replicates the mag stripe, does it work? Hamilton says no.

“If they swiped that card because of the service code on the mag stripe, they would be told to insert that card, and it would not be able to process,” he explains, adding that the chip itself, because of the cryptogram, is “virtually impossible to counterfeit.”

Even if a fraudster were to take that chip card and use it to create a mag stripe (because it has a card number, expiration date, et al.), “the difference,” says Hamilton, “is the card validation value (CVV) on the mag stripe is different than the iCVV on the chip. It would fail CVV matching and … be declined.”

To this point, Breitzke reiterates how important multiple layers of security are: “EMV is just one piece. You need to have both encryption, tokenization and EMV to be super-secure beyond what we have today. Many merchants are moving toward employing all of those methods of security at the point of sale.”

So, how can merchants and the payments industry address all of these complexities and create solutions that are able to respond to increasingly sophisticated fraudsters?

Ethridge puts it this way: “All of the acquirers in the U.S. offer encryption and tokenization for all of their merchants; it’s just a matter of working with the acquirers to employ those features. EMV is a card authentication tool; it’s not necessarily a security tool by design. By taking the three-pronged approach and employing encryption and tokenization, which can all happen simultaneously, you’ve addressed every area you need to within your location to remove sensitive data from the point of sale.”

The digital discussion concluded with the sharing of several resources for merchants to help them monitor the security of their systems and transactions.

To view the webinar, click here.