Components: EMV: Has Its Day Come?

Jim Daly

It’s been two-and-a-half years since a Visa plan marked the unofficial start of the conversion of U.S. card payments to the EMV chip card standard. Will recent data breaches speed up the conversion’s snail’s pace?

While still a Congressman, current Chicago mayor and former White House chief of staff Rahm Emanuel famously said in 2008, in the midst of the financial meltdown, that “no crisis should go to waste.”

In the wake of December’s news about a huge breach of big-box retailer Target Corp.’s point-of-sale system that compromised card and non-card data on up to 110 million customers, supporters of chip card payments invoked Emanuel’s bon mot: Isn’t this Target breach proof, they asked, that it’s finally time for the U.S. to junk the dangerously insecure magnetic stripe and join the rest of the world in using better-protected Europay-MasterCard-Visa (EMV) chip cards?

“I think this is the further evidence we need to know, that despite all of the best defenses we put up to protect the insecure data in the system, it is never going to fully protect the data until we move to chip cards,” says Smart Card Alliance executive director Randy Vanderhoof. The Princeton Junction, N.J.-based trade group oversees the EMV Migration Forum, a cross-industry body working to spur the transition to chip cards.

The cry for chip cards got louder in January when upscale retailer Neiman Marcus Group reported a data breach. Initial reports said the breach affected 1 million or fewer cards.

But oh, if the U.S. payments ship could nimbly change course with just one crisis. The recent breaches did nothing to alter the operational and economic issues that merchants and payment card issuers will face in converting from mag stripes to EMV.

And while Target’s breach, news of which broke at the peak of the Christmas shopping season, was a true crisis for the retailer, the nationwide fraud data are more staid. Visa Inc., the biggest card network, says its U.S. fraud rate recently has been running at about 6 cents for every $100 of transaction volume (6 basis points), less than half its rate 20 years ago.

Furthermore, some security experts say even EMV cannot guarantee that a merchant won’t have a breach (Trends & Tactics, page 8).

“EMV is all about the interaction with the card and the device that reads the card,” said Bob Lowe, vice president of business development at Las Vegas-based gateway provider Shift4 Corp. in a Jan. 2 blog post titled ‘Why EMV Isn’t the Answer to Breach at Target.’

“Most EMV devices still send clear-text card numbers from the device to the POS, so the POS is getting the exact same information as when a traditional magnetic-stripe PIN debit or signature card is used,” he said. Shift4 offers transaction-tokenization services and so-called point-to-point encryption to protect card data throughout the transaction process.

‘Questionable’ ROI

None of this is to say that the U.S. shouldn’t convert to EMV, which, despite going on 20 years old and having its own weaknesses, has been proven in other countries to cut counterfeiting and related POS fraud drastically (chart, page 34.) The big question now is how long the conversion will take.

While news accounts about Target’s breach introduced the EMV acronym to Americans and even mentioned a major EMV deadline looming in October 2015, few examined the state of readiness, or unreadiness, of the U.S. payment system for chip cards. But Digital Transactions was in the midst of doing just that when Target grabbed all the headlines.

Our conclusion after talking with researchers and executives at payment processors and POS equipment manufacturers: It’s going to be quite some time before the sun sets on the last big outpost of the mag-stripe empire.

“We’re not going to see the mag stripe going away for a long time,” says Mike English, executive director of product development at Princeton, N.J.-based Heartland Payment Systems Inc., one of the nation’s largest merchant acquirers.

The obstacles to U.S. EMV implementation remain myriad, among them POS terminal replacements, software upgrades, processor certifications, and the differing needs of various merchant types.

Everyone in the card-payment chain must balance their costs for upgrading to EMV against the promised reduction in fraud expenses. Some card-present merchants may decide that their average sale is low enough to risk forgoing EMV, at least for the time being. And so far EMV has proven to be no better than the mag stripe in preventing card-not-present fraud.

“The return on investment is questionable across certain industries,” a spokesperson for Atlanta-based First Data Corp., the nation’s largest payment processor, says by email. “Some verticals, such as quick-service restaurants or petroleum retailers, may not adopt EMV.”

Deanna Karhuniemi, Toronto-based EMV product manager for the big Dallas-based acquirer Chase Paymentech, notes that a few large retailers in Canada, “a very small percentage,” have yet to make the switch to EMV despite that country’s adoption of the standard a few years ago. She says sometimes the benefits didn’t outweigh the effort.

“In some cases the fraud prevention alone isn’t going to deliver the ROI. Merchants should want to consider other business opportunities—contactless mobile acceptance, for example—in addition to EMV to increase that return on investment.”

Most new POS terminals that have been deployed throughout the U.S. in the past two years are capable of accepting EMV cards, but only after enabling software is loaded and tested. Today, the main generators of actual U.S. EMV transactions are a handful of merchants catering to international tourists and business travelers.

“I would say very, very few” merchants are accepting EMV transactions today, says Heartland’s English.

Adds Erik Vlugt, vice president of product marketing, North America, for POS terminal maker VeriFone Systems Inc.: “The vast majority of devices are EMV contact-card ready. Software-wise, with the exception of [leading retailer] Wal-Mart … there really is nobody ready. Software readiness is really minimal at this point.”

On the other end of the payments chain, credit and debit issuers have a long way to go before making EMV a fact of life for consumers. Boston-based research firm Celent, a unit of Oliver Wyman, cited a recent report from Visa saying U.S. banks and credit unions had issued 3.5 million Visa-branded EMV cards as of 2013’s first quarter.

While more than triple the 1 million cards in issue in 2011, EMV cards accounted for just 0.5% of Visa’s total U.S. card base of 660 million credit and debit cards. U.S. issuers are giving most of their chip cards to international travelers to avoid potential problems using mag-stripe cards abroad.

Monkey Wrench

All of this has many in the payments industry wondering if merchants and issuers will be ready for the big EMV deadline looming on Oct. 15, 2015. That’s when Visa said it would shift liability for domestic and cross-border counterfeit POS transactions to the party in a transaction that does not support EMV.

For example, if a customer presents a contact EMV card at a store that doesn’t have a chip-card-reading terminal—forcing the merchant to use the card’s backup mag stripe for authorization—and the transaction proves fraudulent, the merchant acquirer would take liability but invariably pass the expense on to the merchant. The other networks are going along with Visa’s deadline.

Because of the expense and complexity of replacing PIN pads and mag-stripe readers to make gasoline pumps ready for EMV, petroleum retailers have until Oct. 1, 2017, before they’re subject to the liability shift.

“Any time you touch those things, you’ve got a substantial cost,” says English of Heartland, which has a large base of petroleum merchants.

Then there is the monkey wrench of compliance with the debit card transaction-routing requirements of the Durbin Amendment in 2010’s Dodd-Frank Act. To boil a highly complex issue down to its essence: To potentially reduce their card-acceptance costs, Durbin requires that merchants have a choice of two or more unaffiliated debit networks with each debit transaction.

Meeting that requirement is much easier with a mag-stripe card than an EMV card because Visa and MasterCard Inc. own the EMV technology rights. That has forced the international payment networks into extended discussions with U.S. PIN-debit networks about access and so-called common identifiers (“Once Again, With Feeling,” September 2013).

The Durbin-EMV issue got even more complicated last summer when U.S. District Judge Richard Leon threw out the Federal Reserve Board’s rule implementing the Durbin Amendment, saying it doesn’t fulfill Congress’s intent. That decision, if upheld on the Fed’s appeal, might mean that debit cards must provide merchants with even more network choices.

Blown Deadlines?

It’s no surprise that the payments industry is alive with debate about whether most merchants will be ready for EMV by October 2015, with gas stations tagging along two years later.

“Those dates don’t have a chance of being met,” says Zilvinas Bareisis, a senior analyst at Celent.

Bareisis says he has no direct intelligence from the networks that the October 2015 liability shift will be changed, but he bases his prediction on various signals. For example, at an October payment conference in Las Vegas, a MasterCard speaker appeared firm on sticking to the deadline, but Visa “seemed to be more open,” he says.

So far the networks have been mum about any official change in the deadlines.

EMV migration seems likely to be a segmented affair, with big merchants converting sooner than small ones and whole industries converting on schedules reflecting their particular needs.

“Most mid-sized and small merchants do not yet seem to be fully aware of the implications of the shift to EMV, and they’re only beginning the process of learning about it,” says the First Data spokesperson.

‘Massive Bottleneck’

Many in the payments industry believe a successful and relatively speedy EMV conversion heavily depends on the major general-purpose networks and the PIN-debit networks agreeing on how a chip card will route debit transactions to multiple networks.

First Data, which owns the Star PIN-debit network, says current plans for debit and EMV could restrict competition.

“Any solution adopted by the industry must provide issuers with the flexibility to add or remove accepted networks on a card without requiring a card reissue, allow merchants to make debit-routing choice at their host and not at the terminal, and provide all debit networks with equal access to the EMV chip card technology without business or technology restrictions,” the spokesperson says.

Adds Karhuniemi of Chase Paymentech: “We’re really waiting to see what U.S. domestic debit will be doing.”

But Vlugt of San Jose, Calif.-based VeriFone cautions that merchants waiting too long to begin their EMV conversions could encounter a “massive bottleneck” in the process for certification by their acquirers that their new EMV equipment and software systems work with the networks. That process, which is new to the U.S., “is measured in months, not weeks,” he says.

Some industry executives and researchers also say the current incentives for merchants, especially Visa’s waiver for merchants of annual validation of compliance with the Payment Card Industry data-security standard (PCI) if 75% of a merchant’s transactions come from EMV terminals, won’t do the job.

“Frankly, we don’t think this is enough, especially given all the concerns merchants have,” Celent’s Bareisis said in a November report about U.S. EMV progress. “We think the networks will have to offer additional positive incentives to merchants.”

Karhuniemi notes that “any incentive is great” but the PCI validation relief by itself is not a big lure because U.S. merchants “still have to maintain PCI compliance.”

One carrot for merchants might be interchange relief, which the networks used in the U.K. to spur EMV adoption and in Canada to reward early adopters. So far, the networks have been silent on that topic, too, even though they have used interchange incentives in the past to spur technology changes in the U.S. payments system.

‘Competitive Issue’

Despite all the conflicting signals, acquirers and many merchants are moving ahead with EMV plans, according to Greg Boardman, senior vice president of product and software development at the North American unit of France-based POS terminal maker Ingenico S.A.

“On my side, we’ve seen no letup in the EMV activity,” he says, adding that in Canada, some acquirers tried to attract merchants through pitches about their new, stronger security.

“It becomes a matter of a competitive issue,” Boardman says. “EMV is the next big churn event that will allow people to shift market share if they’re in the right.”

On the issuing side, card-production executives recently told Digital Transactions that after taking few orders for EMV cards from issuers over the past few years, they expect a rapid ramp-up in demand this year and next (“Card Makers Look To Fill Their EMV Dance Card,” November 2013).

Still, the U.S. is moving toward EMV in anything but a uniform fashion. Perhaps the recent data breaches will prove to be the spark that lights the EMV fire.