
Cover Story: Durbinizing EMV

Everyone agrees EMV cards must comply with federal law. Trouble is, nobody can agree on how to make that happen. Meanwhile, a key EMV readiness deadline looms.

By Peter Lucas

This is no time for the payments industry to be arguing over how to route EMV debit transactions, what with the April 1, 2013, deadline for acquirers and processors to be EMV-ready just around the corner.

But, because of a host of factors, including the Durbin Amendment to the 2010 Dodd-Frank Act, that is exactly what’s happening.

The dispute stems from differences over three proposals to create an industry standard application identifier (AID) for chip-embedded debit cards based on the Europay-MasterCard-Visa specifications. This standard AID is necessary for EMV cards to comply with the Durbin Amendment’s requirement that all debit cards support at least two unaffiliated networks.

Two of the proposals come from Visa Inc. and MasterCard Inc. and a third from a working group of the Secure Remote Payment Council (SRPc), a trade group representing electronic funds transfer networks.

Under the EMV chip card specifications, the AID is a string of characters that identifies both the card’s network tie and the specific type of card it is, for example credit or debit. Because EMV is a proprietary standard belonging to MasterCard and Visa (MasterCard absorbed Europay in 2002), it does not allow network choice and so cannot comply with Durbin’s unaffiliated-network requirement, which went into effect April 1, 2012.

This is unlike magnetic stripes, which follow a common industry standard that dates back to the early 1960s. Mag-stripe cards can comply with Durbin because the stripes don’t dictate network choice.

A so-called common AID, however, could co-reside with the proprietary AIDs of the network brands and indicate to merchant processors that a lookup needs to be performed to see whether the merchant prefers to route transactions across an alternative network. The programming for that lookup, of course, is quite another matter, and may prove to be an intricate and time-consuming job.
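An added sketch, not taken from the article or from any network's proposal, of the lookup described above: a common AID on the card tells the processor to consult the merchant's routing preference, while a proprietary AID alone fixes the network. Every AID, BIN, network and merchant name is a constructed placeholder, and the preference table and availability set are assumptions about how a processor might implement the lookup.

```python
import re

# All values below are constructed placeholders, not registered AIDs,
# real BINs or real networks.
BRAND_AID = "F0000000011010"    # proprietary AID: implies exactly one network
COMMON_AID = "F0000000990840"   # hypothetical common debit AID
AID_NETWORK = {BRAND_AID: "BrandNet"}
NETWORK_OWNER = {"BrandNet": "BrandCo", "BrandDebit": "BrandCo",
                 "EftNetA": "EftCoA", "EftNetB": "EftCoB"}
# Issuer BIN -> debit networks the issuer enabled for cards in that range.
BIN_NETWORKS = {"400000": ["BrandNet", "EftNetA"],
                "400001": ["BrandNet", "BrandDebit"]}
# Merchant -> networks in order of preference (assumed lookup table).
MERCHANT_PREFS = {"M1": ["EftNetA", "EftNetB", "BrandNet"]}


def split_aid(aid_hex):
    """Split an AID into its 5-byte RID and 0-11 byte PIX (ISO/IEC 7816)."""
    if not re.fullmatch(r"(?:[0-9A-Fa-f]{2}){5,16}", aid_hex):
        raise ValueError(f"malformed AID: {aid_hex!r}")
    aid_hex = aid_hex.upper()
    return aid_hex[:10], aid_hex[10:]


def has_unaffiliated_pair(bin_prefix):
    """True if the BIN's networks belong to at least two different owners."""
    owners = {NETWORK_OWNER[n] for n in BIN_NETWORKS.get(bin_prefix, [])}
    return len(owners) >= 2


def route(card_aids, bin_prefix, merchant_id, available):
    """Return (aid, network) for a debit transaction, or None if unroutable.

    card_aids: AIDs read from the chip, in the card's priority order.
    available: set of networks currently reachable from the processor.
    """
    aids = ["".join(split_aid(a)) for a in card_aids]  # validate, normalise
    if COMMON_AID in aids:
        enabled = BIN_NETWORKS.get(bin_prefix, [])
        # Merchant's preferred networks first, then the issuer's own order.
        prefs = MERCHANT_PREFS.get(merchant_id, [])
        ordered = ([n for n in prefs if n in enabled] +
                   [n for n in enabled if n not in prefs])
        for network in ordered:
            if network in available:
                return COMMON_AID, network
    # No common AID (or nothing reachable through it): the proprietary AID
    # dictates the network, so there is no routing choice to make.
    for aid in aids:
        network = AID_NETWORK.get(aid)
        if network in available:
            return aid, network
    return None
```

The second BIN in the sample table lists two networks with the same owner, so `has_unaffiliated_pair` rejects it even though two networks are present.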

Since Durbin is federal law, and makes no distinction between conventional mag-stripe cards and chip cards, all of this is a big problem for EMV. And the problem grows only bigger with the processor-readiness deadline, set by the major card brands, rapidly approaching.

‘Not Like Other Markets’

The imminent arrival of that deadline finds the debit industry embroiled in haggling over five issues: ownership of the standard; a routing rule within the MasterCard proposal; Visa’s decision not to address contactless EMV transactions in its proposal; a lack of specifics concerning the cardholder-verification methods to be used; and how long it will take the EFT networks to develop the technology needed to support what they are calling their common AID.

The bottom line for whatever common AID is adopted is that it must replicate the magnetic-stripe card environment, according to payments executives.

As if resolving those issues weren’t complex enough, rumors that Discover Financial Services, owner of the Pulse EFT network—an SRPc member—may put its own common AID on the table are gathering steam. If Discover—which remains mum about its plans, if any, regarding a common AID—does so, it will only further muddy the waters, according to payments experts.

The complexity of making EMV comply with Durbin, quite apart from the politics of network competition, could keep stakeholders arguing over which path to pursue for several months after the April 1 deadline. If that happens, it is likely to only create more headaches for the industry as Visa and MasterCard will be faced with tough decisions when it comes to enforcing compliance.

Not surprisingly, many payments executives are holding out hope that either a compromise can be reached in the crucial weeks remaining before the deadline or that Visa and MasterCard will grant an 11th-hour deadline extension.

“The U.S. is not like other markets where EMV has been implemented,” says Mary Weaver Bennett, director of government and industry relations for the Electronic Transactions Association, a Washington D.C.-based trade association for transaction processors. “Not only are there 18 EFT networks that handle debit transactions, we also have Durbin to contend with, which does not specifically address EMV and vice versa. Given the choices facing the industry right now, it’s hard to say which way it will go when it comes to a common AID.”

‘The Nuances of Debit’

Two likely scenarios exist for resolving the AID debate. The first, and most desirable, according to network executives, is that a compromise be reached on all three competing AID solutions to create a single, open AID standard. This would allow innovation at the network level in the form of complementary applications that EFT networks could sell to merchants as a point of differentiation.

“If the AID adopted is not an open standard, the rules beneath it can’t be specific to my network, which limits the kind of innovation we can offer merchants in the chip,” says Terry Dooley, senior vice president and chief information officer at the Johnston, Iowa-based Shazam Network, an SRPc member. “Instead, all participating networks would offer the same kinds of features.”

The second scenario is said to be far less desirable. If no agreement on a common AID can be reached, it is possible Visa, MasterCard, the EFT networks, and even Discover, would each move forward with their own AID, forcing issuers and processors to choose sides.

The result would be a splintered debit environment where issuers will not be able to freely change networks, as they can do now in the mag-stripe environment. Chip cards have come down in cost over the years, but they are still far more expensive to re-issue than are mag-stripe cards.

Such a scenario could draw the attention of federal regulators intent on making certain the industry is complying with not only the letter of the Durbin law, but the spirit of it (sidebar). Nor would this scenario be likely to sit well with merchants. “We want a single AID solution,” says John Drechny, senior director of payment services for Bentonville, Ark.-based Wal-Mart Stores Inc.

As the world’s largest retailer, Wal-Mart has the clout to rally its retail brethren in opposition to a multi-AID environment and choose a winner from the competing solutions. Should Wal-Mart come to terms with Visa or MasterCard, that would likely divert huge volumes of debit transactions to the bank card networks, leaving the EFT networks out in the cold.

But the EFT networks can breathe easy for the time being. “So far, none of the AID solutions proposed fully meet the needs of the merchant community, which has spelled out its needs to the payment networks,” says Drechny.

Key to resolving the impasse will be compromise by all the networks. “Any plan for EMV must be flexible to accommodate the nuances of how the EMV application selection process impacts debit routing choices,” says Patty Walters, senior vice president of merchant products and security for Vantiv Inc., a Cincinnati-based acquirer that owns the Jeanie EFT network. “The U.S. is the largest and last market to migrate to EMV and solving this issue is going to require compromise. Not everyone is going to get what they want, but from discussions so far, it appears that the stakeholders involved can find ways to work together to finalize a solution, that at a minimum, offers the same debit routing capabilities as are available to retailers today.”

How a compromise will be achieved is what’s keeping debit executives up at night. Each of the three groups proposing a common AID insists theirs is best suited to making debit EMV transactions Durbin-compliant. “While compromise is needed, over what issues it will be on is still being worked out,” says Dooley.

‘Lingering Questions’

One issue that will certainly be a focus of compromise is a controversial requirement contained in MasterCard’s proposal. In January, MasterCard offered to let issuers use its Maestro network AID as a common identifier for Durbin compliance. But it also required that all EMV debit transactions first be routed through Maestro before arriving at the final network switch.

MasterCard, which says it would not levy switch fees on these transactions, explains the requirement as a way for processors to simplify EMV testing and certification.

MasterCard released its proposal in mid-January, just as members of EMV working groups affiliated with the Smart Card Alliance, a trade group promoting chip cards, and the SRPc were convening a teleconference on the routing issue.

Participants on the call expected to hear from both Visa and MasterCard whether they would support the SRPc’s common AID. Instead, MasterCard advanced its Maestro alternative, and Visa unexpectedly backed out of the call at the last minute. After the call, MasterCard’s proposal was met with a great deal of skepticism.

What concerns EFT network executives about MasterCard’s proposal is that while MasterCard may be opening up its Maestro AID for industry use, the nation’s No. 2 payments network would retain ownership of the standard and its supporting technology.

“Having to first route transactions through MasterCard creates lingering questions about ownership of the AID and how it will be governed, and that’s tough for other networks to swallow,” says Paul Tomasofsky, president of the Westwood, N.J.-based SRPc, which within two weeks of MasterCard’s announcement rejected the offer.

Tomasofsky also points out that MasterCard’s requirement that all debit transactions first be rolled up through its network creates a single point of failure that would make it difficult for merchants to move EMV transactions to processors in the event MasterCard’s network were unavailable.

“In the mag-stripe world, network choice is available on the front-end, before the transaction is routed, which allows merchants to get around a single point of failure,” Tomasofsky says. “Our goal for EMV is to create a set of common AID parameters controlled by the industry that allow merchants to choose the network over which the transaction is routed.”

MasterCard acknowledges it will retain ownership of its AID technology, but counters that its solution does not stymie development of proprietary applications by EFT networks, such as consumer loyalty programs, which they can offer merchants.

“Our intent was to provide a solution, not suggest something else,” says Carolyn Balfany, group head for product delivery for MasterCard. “MasterCard offered the industry use of its AID because it could immediately answer the requirements for making EMV debit transactions Durbin-compliant.”

‘On the Hot Seat’

While MasterCard’s proposal didn’t go over particularly well, Visa took even more heat for its proposal, which it released early last month. Visa’s gambit is what the No. 1 network calls a “generic, unbranded” AID that the debit industry could use as its common identifier. The network offers the AID at no charge and says there is no requirement that transactions pass through its switch.

Nonetheless, the proposal met with deep-seated skepticism, particularly at a conference last month in Salt Lake City organized by the Smart Card Alliance, a trade group for companies involved in chip card applications. “Visa was on the hot seat in Salt Lake City,” one member of the EMV Migration Forum, a subgroup of the Alliance, tells Digital Transactions. “There are a lot of questions being asked about its proposal.”

Lacking in Visa’s offer, for example, are specifics about routing and processing contactless EMV transactions. Details on that topic could be critical to future discussions, according to Shazam’s Dooley. “With mandate deadlines in April to support both contact and contactless transactions, you can’t leave the door open on contactless,” he says. “The industry needs to resolve it all at once so there is a clear view of where it is heading.”

Stephanie Ericksen, head of authentication product integration at Visa, says that while Visa’s proposal does not address contactless transactions, that point will be discussed going forward.

On the plus side for Visa, its proposal would allow card issuers the option of placing Visa’s debit app and AID, as well as the common app and AID, on their card. “It will not be a requirement that our common AID be adopted,” Ericksen adds.

Visa says its common AID will also support both point-of-sale and ATM transactions. And, issuers will have a choice of adopting Visa’s common AID and then developing their own AID if they wish, according to Ericksen.

As industry executives mull over Visa’s and MasterCard’s respective offers for a common AID, questions are being raised about the cardholder-verification methods each option will require. Options include PIN, signature, and no cardholder verification for transactions under a preset floor limit. “Choice of the cardholder-verification method plays a role in debit-routing decisions,” says Vantiv’s Walters.

Some payments executives argue that requiring no cardholder verification on EMV debit transactions won’t fly with most merchants as it increases the fraud risk on those transactions, which chip-and-PIN solutions are supposed to prevent.

“Signature is not as secure as PIN, and no signature is even less secure,” says Dooley. “The question is how to proceed on this issue without favoring one cardholder verification method over another.”

Racing the Clock

Standing in the EFT networks’ way is time—or rather the lack of it before the April 1 deadline. The argument against the EFT networks’ proposal is that their AID is likely to be built from scratch, which will require months of testing before it can be validated and rolled out, time the industry currently does not have.

“Developing a common AID from scratch is a cumbersome, time-consuming process,” says Ericksen. “What we are offering the industry is a proven AID it can use to get up and running quickly. EFT networks that adopt our AID can meet the liability shift and later develop an AID specific to their own network if they choose.”

Despite all the talk about the need for compromise, the key players in this drama are determined to defend their own turf for now, which makes it unlikely a compromise will emerge before the sand in the hourglass runs out.

Instead, look for Visa and MasterCard to grant 11th-hour extensions to processors and acquirers for EMV compliance to allow for a common AID to be selected, which is what the Merchant Advisory Group, a trade group for big-box merchants, urged Visa and MasterCard to do in late January.

“Liability shifts for EMV can’t take place, nor can the threat of penalties for non-compliance, until the debit-routing issue is resolved,” says Mark Horwedel, chief executive of the MAG.

The liability shift refers to a switch in liability for fraud resulting from counterfeit cards from the issuer to the merchant if the merchant hasn’t installed EMV-capable point-of-sale gear. Under the major card brands’ timelines, this shift will occur for most merchants on Oct. 1, 2015.

So far, Visa and MasterCard say they have no plans for moving back the April 1 deadline. While their stance is seen by some payments executives as a bluff, since last-minute deadline extensions are part of the networks’ history, the question for EFT networks, issuers, and acquirers is whether they are willing to call the card brands’ bluff.

That answer will be revealed by April 1.

Nagging Concerns About Government Intervention

Best-case scenario in the debate on the common AID: Visa, MasterCard, and the EFT networks all agree on an open AID standard to make debit EMV transactions compliant with the Durbin Amendment by April 1. Worst case, each entity creates its own common AID, which draws the attention of federal regulators.

At issue in a multi-AID environment is whether the solutions in place provide the routing choices mandated under federal law. “If the main players come up with their own solutions, then it’s going to be a question of whether those solutions provide the routing choices Durbin mandates or if the industry simply ends up primarily supporting a duopoly [in the form of MasterCard’s and Visa’s solutions],” says Mary Weaver Bennett, director of government and industry relations for the Washington D.C.-based Electronic Transactions Association. “Without complete cooperation among the networks, the federal government, which has shown an interest in this issue, could step in and set the industry standard.”

Mark Horwedel, chief executive for the Merchant Advisory Group, concurs that federal intervention is a possibility in a multi-AID operating environment. “Multiple AIDs may not provide the kind of network routing choices and competition among the networks merchants want and it is the duty of federal regulators to police the industry for compliance with Durbin if that is the case,” he says.

Still, some payment executives believe that a multi-AID environment will pass the sniff test with federal regulators. “If three AIDs are the best the industry can do, then it is absolutely better than four, five, six, etc., and certainly better than none at all,” says a payments executive who requested anonymity. “Key is that all AIDs address the routing requirements of Durbin. The United States is the only country where EMV has been rolled out where there has been no government involvement. All the parties involved in developing the AID prefer to keep it that way.”

An Alternative to EMV?

Apparently, not everyone in the payments business is happy with the fact that EMV belongs to Visa Inc. and MasterCard Inc. In January, the Accredited Standards Committee X9 Inc., which develops standards for the financial-services industry, released a letter asking payments executives if they would like to hold a meeting to discuss an open-standard alternative to EMV.

“EMV is a proprietary standard, that’s part of the issue,” says Cindy Fuller, executive director of ASC X9. Governments around the world, she says, “are looking for open, non-proprietary standards.”

The Annapolis, Md.-based X9’s letter didn’t specify any places or dates for the meeting but it asked for responses by Feb. 11. It also said the Federal Reserve would host the two-day meeting. Information about the response to the letter wasn’t available when this story went to press.

Some “stakeholders have raised concerns,” the letter said, about EMV’s age, its proprietariness, and the ability of eventual U.S. implementations to interoperate with deployments overseas. Any open chip card standard that might result from the X9 effort, the letter added, would be an alternative to the two-decades-old EMV standard, not a replacement.

While not identifying the “stakeholders,” Fuller says, “The discussion started because [EMV] is not an open, global, voluntary standard.” EMV has been in use in various places around the world for some time, including parts of Europe and Asia as well as Canada and Mexico, but Fuller says the ability of issuers, merchants, or processors to have a say in how the standard works is what is critical. “The issue is, how much input does the industry have?” she says. “Is it possible to sit at a table and raise your hand and have impact?”

The X9 committee develops standards for U.S. financial services ranging from payments to securities. Its members include payments networks, processors, payments technology vendors, providers of security solutions, merchants, and banks. Once finalized, the committee’s standards are adopted by the American National Standards Institute (ANSI).

While the committee lists 117 member organizations on its Web site, Fuller says membership actually exceeds 200.

Some executives involved in shepherding U.S. EMV adoption express surprise at X9’s effort. Before the letter appeared, “I hadn’t heard any discussion from payments-industry stakeholders that this [meeting] is something that needs to happen and we need to call on X9,” says Randy Vanderhoof, executive director of the Smart Card Alliance, a trade group based in Princeton Junction, N.J.

A sub-group of the SCA, the 100-member EMV Migration Forum, has been at work since July on ironing out EMV implementation issues. While not a standards body, the Forum has 19 members in common with the X9 committee, according to the membership lists posted on the respective organizations’ Web sites.

Still, Vanderhoof doesn’t dismiss the possible utility of the sort of discussion that might take place in an X9 meeting, if one were to be held, especially with the Fed as the host. “It would be welcome to have an open dialog about this, and [the Fed] may be the right organization to do that,” he says. But caution will be necessary, particularly with EMV already in the process of being implemented, he warns. “If it’s not broken, don’t fix it,” he says.

Key EMV Migration Dates

EMV Chip Deadlines

April 1, 2013 – U.S. acquirer processors and sub-processor service providers required to support merchant acceptance of chip transactions and process additional data that is included in chip transactions, including the cryptographic message. Visa’s ATM readiness date, however, is two years later.

April 1, 2015 – Visa requires U.S. third-party ATM acquirer processors and sub-processors to support EMV chip data.

Oct. 1, 2015 – Liability shift for domestic and cross-border counterfeit card-present point-of-sale transactions.

Oct. 1, 2016 – Liability shift for MasterCard for U.S. ATMs.

Oct. 1, 2017 – Liability shift for domestic and cross-border counterfeit card-present transactions at automated fuel dispensers and, for Visa, U.S. ATMs.

Source: Visa Inc., MasterCard Inc.
