Last week, congressional leaders in Washington continued with their focus on the safety of the U.S. payments system in the aftermath of the massive retailer breaches at Target, Neiman Marcus and others. The House Committee on Financial Services held its session March 5, while the House Committee on Science, Space and Technology hearing was held March 6. The message coming out of the hearings was that the adoption of EMV cards is just one of many steps that need to be taken to secure the U.S. payments system.
Not coincidentally, MasterCard and Visa have announced the formation of a cross-industry group focused on enhancing payments system security to keep pace with the expectations of consumers, retailers and financial institutions. The companies say that the group "will initially focus on the adoption of EMV chip technology in the United States, in addition to addressing other security-related topics, including tokenization, point-to-point encryption and broader needs of the region."
Named after its original developers (Europay, MasterCard® and Visa®), this smart chip technology features payment instruments (cards, mobile phones, etc.) with embedded microprocessor chips that store and protect cardholder data. This standard has many names worldwide and may also be referred to as: "chip and PIN" or "chip and signature." EMVCo. is the standards body collectively owned by American Express, JCB, MasterCard and Visa. These companies also comprise the organization that maintains the Payment Card Industry Data Security Standard (PCI-DSS).
Under the EMV standard, a cardholder’s confidential data is more secure than on the current magnetic stripe card due to the fact that EMV supports dynamic authentication that is verified by the point of sale (POS) merchant terminal. The EMV system has been long in coming to the United States. As we know from earlier congressional hearings, Target unsuccessfully tried to implement it and, for the last few years, the payment networks have been trying to spur adoption. Uncertainty from litigation and complexity of implementation by retailers have delayed the implementation of EMV in the United States.
As a result of the high profile and the size of the most recent breaches, the timetable for adoption of EMV in the United States is likely to speed up or, stated more accurately, there will likely not be long delays. However, EMV is not the silver bullet. Experts agree that EMV would not have prevented the Target breach because the malware that attacked Target was looking for account information inside POS devices’ memories, where data is unencrypted. This information would have been compromised regardless of whether or not it came from EMV cards because it was not taken directly off the cards themselves. Most significantly, while EMV provides authentication at the POS device, it has no effect in online transactions. Thus, as more brick-and-mortar merchants implement EMV technology, we can expect higher risk for fraud and data breaches for online merchants as the fraudsters shift their focus.
There is no agreement at this time if the EMV adoption in the United States will be coupled with a PIN or a signature requirement. Cards will continue to be issued with a magnetic stripe. Also, while experts agree that a layered approach is necessary to truly protect payment data, there is no agreement on what, if any, other data protection element, such as tokenization, is needed.
The newly formed cross-industry group is just one of the ways Visa and MasterCard are trying to ensure widespread adoption of EMV. They have also issued upcoming rules and guidelines for processors and merchants to support EMV chip technology.
Visa is introducing its Technology Innovation Program (TIP) to the U.S. region, which waives an annual PCI-DSS audit if 75 percent of the merchant's Visa transactions are processed through a dual contactless and contact EMV certified device. MasterCard is introducing its PCI-DSS Compliance Validation Exemption Program to the U.S. region, which also waives the annual PCI-DSS audit if 75 percent of the merchant’s MasterCard transactions are processed through a dual contactless and contact EMV certified device.
If the waiver of a PCI-DSS audit is not incentive enough, the coming liability shift will certainly be. Under the payment network guidelines, merchants who have not made the investment in chip-enabled technology by the network deadlines may be held financially liable for card-present fraud that could have been prevented with the use of a chip-enabled POS system. When the liability for fraudulent transactions will shift depends on the card brand, but October 1 of 2015 and 2017 are key dates for Visa, and October 1 of 2015, 2016 and 2017 are key dates for MasterCard. American Express has announced October 1, 2015 for its liability shift date. Recently, the networks have reiterated their commitment to adhere to the liability shift dates.
What to Do – NOW
In the past the payment networks have either extended or completely abandoned their own timelines. That will likely not be the case this time around. Congressional attention on the retailer breaches and the impending liability shift has become a catalyst for EMV adoption. It is likely that EMV implementation in the United States will now be on the fast track; thus, it is important to start the planning process now. For issuing banks, working with card manufacturers that can produce EMV cards may become a challenge as there is a limited number of such manufacturers. For merchants, the situation is similar, as the demand for EMV-enabled POS terminals will skyrocket in the coming months.
- Develop a Business Plan for your Specific Business. For retailers, equipment upgrades will be both costly and time consuming. For some retailers, the business plan will have to include an assessment of whether the amount of fraud prevention may deliver an acceptable ROI for the cost and effort to implement this technology. Implementing EMV chips will speed up mobile and contactless payments and make them more secure. The devices that accept EMV chip cards are dual contact/contactless devices. Thus, merchants should ensure that their business plan includes capturing mobile and contactless payments, especially with respect to gift cards and loyalty/reward programs.
- Get Involved. Participate in industry-specific groups. Follow closely what the payment networks, the U.S. Congress and regulators will propose with respect to payment data security. Don’t forget about the Federal Reserve Board payment system improvement project and its ramifications for upcoming regulation and implementation of EMV. http://fedpaymentsimprovement.org/
- Don’t Wait! The first merchant in the United States to accept EMV cards in many of its stores is Walmart. Sears, Target and CVS Caremark have announced the rolling out of Chip and PIN at an accelerated pace. As market pressure builds in all segments of the payment network infrastructure, there will be pressure on resources.
- Go Beyond the Requirements. Putting in place a successful strategy that addresses both POS and online transaction security, as well as personal data security, generally will require going beyond the current requirements/recommendations. Understanding how and what new technologies can be layered in the protection of private and financial data will be a market differentiator.
Payment system security is a complex problem that cannot be solved by any single technology, standard, mandate or regulation. Consequently, a multi-faceted, business-oriented, risk-based plan is needed before the flood gates of EMV adoption open.