What is EMV & why is it important?
EMV is an acronym for Europay, MasterCard, and Visa, and represents the 1994 founders of the global standard for credit and debit payments based on chip card technology. Today, Europay is owned by MasterCard and EMV standards are set by EMVCo, a joint venture of Visa, MasterCard, American Express, and JCB (find EMV information and specifications at www.emvco.com).The terms chip cards, chip and PIN cards, and “smart cards” are used interchangeably and they are plastic cards that contain an integrated circuit (microprocessor) that contains payment related information protected by layers of security. Although it’s important to note that EMV standard allows for cardholder verification methods other than a PIN. More on that later.
Unlike mag-stripe cards that easily can be copied (“skimmed”), chip cards combat counterfeiting by assigning a dynamic value for each transaction. Worldwide deployments have shown that chip cards are more secure than traditional magnetic stripe cards used in the U.S. In the U.K., card fraud loss rate declined 48% from 2001 to 2008 with the implementation of EMV cards.
The following table shows the rest of the world is well ahead of the U.S. in deploying EMV terminals and issuing EMV cards. In fact, the U.S. is the only member of the G20 not to have adopted EMV.
EMV standards can be thought of as a payment application that resides on the microprocessor of a smart card. Which brings us to another key aspect of EMV – EMV payments are not just limited to cards. EMV payments can be made by any device that contains a microprocessor and has an EMV payment application. EMV payments can be made via contactless devices (contactless cards, watches, etc.) or personal devices like smart phones. A smart card could also be a contactless card if the issuer has enabled the dual interface (contactless cards communicate via radio frequency antenna on the chip).
There are two primary ways that EMV transactions can be authenticated – signature and PIN. The most common method of verification in global deployments of EMV is PIN, and thus the name “chip and PIN”. Although many merchants are in support of eliminating signatures as an EMV cardholder verification method in the U.S. market, both Visa and MasterCard have stated that they will continue to support signature. In addition, both networks will also support no cardholder verification (or ‘no CVV’) for low-value, low-risk transactions like payments at quick service restaurants and parking meters.
Why is EMV getting so much attention now?
Last August Visa rolled out a roadmap to accelerate EMV migration and mobile payments. The roadmap contained the following “carrots” and “sticks” to motivate participants in the payments ecosystem.
- Expand TIP – Visa will expand its Technology Innovation Program (TIP) program to merchants in the U.S. TIP will end the mandate for merchants to validate their compliance with the PCI Data Security Standard (PCI DSS) for any year where 75 percent of the merchant’s Visa transactions stem from chip-based terminals. To accommodate the Visa mandate, merchants must use terminals that support contact and contactless chip technology. “Qualifying merchants must continue to protect sensitive data in their care by ensuring their systems do not store track data, security codes or PINs, and that they continue to adhere to the PCI DSS standards as applicable,” said Visa.
- Build Infrastructure – Visa will require U.S. acquirer processors and sub-processors to support merchant acceptance of chip transactions no later than April 1, 2013. “Chip acceptance will require service providers to be able to carry and process additional data that is included in chip transactions, including the cryptographic message that makes each transaction unique,” said Visa. Visa will provide “additional guidance as part of its bi-annual Business Enhancements Release for acquirer processors to certify that their systems can support EMV contact and contactless chip transactions.”
- Shift Liability – Visa intends to institute a U.S. liability shift for domestic and cross-border counterfeit card-present point-of-sale (POS) transactions, effective October 1, 2015. Fuel-selling merchants will have an additional two years, until October 1, 2017 before a liability shift takes effect for transactions generated from automated fuel dispensers. Currently, POS counterfeit fraud is largely absorbed by card issuers. With the liability shift, if a contact chip card is presented to a merchant that has not adopted, at minimum, contact chip terminals, liability for counterfeit fraud may shift to the merchant’s acquirer. The acquirer will likely shift that liability down to the merchant. So this liability shift really encourages EMV adoption.
MasterCard recently announced that acquirers must support EMV transactions by April 2013 – the same timeline as Visa. MasterCard has not yet provided any specific guidance on PCI implications and liability shift, although they have begun to provide hints regarding this approach. At a Smart Card Alliance conference in February, Chief Emerging Payments Officier Ed McLoughlin explained that MasterCard has established a “liability hierarchy” to rate, from least to most secure, the different card-acceptance methods based on the interplay between the card and the acceptance device – whether it is a POS terminal or a phone. Under the system, the magnetic stripe card would be least secure and the chip-and-PIN the most secure.
So what are the benefits for the merchant and other players in the industry?
Reduction in counterfeit card fraud is the biggest benefit for all the players in the payments industry. Here are some other benefits (and costs) for merchants, acquirers, issuers, and consumers.
What are the implications and key take-away for merchants?
The U.S. is finally catching up to the rest of the world and EMV is going to be a reality within a few years. Merchants, especially retailers, should start planning for the conversion and capital expense. Here are a few things to keep in mind, in order of priority:
- any investments or upgrades in your payments infrastructure from now to the next three years should be made with EMV at top of the mind (and not just for cards, but also for mobile payments)
- identify and quantify the cost of hardware and software upgrades for EMV
build an EMV ROI analysis to frame the costs and benefits of this investment to your management
- you’ll have EMV costs from step 2
- the benefits include
- savings from eliminating PCI audits through the reduction of costs associated with annual PCI DSS validation (important for Level 1 and Level 2 merchants)
- reduced chargebacks and fraud related expense…you model reductions based on data from other countries
- potential loyalty applications (the microprocessor on a smart card and to a much greater degree on a smart phone can support loyalty programs, couponing, and offers)
- start requesting information from your acquirer and payment vendors about their roadmap, EMV support, and the costs for new hardware/software
Send us your thoughts on EMV at firstname.lastname@example.org