Abstract:
As we near the October 15, 2015 credit card processing mandate (see below) to switch to the global credit card processing standard called EMV, it’s important to understand what it is as well as what it isn’t.
EMV isn’t mandated by PCI, nor does it need to be implemented to remain PCI compliant. However, EMV represents a significant security benefit. EMV provides the option of either “Chip and PIN” or “Chip and Signature”, meaning the retailer must be able to capture either a PIN or a signature with each card-present transaction. As opposed to more secure point-to-point encryption (P2Pe) technologies, current EMV processing is “in the clear” but is considered safe because no sensitive cardholder data is sent when processing transactions: each transaction is uniquely encoded by the chip in the smart card.
We believe the proper solution is to integrate EMV with P2Pe technologies as well as tokenization so we can maximize the enhanced security to at least briefly retain tokens for subsequent transactions like returns of previous sales and potentially recurring payments.
What the October 2015 mandate effectively does is shift the liability for fraudulent transactions toward merchants and their banks. But the true incentive for retailers to adopt EMV technology is that it allows the retailer to significantly reduce their risk and compliance costs for credit card breaches and shift the liability back to the card issuers and acquirers.
What is EMV?
EMV stands for Europay, Mastercard, and Visa and represents a credit card processing standard that began in France, is already prevalent in Europe and Canada, and is quickly becoming an international standard. The standard is now managed by EMVCo LLC, a public company whose membership includes JCB, American Express, Mastercard and Visa. The advantages of EMV include the ability to have multiple applications on a chip, which allows for much more storage than a simple magnetic stripe, the current de facto standard in the United States. A strong advantage of EMV is that it uses a unique transaction identifier for authorization – once it’s used, it can’t be used again and is therefore of no value if it’s stolen, as it changes for each transaction. Finally, it can be combined with the additional security of a PIN instead of just a signature, which is seldom verified in the real world.
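To show why a stolen EMV transaction identifier is worthless to a thief, here is an added, deliberately simplified model of the idea (example code written for this page, not Smyth Retail’s or EMVCo’s software). It assumes a per-card key derived from an issuer master key, a transaction counter kept on the chip, and an HMAC-SHA256 “cryptogram” over the transaction data; real EMV cards use 3DES/AES-based MACs and a richer data set, so the names and keys here are constructed for illustration only.

```python
import hashlib
import hmac
import secrets

# Constructed sample values; not a real key or card number.
ISSUER_MASTER_KEY = b"constructed-issuer-master-key-for-illustration"
SAMPLE_PAN = "4111111111111111"


def derive_card_key(master_key: bytes, pan: str) -> bytes:
    """Per-card key derived from the issuer master key.
    Simplified: HMAC-SHA256 stands in for the 3DES/AES derivation real cards use."""
    return hmac.new(master_key, pan.encode(), hashlib.sha256).digest()


def cryptogram(card_key: bytes, pan: str, amount_cents: int, atc: int, un: str) -> str:
    """MAC over the transaction data. The application transaction counter (ATC)
    and the terminal's unpredictable number (UN) make every value unique."""
    msg = f"{pan}|{amount_cents}|{atc}|{un}".encode()
    return hmac.new(card_key, msg, hashlib.sha256).hexdigest()


class ChipCard:
    """The chip: holds its key and a counter that only ever increases."""

    def __init__(self, pan: str, master_key: bytes):
        self.pan = pan
        self.key = derive_card_key(master_key, pan)
        self.atc = 0

    def authorize(self, amount_cents: int, un: str) -> dict:
        self.atc += 1
        return {
            "pan": self.pan, "amount": amount_cents, "atc": self.atc, "un": un,
            "cryptogram": cryptogram(self.key, self.pan, amount_cents, self.atc, un),
        }


class IssuerHost:
    """The issuer: recomputes the cryptogram and rejects any counter it has already seen."""

    def __init__(self, master_key: bytes):
        self.master_key = master_key
        self.highest_atc: dict[str, int] = {}

    def verify(self, req: dict) -> str:
        key = derive_card_key(self.master_key, req["pan"])
        expected = cryptogram(key, req["pan"], req["amount"], req["atc"], req["un"])
        if not hmac.compare_digest(expected, req["cryptogram"]):
            return "DECLINE: cryptogram does not verify"
        if req["atc"] <= self.highest_atc.get(req["pan"], 0):
            return "DECLINE: transaction counter already used (replay)"
        self.highest_atc[req["pan"]] = req["atc"]
        return "APPROVE"


def demo() -> tuple:
    """Genuine sale, a replayed copy of it, a copy with the amount changed in flight,
    and a fresh second sale. Returns the four issuer decisions in that order."""
    card = ChipCard(SAMPLE_PAN, ISSUER_MASTER_KEY)
    issuer = IssuerHost(ISSUER_MASTER_KEY)
    req = card.authorize(1999, secrets.token_hex(4))
    first = issuer.verify(req)
    replay = issuer.verify(req)                     # same message sent again
    altered = issuer.verify(dict(req, amount=100))  # amount edited after the chip signed it
    second = issuer.verify(card.authorize(1999, secrets.token_hex(4)))
    return first, replay, altered, second


if __name__ == "__main__":
    print(demo())
```

The point the page makes about liability follows from the two checks in `verify`: anyone who captures the authorization message off the wire gets a value that verifies only once and only for the exact amount the chip signed, so there is no reusable card number to steal.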
The Retailer’s Liability
To really understand the importance of moving toward EMV, it is critical to understand the mandates and how they affect a retailer’s liability. In essence, the credit card companies have gotten behind the EMV standard by stipulating that any party using a less secure technology (such as magnetic stripes) instead of EMV is held liable for fraud and breaches. While the standards vary by card provider, they universally define a retailer as compliant if 75% of all transactions are processed on hardware capable of EMV – even if the card is swiped. As a matter of fact, what the mandates do is shift the liability to any party in the channel that isn’t supporting EMV. For example, if the issuing bank isn’t paying for the more expensive chip cards and issues a magnetic card that is used at a retailer who supports EMV, it is the issuing bank, NOT the retailer, who will be liable. And the cost benefits go higher: MasterCard already offers a PCI Audit Relief program for retailers who adopt EMV, indicating a push toward easier compliance requirements that we expect to spill over to the PCI standards.
What seems to be developing is an environment where the liability goes to the weakest link in the chain – the issuing bank, the acquiring bank or the retailer. While a retailer will always need to be PCI compliant, the direct cost and energy required to remain PCI compliant goes down as additional security is added and risk is reduced. Ultimately, credit card rates will be based on compliance. The banks have a head start on retailers, but the cost of new credit card machines is small compared to the infrastructure costs for the banks. Ultimately, the benefit of better security for every retailer is protecting their client base and reputation.
For a great summary of the EMV Mandates by card company see: http://www.emv-connection.com/emv-migration-driven-by-payment-brand-milestones/
Chip and Signature or Chip and PIN
EMV comes in two flavors: “Chip and Signature” or “Chip and PIN”. The requirement for a PIN (Personal Identification Number) with the use of a credit card is a big part of what has prevented the US from adopting this technology. Nevertheless, “Chip and Signature” with EMV is still more secure than a magnetic swipe and signature, especially if the swipe isn’t encrypted. Of course, the most secure method is “Chip and PIN”, which is well suited to the brick-and-mortar environment of specialty store retailers and can significantly reduce the costs of PCI compliance and liability. In other words, the strongest security position is for a retailer to offer their customers the most secure option and have them enter a PIN with each transaction.
Moving Across the Pond
Only in the last few decades has the US gotten used to using a PIN with debit cards. But there is serious resistance in the fine dining industry, where requiring PIN codes will be expensive and burdensome, to say nothing of culturally uncomfortable – at least for now. Therefore, adoption is expected to include “Chip and Signature” as well as the more secure “Chip and PIN” option, depending upon the operational environment. While restaurants will lean toward signatures, specialty stores can easily adopt the more secure PIN methodology to further mitigate risk.
While the EMV standard was evolving in Europe, the United States has been strengthening security by encrypting the cardholder information that is communicated, so that if the traffic is intercepted the card information is useless (until the latest encryption key is broken, and in time they all are). With point-to-point encryption (P2Pe), the card data is encrypted by the device where it’s swiped (or entered) and decrypted by the credit card processing software (NetEPay). As long as the end points are secure, intercepted network traffic can’t be interpreted. Whereas EMV uses the chip to provide a unique transaction ID that has no value for thieves, P2Pe encrypts the traffic so that if it is intercepted it can’t be read. Where this really comes together is in the implementation of tokenization, which allows a card to be reused for returns or repeat transactions without the retailer storing the card number.
The effect on Mobile POS
The liability shift may well slow down the movement toward mobile POS, as it will lean toward the more expensive and less secure “Chip and Signature” methodology. Based on the current security requirements for debit PIN pad devices, it’s hard to see them being affordable on mobile devices (especially consumer-grade devices), while dedicated PIN pads defeat the benefits of mobile POS. But the good news is that the EMV standard requires acceptance of both contact and contactless card processing. We expect Near Field Communication (NFC) to be a significant player in the credit card processing arena once personal cell phones represent a customer’s wallet. Yet the industry remains young enough to cast doubt on which platform or platforms will prevail. As an industry standard emerges, some retailers will want to offer their own applications and interfaces.
Summary
At Smyth Retail we are constantly evaluating better and more secure options for our clients. We believe the best solution is to combine EMV with P2Pe, and we have every indication that our partners are adopting this strategy. While not strictly required for tokenization, we believe the added protection is fundamental to its implementation. Tokenization allows the retailer to save a “token”, or unique code, that can be used the next time the cardholder information is needed – such as for a return or scheduled billing. While this token is re-issued for every transaction, it does represent stored information that can potentially be used for fraudulent purposes. We expect to be able to offer this benefit to our clients while providing the most secure and fraud-proof solution in the marketplace.
Robert Kerl says
Tim, nice clear article, thanks.
This may sound like a stupid question, so apologies if it does. But is there such a thing as “P2PE with chip-and-signature”? i.e. all card and transaction data encrypted on the PED (ironically not used for the ‘P’ element of the PED) but where the signature acts as a validation/check for the merchant that the cardholder was present.
Bob
Tim Smyth says
Bob,
It’s a great question. The first clarification is to understand two different levels of encryption: encryption of the PIN, which is within the device, and encryption of the cardholder information as it is sent to the processor. With EMV, the cardholder information is in the form of a token which, generally speaking, has been sent in the open because it’s valid only for a single use. This is the underlying benefit of EMV. Currently, there is no EMV requirement to encrypt EMV traffic, but we, and our partners, are going to combine these benefits and encrypt the EMV tokens.
Chip and PIN is preferable to Chip and Signature, and there are requirements (including the exact text) in the EMV standard for when a signature is required, though we are not sure when that might be when Chip and PIN is available (perhaps for a bank that doesn’t support it). Remember that the liability is shifted to the weakest link in the chain – if the bank doesn’t support PIN and you do, any loss is their responsibility. Likewise, if the processor can support PIN and a retailer uses Signature, the burden is reversed.
I hope this answers your question – feel free to clarify any part of this.
Tim Smyth says
Here is a good article on this subject.
http://www.independentwestand.org/emv-chip-cards-small-businesses/?mc_cid=93aec0b4a6&mc_eid=e9fcca4a8f