The nearer we get to the October 2015 EMV “Mandate”, the harder the little engine works at convincing retailers to react, without clearly identifying what the EMV mandate means and what its implications are. We are being inundated with disinformation and poor reporting on the subject, and we need to shed some light on the details to get the discussion back on the right track. Protecting cardholder information is paramount for all retailers, and EMV does offer some security benefits, but this mandate doesn’t mean that a change must or should be implemented immediately, and there may be good reason to delay its implementation.
The first myth to bust is the term “mandate”: it is simply a shift in liability for individual chargebacks. If a chargeback is issued for a transaction, the liability belongs to the party that doesn’t support EMV, be it the retailer, the issuing bank or the acquiring bank. The promise to the retailer is that if you support EMV and there is a weaker link in the chain, you won’t be liable for the chargeback. If uncollected chargebacks are significant for a retailer, moving to EMV quickly might pay off – but only until the issuing and acquiring banks also support EMV, at which point the current status quo returns. The only saving is an immediate but short-term benefit for beating the banks to market on supporting EMV, a war soon to be lost. For most independent retailers, uncollected chargebacks are a pretty rare occurrence and won’t justify making the change.
In spite of claims by many that the mandate shifts the liability for “credit card fraud”, it doesn’t affect a retailer’s liability for serious security breaches, whether of the real-time card authorization process or through public exposure of stored credit card information. When it comes to credit card processing liability, this is where the train derails and costs may soar to unattainable levels – and that risk continues to be the burden of the retailer, along with the cost of forensic audits and penalties that could destroy many independent stores.
Many are surprised to learn that EMV is not a PCI requirement, nor does it eliminate the need for a retailer to be PCI compliant or to maintain a secure environment. Moving to EMV isn’t necessarily an immediate security requirement, and in some cases it could be a security step backwards. EMV offers two important security protections that should be considered: unique authorization codes, and the potential for a PIN as a second factor for card-present transactions.
The first benefit is that every credit card authorization uses an authentication code unique to that transaction, meaning that if the card authorization process is compromised to intercept card numbers, there is no benefit to the thieves: the authentication code they intercepted has already been used and cannot be used again. That is a good thing, because EMV traditionally has been communicated in the open without any encryption; since the data passed can’t be reused, the concern is reduced. But the US market hasn’t stood still and arguably has a better security solution in point-to-point encryption: credit card information is still passed during transaction processing, but it is encrypted, so that even if the data is intercepted it is unintelligible (until the encryption key is compromised). The expectation is that the US model will adopt both security standards, using a unique transaction code and also encrypting the communications between the customer and the processor.
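To make the replay point concrete, here is an added simulation written for this post; it is not the author's code nor any card brand's or processor's implementation. It stands in for the EMV cryptogram mechanism with an HMAC-SHA256 over a per-card key and a transaction counter (the real EMV algorithm, key derivation and message formats are different and are not implemented here), and every key, card number and merchant id in it is a constructed sample value. It contrasts an issuer that verifies a per-transaction code against a magnetic-stripe model where the static track data is the only credential.

```python
import hmac
import hashlib

# Simplified model, not the EMV specification's cryptogram (ARQC) algorithm.
# The key below is shared between the simulated chip and the simulated issuer
# (a constructed value, not a real secret).
CARD_KEY = b"constructed-card-key-not-a-real-secret"


class ChipCard:
    """Simulated chip: keeps a counter that only goes up and signs each authorization."""

    def __init__(self, pan, key):
        self.pan = pan
        self.key = key
        self.atc = 0  # application transaction counter, incremented per authorization

    def build_authorization(self, amount_cents, merchant_id):
        self.atc += 1
        msg = "|".join([self.pan, str(amount_cents), merchant_id, str(self.atc)]).encode()
        cryptogram = hmac.new(self.key, msg, hashlib.sha256).hexdigest()
        return {
            "pan": self.pan,
            "amount": amount_cents,
            "merchant": merchant_id,
            "atc": self.atc,
            "cryptogram": cryptogram,
        }


class Issuer:
    """Simulated issuer host: checks the cryptogram, then insists the counter is new."""

    def __init__(self, keys):
        self.keys = keys          # pan -> shared key
        self.last_atc = {}        # pan -> highest counter seen so far

    def authorize(self, req):
        key = self.keys.get(req["pan"])
        if key is None:
            return False, "unknown card"
        msg = "|".join([req["pan"], str(req["amount"]), req["merchant"], str(req["atc"])]).encode()
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        # Constant-time comparison: any change to amount, merchant or counter breaks the code.
        if not hmac.compare_digest(expected, req["cryptogram"]):
            return False, "bad cryptogram"
        # A captured request resubmitted verbatim carries an already-used counter.
        if req["atc"] <= self.last_atc.get(req["pan"], 0):
            return False, "replayed or out-of-order counter"
        self.last_atc[req["pan"]] = req["atc"]
        return True, "approved"


def magstripe_authorize(known_pans, req):
    """Contrast: with a static credential, a captured copy is indistinguishable from the original."""
    if req["pan"] in known_pans:
        return True, "approved"
    return False, "unknown card"


def demo():
    pan = "4111111111111111"  # constructed test card number
    card = ChipCard(pan, CARD_KEY)
    issuer = Issuer({pan: CARD_KEY})
    results = {}

    first = card.build_authorization(2500, "STORE-01")
    results["chip_first"] = issuer.authorize(first)[1]
    # Someone who captured `first` in transit and submits it again.
    results["chip_replay"] = issuer.authorize(dict(first))[1]
    # Someone who alters the captured amount; the code no longer matches.
    results["chip_tampered"] = issuer.authorize(dict(first, amount=250000))[1]
    # The genuine card's next transaction carries a fresh counter and is accepted.
    second = card.build_authorization(1200, "STORE-01")
    results["chip_second"] = issuer.authorize(second)[1]

    # Magnetic-stripe model: the same static data is accepted as many times as it is presented.
    results["stripe_first"] = magstripe_authorize({pan}, {"pan": pan})[1]
    results["stripe_replay"] = magstripe_authorize({pan}, {"pan": pan})[1]
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The order of the two checks in `Issuer.authorize` is deliberate: the cryptogram is verified first, so a tampered message is rejected for the right reason, and only a genuinely signed request is compared against the counter. Point-to-point encryption, which the paragraph also mentions, is a separate layer and is not modelled here.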
Perhaps the strongest benefit of EMV will come if PINs are used in place of signatures, which are seldom verified now – nothing about EMV will change that. The bad news is that only Mastercard will be supporting Chip and PIN right away, and most authorization software developers (including our partners) will be focused on Chip and Signature, at least for now. This is primarily due to table-dining retailers, who need to figure out how to bring card processing to the table. The strongest security benefit of EMV won’t generally be available for some time.
But neither of these protections really addresses the security concerns when a card-not-present transaction is processed. Especially for eCommerce retailers, this is a bigger security issue, and one for which EMV offers no improvement.
In the end, there are more important security concerns than adopting EMV for the sake of meeting this mandate. Most retailers would benefit more from spending a few hours updating their security policies and changing passwords, including any default passwords.
Perhaps the biggest consideration is the longer authorization process and the cultural acceptance of EMV processing. Many are unaware that to process smart cards, the card must be left in the reader until the transaction is complete (and the unique encryption is reset for the next transaction). Only recently have ATMs started returning our debit cards before proceeding with the transaction, to eliminate cards being left behind in the readers. In addition to involving the customer in the authorization process, the additional security has a cost in terms of processing speed – EMV will take longer. It will also be an educational process for the consumer, and managing it will fall on the retailers. Simply put, many retailers aren’t prepared for the increased complexity of EMV.
The silver lining of the move toward EMV is that part of the EMV standard requires support for Near Field Communication (NFC), which means that the standard, as well as the devices, will support mobile wallets such as Google Wallet® and Apple Pay®. With the constantly increasing prevalence of smartphones, adoption of these technologies is more likely to be a success in the US.
This “mandated” liability shift was first implemented in Europe in 2005 and more recently in Canada in 2012, where the acceptance rate is now just above 50%. Many of the early adopters quickly came to regret the decision, and many switched back once they experienced the slower processing times. While EMV devices will still be able to process magnetic stripes for cards that don’t have a smart chip, if the card has a chip it can’t be swiped. Before jumping aboard, it is important for the retailer to get a good understanding of how EMV works and what the true benefits are. It is certainly on the horizon, but a wait-and-see approach might be the best answer for most independent stores.
This is a good time to confess that, as a software provider, we are ready to support EMV in time for the mandate and expect to be early among our peers. Pure self-interest on our part would suggest that we would benefit most by supporting a push to replace a large number of devices.
Jordan says
Great overview of the situation here. It’s important to understand these things about the “mandate” as the date approaches. Thanks for sharing!
Tim Smyth says
Another good article on this issue:
http://www.retailsolutionsonline.com/doc/priority-protecting-your-pos-0001?sectionCode=Welcome&templateCode=Single&user=2102504&source=nl:43357&utm_source=et_6214150&utm_medium=email&utm_campaign=ISRET_2015-07-07-Tu&utm_term=51F79837-695A-4A74-986B-7D0C55A7085D&utm_content=Tips%2bTo%2bLocking%2bDown%2bYour%2bPOS
Tim Smyth says
It’s nice to have reinforcement out there.
http://www.retailsolutionsonline.com/doc/emv-isn-t-for-everyone-0001?sectionCode=Freeform1&templateCode=Single&user=2102504&source=nl:43263&utm_source=et_6214150&utm_medium=email&utm_campaign=ISRET_2015-06-22-M&utm_term=51F79837-695A-4A74-986B-7D0C55A7085D&utm_content=EMV%2bIsn%2527t%2bFor%2bEveryone
Peter Rose says
Good Gawd, y’all. Sigh. More to fear, I fear. I, for one, am glad that the likes of YOU are around to advise the likes of ME.