Bypassing EMV Certification, Legally

Ditching the heavy lifting of EMV certification may sound like a dream come true to the many ISVs and VARs tasked with bringing merchants up to speed on EMV compliance. But as Jeremy Gumbley, CTO of Creditcall, told MPD CEO Karen Webster, pre-certified solutions may be the best way to sidestep EMV compliance and overcome certification bottlenecks before the liability shift deadline hits.

Ditching the heavy lifting of EMV certification may sound like a dream come true to the many independent software vendors and value-added resellers tasked with bringing merchants up to speed on EMV compliance. But as Jeremy Gumbley, CTO of Creditcall, told MPD CEO Karen Webster, pre-certified solutions may be the best way to sidestep EMV compliance and overcome certification bottlenecks before the liability shift deadline hits.

By now, the challenges facing ISVs and VARs as they embark on EMV compliance are clear, and it is no surprise that the bigger the merchant, the greater the complexities.

Not only are there difficulties in navigating the devices needed to enable chip-based transactions, which come with their own set of integration requirements and quirks, but one of the biggest hurdles on the long road to EMV migration remains certification.

EMV certification in itself is ripe with complexities, but Creditcall believes it has created a solution for overcoming it: pre-certification.

“Pre-certification realistically is the only way of solving this kind of issue because the U.S. is the largest card payments market in the world. With the largest number of merchants and the largest collection of processors and other interested parties, there are a lot of moving parts,” Gumbley said.

As Gumbley explained, the “good old days” of magnetic stripe certification, which involved running a certain number of test cases before being able to move forward with processing as normal, are gone.

“Given the complexity of EMV, there is a more of a rigorous certification process. Now, that’s not to say that wasn’t rigorous under magnetic stripe, but with EMV, when you consider that each one of those cards is its own little computer, you bump into a whole manner of interoperability issues across the world,” he said.

What it really comes down to is ensuring that not only the security is there, but also that at the end of the day a chip-enabled card issued in Europe can still be accepted by a terminal or device in the U.S.

“With such a wide variety of different terminals, card types and card brands as well, interoperability is something that is important and it is born out in the certification,” Gumbley added.

This essentially makes EMV certification a much more difficult undertaking than ever before, leading to the certification bottlenecks facing the payments industry as the EMV liability shift deadline looms.

With a complex certification process and not enough resources to go around, ISVs and VARs are having a tough time helping merchants achieve what Gumbley refers to as the “holy trinity of payments security,” which is the critical combination of EMV, point-to-point payment data encryption and tokenization.

But Creditcall is looking to address this problem by offering ISVs and VARs a ready-to-go solution that can be used to achieve EMV compliance.

It may sound a little too easy, but that’s because it was designed that way and the thought process behind it has already been in the works for years.

After recognizing other certification bottlenecks with EMV migrations taking place in other parts of the world, Creditcall speculated years ago that a precertified “off-the-shelf” solution would come in handy for the U.S. market.

According to Gumbley, the solution was created to “enable an ISV or a VAR to integrate with their chosen device all of the EMV functionality into their application, which allows them to control an entry device, drive the user interface of that device and legally sidestep the issue of certification because it’s already been pre-certified through our own payment gateway.”

The solution ticks the EMV compliance, built-in tokenization and point-to-point encryption boxes, while also including a terminal management system designed to keep software and configuration updated.

“Of course it’s a viable alternative to build out your entire payment ecosystem with point-to-point encryption, tokenization and the EMV side of things, but actually it would be reinventing the wheel,” Gumbley added.

Even with the Oct. 1 deadline in place, the U.S. still has a very long way to go when it comes to widespread EMV adoption and acceptance.

As MPD CEO Karen Webster pointed out, there are still many devices that are not EMV-certified or able to accept an EMV card as well as the fact that EMV migrations always seem to take much longer than anyone ever planned.

Gumbley agreed but pointed out that while the payments industry has made strides in the move toward EMV (which he asserts can be seen by just looking at tablet-based POS solutions and the number of consumer with EMV cards in hand), the migration is expected to remain a hot button issue throughout the payments ecosystem well into the future.

“I would speculate we are still going to be talking about the last bastions of EMV or pockets of absence of EMV in two to three years’ time… 2016 is going to be a very telling year for the industry and we are going to see some significant adoption in the future,” Gumbley explained.

Given where we are now, somehow two to three years still seems awfully ambitious. But innovators like Creditcall are focused on devising solutions that help ease the friction associated with traveling over the speed bumps on the road to the EMV migration here in the U.S.

To download the whitepaper, click here.