What if enabling and certifying EMV were as easy as installing a printer driver? As ISVs come to the final leg of the race toward the looming EMV deadline, that might sound like a welcome solution to the challenges associated with becoming EMV compliant. Peter Osberg, SVP of Integrated Strategy and Product at EVO Payments International, sat down with MPD CEO Karen Webster to talk through the problems ISVs are facing now that that October date looms large and to share a solution that may sound almost too good to be true.
KW: An important channel for EVO are the Independent Software Vendors (ISVs). What are ISVs saying and doing with respect to the impending EMV migration? Are they focused on it? Is it a priority?
PO: The impending date is an evolution of secure payments in the U.S. that everybody is very much focused on, very specifically, ISVs. When I say ISVs, those would be any software developers or independent vendors, even some merchants that have their own custom point-of-sale software. And, there are three things we are hearing from them:
The first is that EMV enablement within their point-of-sale applications is critical. In fact, I would say over the last 12 months most of the product roadmaps we hear from an ISV or EMV perspective express EMV as the No. 1 initiative they are focused on.
The second thing is that as ISVs are learning more about what EMV really requires and the value it provides to their merchants, they are finding that most acquirers and processors are not fully prepared to support it from both a platform perspective as well as from a certification perspective.
The third thing, which is a consistent story but EMV brings it to a new level, is that ISVs want to make sure that as they are adding this new payment capability they are continuing to increase the security of their product.
KW: In talks with both big and small merchants, the complexity surrounding EMV integration and certification is mind-boggling. For small merchants it’s mind-boggling because they are small and any change is difficult to implement, while larger merchants face a time-consuming and expensive integration process. How are you solving for that in the ISV channel?
PO: One of the really interesting things about the migration to EMV is while it is very new in the U.S., it is a very established technology in Europe. We have a very significant European presence from a point-of-sale (PoS) perspective, which has provided us with a great deal of knowledge with regards to EMV.
One of the things that we try to explain to the ISV market is that one of its key benefits is establishing a standardization of global payments processing. Right now, most ISVs we have in the U.S. all have customers overseas but they don’t have a way to support the integrated strategy overseas. So, they are essentially doing what we did in the U.S. a very long time ago, which is providing a POS software and a standalone terminal standing next to it.
We are finding that ISVs are starting to realize the benefit of EMV aside from providing value all merchants have to have now because of the liability shift. But it’s going to really standardize their integration and payment capabilities on a global basis, which they are finding to be a very important value to their software.
KW: Do all merchant categories perceive the priority to be equal? For example, the restaurant space is an environment where implementing EMV, even if it comes embedded in a POS system, is a lot more about process change, not necessarily about payment acceptance. How are you helping ISVs internalize and rationalize that change in the face of some of the other things they may be hearing from merchants?
PO: I think it’s one of the biggest challenges that we have in the U.S., addressing the process changes. To your point, our job is to educate and to support ISVs with getting the service enabled in their workflows. The restaurant industry is a great example; EMV does entirely change their whole workflow.
I don’t know if you’ve used your EMV card at any merchant, but I use it every opportunity I can to see what ends up happening and I’m finding that at the majority of places, even the big box merchants, clerks still don’t know what to do. This is causing delays in the checkout process, which obviously no one wants to happen. I think it really comes down to the entire ecosystem, from the issuing side, processing side, acquirers side and ISV side, supporting merchants not just with the technology, but, as you called out, really the behavior change happening which is where it’s going to make or break it.
KW: Earlier you said acquirers, most of them, are not prepared to support the EMV process and certification. At this point, I’m surprised to hear that, are you?
PO: To be clear, what I’m hearing is from ISVs telling us the acquirers and processors are not ready. That’s not only from a payment perspective but also from the compliance perspective. Let me break that down.
There is a process of just the normal movement of a payload between software and the processing platform. Most processors have the ability to do that. The breakdown is happening when processors have to achieve that Level 3 certification, which includes having the hardware certified, the software certified, along with the platform processing certified; this is where a lot of the complexities happen.
KW: In some cases, it may end up being what ISVs don’t know, they don’t know that trips them up. For those listening or reading, what would you tell them they don’t know, they don’t know?
PO: There are three things:
The first is to make sure, when defining the roadmaps, that this is something their customer base has an understanding of and requires. That’s an obvious one because no ISV wants to create costs and product resources against things that their merchants don’t need.
No. 2 is around the security around the transaction, which is really critical to understand. Many people believe that just because of going from a mag stripe swipe to a chip dip means card information is not open and in the clear.
The third thing is to make sure there is an understanding around the timing and cost that goes into achieving that Level 3 certification with regard to the hardware kernel, the payment application and the processing platform. This is where EVO has really put a lot of product resources in place to simplify that.
KW: Can you explain a little bit more about how you do that? It may be the biggest concern or misconception ISVs have, that the certification is expensive and time-consuming, perhaps more of both than they have to invest. How do you help simplify that process for them?
PO: We designed our product strategy in a three-prong approach.
The first prong is a direct EMVCo certification. ISVs can bring their own software, their own hardware and deliver any services, as well as provide value-added services with that type of integration. For example, we have an ISV that sells cellphones and part of their workflow is using the card on file to have the insurance company bill the insurance premium if they buy coverage. In that scenario they need their own hardware and their own custom workflow. The downside is they have to go through the cost and time of that EMVCo certification. On average, we see the hard costs to the network range between $80,000 and $120,000, depending on how many kernels are certified and how many certification efforts are taking place. Those average numbers are also based on the assumption that the supporting processor is going to prioritize the certification.
The second part of our strategy lies with strategic third-party partners, who we will certify and then they will go out and also support the ISV community with their hardware and software compliance. It’s a one-to-many certification for us. We did an announcement at a recent trade show with our first partner in this approach, called Handpoint, which is a group out of Europe and we are really excited about them. They will be supporting us with the strategic third-party integration both in Europe and in the U.S.
The third piece, which is where we spent the better part of a year developing, is with our brand new Commerce Driver SDK product. You can think about it as essentially an installable printer driver, so when you get a new printer you just plug it in and the drivers are embedded into the operating system to find that printer and use that printer.
We have built the Commerce Driver to support iOS, Android and Windows platforms with our own hardware that comes pre-certified, so they can literally download the SDK, install the drivers, pick whatever hardware they want to support and they’re out of the EMVCo compliance process. Since we are leveraging the EVO Snap tokenization and point-to-point encryption service, they are greatly reduced from a PCI perspective.
KW: You give merchants the layered security solution that’s been talked about for some time now, which is essential to keeping cardholder data secure. It’s not just about EMV, it’s about encryption and tokenization as well and it all comes as easy to install as a printer driver; that’s interesting.
PO: Yes, that’s been the goal. We believe that if you provide simple integration tools that increase PCI scope or increase security risk for a merchant, that’s of no value. We have really invested a lot in the platform to make sure that once the integration became simple that all those other pieces were in place to make sure that the merchants are getting a very turnkey solution.
KW: It sounds like with Commerce Driver, the date that everyone is fixated on in October may not be so much of a concern for merchants and ISVs that haven’t necessarily taken the steps they have needed to become compliant.
PO: From our perspective, we are definitely ready to support our ISV partners and their merchants for that date for iOSs, Windows and Android. We just launched our Early-Mover Program at the beginning of July, and part of that program is working with some of the industry leader ISVs to work through the first integration and deployment of the Commerce Driver product and it’s been going very well so far.
KW: So Peter, how much sleep will you and your team be getting between now and October on an average nightly basis, maybe one to two hours? It sounds like you are going to be very busy.
PO: Yes, we are very busy right now with the opportunity that we have. Like I said at the beginning, which I don’t think can be understated, EMV essentially standardizes global payment processing. Our Commerce Drivers also support all our acquiring ability in Europe, which includes 49 other countries. To your point, we are pretty much working around the clock because we have customers on a worldwide basis.
KW: One final point, when you say EMV standardizes global payments processing, are you suggesting that doing business now around the world, leveraging your platform and technology, is made that much easier?
PO: That is a hidden secret of what we are doing in the U.S. The Commerce Driver SDK works for the U.S. as well as for all the areas we do acquiring in Europe. By using the same SDK and the same hardware, we have the ability to do centralized key management that includes support for a diverse channel from an IT distribution perspective. It’s a one-solution-fits-all for our markets.