Why is EMV the standard that will survive?
Why is it relevant in an environment we’re going full tilt toward mobile and away from plastic cards interacting with terminals?
How do merchants/issuers make decisions about supporting it?
What is needed in an environment where ID and authentication of users are problematic?
And that was just the first few minutes of a 60-minute live discussion on EMV – where it’s going, where we’ve been and why it’s the standard for the future. The live conversation was between Oberthur VP, Philip Andreae, and MPD CEO Karen Webster on March 4. The goal of the discussion was not to plow old grounds, but to take a look at EMV’s past, present and future in securing payments and commerce.
A BRIEF HISTORY OF EMV
First of all, asked Webster, what are those who continue to resist the shift to EMV missing?
Andreae jumped back in time to the early 1980s, when the French first embraced the chip technology to secure offline transacting – that same technology that is used and embedded in mobile phones three decades later. By 1992, the French had deployed 100 percent of the terminals and cards using the B0 Prime standard. The benefit of the chip at that time was to reduce the amount paid by the merchant to authorize transactions made in their shops. When they began roughly 20 percent of transactions where authorized online and after they completed the migration to chip less than 5-10 percent of transactions where authorized online, said Andreae, since the chip was able to authenticate the user with more certainty and therefore, reduce the potential for fraud.
In 1994, Andreae described a series of meetings in which the EMV specifications were written after European banks and other Global players decided to replace the magstripe with a technology that was future proof, and that could last over 30 years. In 1998, the U.K. ran a pilot with technology using the EMV standard – one that was a significant leap forward from what the French had created.
"What we determined we needed was a solution that was globally interoperable – that could allow each country to migrate on their own timescale, and that would work for every card in every terminal around the world,” said Andreae.
While Europe was on board, the U.S. market was a struggle for one big reason – it had the infrastructure and supporting technology to authorize transactions in an online environment.
But an EMV standard was born – one that Andreae said is anything but obsolete. Its creators recognized that it had to be durable and stand the test of time, and in his opinion it has – having undergone a number of necessary upgrades along the way.
"EMV sits on an integrated circuit, a secure element. That same technology is used in personal computers, and to power mobile phones and tablets. That technology evolves and improves – and we can add greater and greater features,” he said.
UNDERSTANDING THE EMV DISCONNECT
OK, but now, let’s talk about the disconnect, said Webster. Everyone acknowledges that EMV would not have prevented the infamous Target breach, yet all would agree that it was the watershed moment in the U.S. and the momentum to embrace EMV technology. So, if EMV wouldn’t have prevented that breach, or many of the others we’ve read about that have followed, why are we rushing to deploy a standard that doesn’t solve that offline problem – and the online problems that we will face as we ride the bullet train to the mobile and digital future?
[pullquote]“What EMV does is focus on stopping crime in the card-present space, when we are physically in the shop with the merchant – touching our card or phone to the terminal.”[/pullquote]
What happened during the Target breach? The source of the breach was a magnetic stripe card, said Andreae, presented at a magstripe terminal that could be copied and made into a magstripe card. With EMV, however, the situation would have been different.
"If fraudsters had read a chip and tried to replicate a chip transaction, they could not. That’s the power of EMV – they can copy the data, but they cannot create the cryptogram. They cannot find the secret inside the chip."
Elsewhere, the online world is growing exponentially, as are the number of consumers who shop online. The shift to card-not-present fraud in a post-EMV world needs to be addressed. But that requires a portfolio of things to be added to EMV, including tokenization and P2PE.
"The problem we have today is that we – the merchants, issuing banks, acquirers, media, regulators – were never willing to spend the time to educate the merchant and most importantly the consumer of the need to secure this new virgin territory called the Internet,” he said.
Previous attempts included SET – Secure Electronic Transactions – which when introduced required consumers to do something, which introduced friction and therefore failed. The same went for 3D Secure – merchants decided they’d rather eat the fraud than accept the consumer abandonment rate that came along with the solution.
Back to the Target breach, “On the Internet, you don’t have any of the physical security features of the plastic card, and the three-digit CVV value that’s printed on the back is often not prompted for. That CVV could not have been captured in the Target incident,” explained Andreae, who added that if all merchants prompted for CVV then the data collected would only have margin value and not been able to be used to commit fraud on the Internet.
That prompted Webster to ask: Now that it’s March and October 2015 isn’t that far away, as merchants look to prioritize their time and investments, they know mobile is coming and something they want to embrace. Shouldn’t they be investing first in tokenized infrastructure?
And although the physical and online worlds are converging, the card will persist, at the same time that the mobile phone will emerge, responded Andreae. EMV as a standard supports Apple Pay, Samsung Pay, Android Pay, and more.
So the “tokenized infrastructure,” in this case meaning infrastructure that renders data useless at the point of sale, is supported by EMV. The token that holds the randomized middle set of numbers on a given card is carried on the EMV chip – EMV, therefore, is a necessary first step.
"Tokenization itself isn’t solving the card not present problem – it’s just a piece of the puzzle. It does an excellent job at solving what’s called a ‘data at rest’ problem,” said Andreae. “If you think about First Data, Braintree, Heartland and many of the acquirers and merchants, they are already using tokenization solutions to render the data in their databases (at rest) useless."
But that data can still be captured at the point of entry.
Online, he explained, when a consumer goes to type in their card number, if the hacker gets in between that step and the sending of that number to the issuer to be authorized, the number can be stolen and used on different websites. Worse still imagine if the hacker captured the account number before the merchant requests the token from the token service provider.
“So let’s say I am using one of my EMV enabled cards and I swipe the magstripe. Am I still vulnerable?” asked Webster.
The quick answer – yes. That’s a serious problem, said Andreae, as 45 percent of total global fraud is conducted in the U.S. and only 25 percent of commerce occurs in the U.S.
But once the terminals are enabled and the cards are deployed, “EMV renders physical face-to-face transactions secure,” he said.
EMV’S FUTURE IN A CARD-NOT-PRESENT WORLD
The outcome of EMV, once deployed, is that fraud migrates somewhere else – that is, to the online world. But that’s where the future is going.
"Even though we may be standing in a physical store with our phones, transacting in the physical space isn’t always going to be about a phone interacting physically with a terminal,” said Webster. And in certain merchant classes, like restaurants, merchants are looking invest in mobile, and are not entirely sure that enough consumers will be carrying EMV cards for them to invest in supporting EMV anyway. The question, then, becomes one of practicality – especially for the smaller merchants.
In early 2000s, as the industry contemplated a future in which digital was rising, and the prospect of mobile emerging, why didn’t we invest our energies into creating a technology that would have leapt over the need to change everything, just accommodate plastic cards with chips in them? Why the need to look backward to move forward?
"We went there,” said Andreae. But we ran into barriers – first, the consumer didn’t want to have to do anything harder than usual. In this case, she’d have to tap her card on the terminal. Second, there was not and still is not a way to integrate the technology into all of the different Internet browsers.
"People are still working to create a more secure Internet, which Obama addressed this February at the Cyber Security Summit at Stanford on Feb. 13 where a significant assembly of CEOs address the question – how to deal with cybersecurity,” he said.
But a statistic published as recently as a few weeks ago said 46 percent of U.S. merchants hadn’t begun preparing for the shift, said Webster. They hadn’t done so because they don’t believe their cost of fraud is worth the investment, and they’re not convinced that enough of their customers will present EMV cards. It’s a “chicken and egg” problem.
"It always has been,” agreed Andreae. “But we believe we will have, by the end of this year, anywhere between 400 and 500 million EMV cards in circulation. That’s roughly 50 percent of total cards in market."
That doesn’t mean that the October 2015 liability shift date will prove to be earth moving. The migration will take time, Andreae said. In England, their deadline was 2005 – they had not reached full terminalization by then, and still have not. However, what’s key, said Andreae, is that locations most prone to fraud were addressed. A jeweler (yes) over a laundry mat (no), for example. But if the merchant would rather eat the fraud and accept it because the cost is acceptable, asked Andreae, why not accept it?
Webster then shifted the conversation to cost of implementing EMV for merchants and issuers – whose costs are going up and whose are going down?
While some say the overall cost to merchants would be $6.8 billion, some say $10 billion, and even some say $15 billion, what many don’t factor in is the process of “natural replacement,” said Andreae.
"As a merchant, when my device, which has a life between 5-7 years, gets old, I will replace it with state-of-the-art systems. Those POS systems will be EMV capable,” he said. “Those estimates of cost assume that merchants will magically replace everything today. They do not assume natural replacement, or the economic life of a POS system."
EMV: A SURVIVING STANDARD?
As the world becomes more digital, will it just evolve on top of EMV as it exists today, asked Webster, or will there be another acronym introduced that will replace it in the future?
The strength of EMV is in its owners, said Andreae. People will call it “a closed, proprietary standard,” but it has the support of Visa, MasterCard, UnionPay, Discover, American Express and more. It has even received new members just last year.
"If someone else has the size and scale and the inclination, I suspect a very interesting dialogue will take place,” said Andreae. “But EMV is based on an international standard. We’ve got all this foundation that’s already been globally agreed upon."
In closing the conversation, Webster brought up recent news of Apple Pay’s fraud problem. As cybercrime is an enormous business, criminals will remain completely fearless and continue to try to figure out where the vulnerabilities are in the system – and looking to steal not just card credentials but the identities of individuals who can create “new” accounts that are in fact fraudulent. Can, Webster asked, we solve for that leveraging the standards that exist?
That, said Andreae, is something we’re still figuring out. Identity and verification are top problems. What needs to be built, he said, are mechanisms that identify that consumers’ cards are their cards, and that they are themselves.
"What EMV has done is establish a global, stable standard,” said Andreae. “ And, we at Oberthur are going to make sure that the security standards that are behind all of that continue to evolve.” After all, he said, cards will be here for a long time, and mobile phones, for even longer.
“We need to find and implement a solution together that is globally compatible.”
For the full digital discussion, please view the video below.