|VeriFone: The Key to EMV|
|For Credit Card Security, Chips Beat Strips, VeriFone Says|
After essentially standing alone in resisting migration to the EMV security framework for card transactions, the U.S. now seems poised for a rapid rollout that will bring it in line with the rest of the world on a key aspect of how payment cards are authorized at the point of sale. There will continue to be differences between countries on how electronic payments are handled, but for the most part this should be transparent to cardholders.
EMV was initiated to provide a worldwide standard for interaction between integrated microprocessor (chip-based) “smart cards” and approved payment devices and ATMs. This standard encompasses credit, debit and contactless payment transactions. Until recently, the odds against the U.S. adopting EMV were viewed as overwhelming.
In August 2011, Visa announced a phased EMV migration plan for the U.S. The plan includes a Technology Innovation Program (TIP), fraud liability shift, and incentives for adoption. This past January, MasterCard announced its own EMV adoption program. Both programs incorporate similar incentives and timelines designed to encourage migration by processors, acquirers and retailers by mid-2015 (2017 for Automated Fuel Dispensers).
The U.S. resisted moving to EMV because the payments ecosystem comprised by card brands, issuers, processors, acquirers and retailers have predominantly been content with the magnetic stripe-based, online authorization infrastructure that set the U.S. apart – and for many years, ahead of international card authorization schemes.
What changed? Moreover, how will this affect the U.S. payments infrastructure?
A number of factors have converged to reduce resistance and increase support for EMV. In 2003, Visa Canada committed to EMV migration, followed in 2005 by MasterCard and the Canadian card processing association Interac.
More recently, large retailers such as Walmart and Target began advocating migration to EMV based on “Chip and PIN” cards and devices, which require EMV smartcards to be inserted into compliant payment acceptance devices on which the cardholder then enters a PIN to complete the transaction.
As more countries have adopted EMV, much of the card fraud in those countries has migrated to places that are still reliant on the less secure magnetic-stripe card technology. As reported in a recent Federal Reserve paper, markets that have migrated or are in the process of migrating to EMV chip-and-PIN have seen a significant decrease in fraud, while “overall fraud levels in the United States are trending upward.”
Finally, and perhaps the key catalyst, U.S. businesses across industries latched on to the potential for a dramatic transformation at the point of sale that is anticipated as mobile phones equipped with NFC (Near Field Communications) put electronic wallets and other applications into the hands of consumers.
New Era of NFC
NFC enables a form of contactless payment in which the mobile phone communicates with the payment acceptance device at the point of sale for the purpose of making payments, using electronic coupons, and activating promotions from retailers, merchandisers and others.
Unlike previous efforts to foster new payment technology at the point of sale, NFC promises benefits from all parties involved in a transaction–issuer and acquirer banks, retailers and consumers. Those benefits, many believe, will encourage retailers to make the investments in new point-of-sale equipment that they might otherwise resist.
With the expectation that retailers will more willingly make investments to accommodate NFC at the point of sale, it makes sense to leverage this movement by moving to EMV at the same time. Visa declared that in order to take advantage of its incentives for EMV migration, 75 percent of a retailer’s Visa transactions must originate from dual-interface EMV chip-enabled terminals that accommodate both smartcard and NFC contactless payments.
If retailers don’t move to these new dual-interface capable terminals, they eventually will become liable for fraudulent card transactions that would have been prevented if they were processed over EMV payment devices. Currently, card issuers largely absorb liability for fraudulent card transactions and build those costs into their business models.
Putting Policy into Practice
EMV was initiated to provide a worldwide standard for interaction between integrated microprocessor (chip-based) “smart cards” and approved payment devices and ATMs. This standard encompasses credit, debit and contactless payment transactions. According to EMVCo, the organization responsible for maintaining and enhancing the specification, adoption of EMV cards now stands at more than 40 percent around the world and EMV acceptance device adoption is at more than 70 percent.
These chip-based cards can support a range of applications, but the primary usage common around the world is to perform payment transactions that store encryption data for authentication. As part of the transaction authorization, the card uses the data to prove it is authentic, thus preventing the use of stolen or cloned cards.
EMV was attractive to retailers and bankers in other countries because it provided an unimpeachable method for “offline” authentication, which relies on the local payment acceptance terminal and the chip card to authenticate the card without having to access online databases that store current cardholder data.
In the U.S., relatively inexpensive telecommunications have resulted in almost complete utilization of “online” payment networks that can authorize a transaction in real time; most foreign markets avoided building that type of infrastructure due to higher costs.
Does that mean the U.S. will step back to offline authentication with the adoption of EMV? Hardly. Over the next year or two we should expect the card brands, processors and acquirers to work out the best methods for leveraging EMV with the online payment networks.
Differing Implementation Scenarios
Many people assume that Chip and PIN is synonymous with EMV, but that is not the case. In fact, Visa executive Stephanie Ericksen recently wrote, “Visa will continue to support a range of cardholder verification methods (CVMs) with EMV chip, including signature, online PIN and no-signature for low-value, low-risk transactions.”
MasterCard has to this point been more receptive to Chip and PIN, indicating that it envisions a “liability hierarchy” with Chip and PIN representing the most secure payment technique and one that provides the greatest protection against fraud liability to retailers and acquirers.
At the heart of this initial disconnect over EMV implementation is the issue of reconciling online PINs that are stored on network servers with offline PINs that are stored on the chips embedded in the cards. Consumers aren’t going to willingly adjust to using separate PINs for different uses, nor are they likely to understand where and how to use online PINs versus offline PINs, so successful implementation in the U.S. will require a simplified means of keeping these PINs in sync.
Without online PIN, according to Visa and MasterCard, EMV cards can still be authenticated in real time using dynamic authorization techniques, in which a network server is able to interact with encrypted information on the chip card to validate that it is authentic.
A key trade group, the Merchant Advisory Group, which includes retailers such as Walmart, Target, McDonald’s and Sears, has been adamant that a U.S. EMV system should utilize Chip and PIN. Over the next year or so we are likely to see disagreements and eventual compromise in how the U.S. online payment networks accommodate the traditional offline techniques of EMV. But, it now seems that migration to EMV in the U.S. is inevitable.
VeriFone encourages earliest adoption of this critical payment technology to assist in building a complete defense against criminal elements. EMV’s authentication technology ensures stronger security of the payment system and better protection of consumer data. EMV Chip and PIN is the most secure form of EMV and will provide maximum protection for retailers and others.
Vice President of Product Marketing – VeriFone
Mr. Vlugt joined VeriFone in 2004, serving as Sr. Product Manager for Customer Facing Devices. In this capacity he helped define and drive the development of the MX line of products. In 2006, Mr. Vlugt was promoted to Director of Product Management for Integrated Solutions to help drive and execute the global product strategy for integrated products. In 2010, Mr. Vlugt accepted his current Vice-President of Product Marketing position. He is currently responsible for North America product marketing, which includes the retail, petroleum, and financial channels.
Prior to joining VeriFone, Mr. Vlugt held various consumer electronics product management and technical marketing positions at TDK Corporation and ShareWave, which was later acquired by Cirrus Logic. Mr. Vlugt is a native of Holland and he obtained his degree in Computer Science and Business in Amsterdam.