Analysts have put a multi-billion dollar price tag on the move to EMV by issuers in the U.S. Yet, what we have learned from other countries is that the cost of EMV can be reduced sharply by bringing some of the activities associated with EMV production, in house. Michelle Lehouck, EMV Director for Bell ID, recently caught up with MPD CEO Karen Webster to explain how “unpacking” the EMV process can lead to a significant reduction in the cost of EMV programs, while delivering more flexibility in how they are run.
KW: Bell ID does a lot of things in the financial services sector. Give us a sense of where Bell ID fits in the EMV ecosystem.
ML: Bell ID is purely a software developer, and our worldwide experience is based on 3 sectors: ID, financial, and the mobile environment. Most commonly, people associate Bell ID’s capabilities with the financial sector – we have worked around the world with financial issuers with EMV migration, starting back when EMV came to Europe.
KW: Let’s dive into the EMV situation in the U.S. where we are on the path to the liability shift next year. There’s been a lot published about the number of cards that will be in the market by October 2015 – about half a billion cards. Is that what you’re hearing?
ML: I am hearing that, and because of my experience in the industry during the past 15 years, I can say that we are certainly on track. There’s been a lot of support from card associations like MasterCard, Visa, AmEx, and Discover to try to align the top 10-15 banks and credit unions with getting on board.
There was also the launch of international traveler’s cards a few years ago, sort of a pilot for EMV, so the top 10 banks have been dabbling in EMV for the past two years to understand the amount of people it takes to support the program, what type of budget is required, and more. But I think the numbers are right on track.
KW: I know I’ve gotten two of my cards recently in the mail, which is ahead of the expiry schedule. Is that happening a lot?
ML: Well, the banks that started the EMV pilots I mentioned a couple years ago were the top 5 banks. Because of their existing relationships with the various partners in the magstripe environment, they really leaned on them to provide them with an EMV card as almost a “Band-Aid” situation. For instance, a few years ago when we had a lot of American travelers going abroad, and their cards were being declined because they didn’t have a chip in them at all, there was the need to provide those customers with EMV card capabilities.
So, now flash-forward two years when there is an EMV date implemented for the liability shift. These banks continue with that same partnership or breaking the mold and reassessing whom they should work with to find the most economical partnership to deploy millions of cards.
KW: Are these credit cards primarily? What about the debit product – what are you hearing from issuers?
ML: The top issuers started with credit mainly because credit card issuance isn’t really impacted – they are able to use the EMV code or application to issue the cards. But for debit, there’s a vast landscape that exists – only in the U.S. do we have 17 debit networks! When EMV was created, both small and large debit networks in the U.S. were not included. It was really about the associations – creating a debit and credit scenario for them.
This caused quite a hiccup in the U.S. because most debit brands don’t have an EMV spec, and to commission someone to write a proprietary EMV spec just for the U.S. would really upset the whole scenario for EMV. It’s really become a bottleneck, and what the associations have done in the past 18 months is try to come together with a solution called the common application identifier (AID). With that, they would use MasterCard, AmEx, Visa, or Discover’s applications on the chip, but brand it with a local debit network. It’s kind of a handshake behind the curtain – but to the outside public, it will still be the primary debit brand. But for some of the smaller debit networks, it’s still a challenge to get over the hurdle.
KW: Bell ID published an interesting white paper that highlighted seven myths associated with EMV. One of them is that EMV doesn’t prevent fraud. When we’re talking about debit products, they have PINs, and fraud on PIN-based debit is low. We also know that from some recent major retail databreaches, EMV would have mitigated the consequences of some breaches but wouldn’t have prevented them all. How do you advise issuers and the community about the role that EMV plays in fraud prevention?
ML: Some large data breaches could have definitely been mitigated by EMV, but EMV could not have solved the largest data breach – that was data. The breach had more to do with the cloud environment, which is part of the EMV landscape, but because of the way the data was managed with a magnetic stripe product, there were areas of risk.
When it comes to EMV, it’s about understanding the product and technology itself. There are things built into the chip itself, as well as in the way the card communicates and authorizes itself at the POS, that act as security measures – from the way the card transacts online, offline, with and without a pin, there are a lot of levels of security built in.
Because of these measures all the way back to the way the card is made, the security levels protect cardholders, keeping them in a “watertight bubble” no matter where they are in the ecosystem. The layers of security have been consistent the past 15-18 years keeps EMV operable today in an online and offline environment. It’s almost like on a soccer field, if the ball gets by the goalie, it’s not necessarily his or her fault – it had to go through all of those people first. With EMV, a fraudster would have to get through all of those levels of security before cracking the chip.
KW: Do you think that the fact that we’re touting EMV as an impenetrable way to protect cardholder will make people out there more eager to crack into it? Is it truly impossible?
ML: I used to work at a company that hired hackers to hack ATMs, cards, chips, and more. It’s very relative – there are different levels of the EMV chip, and side-by-side to a magstripe card, it’s completely “watertight.” But in comparing different types of chips, we are looking at how much more we can add to the transaction environment and the layers of security.
Of course, there’s always a way to try to hack into an EMV chip, but what level of information are you gaining and is it dangerous? If you were able to wedge between a card and a POS during a transaction, capturing the actual conversation between chip and POS, what could you do with it? Could you recreate a card or transaction? No. There are certain ways that you could capture information, but its completely useless information.
KW: Let’s talk about another myth which is that EMV is outdated. We spent a lot of time talking about putting chips in plastic cards, yet we’re moving to a world where it will be apps, connected devices, and the cloud. We know that there are ways to protect data along that path. How do you respond to critics of EMV who say let’s accelerate that process and use other things that keep the environment secure in a way that is consistent with the direction of the industry?
ML: I have to say that the associations have a tough job because they are trying to implement a technology, a standardization that they can use in any country and in any scenario from a developing country, for example, that has no online capabilities to the U.S. or Canada that’s online all the time. The associations’ role is to make sure that when consumers spend their money, no matter what country they’re in, with a card that’s accepted everywhere with the EMV logo, that the card is consistently accepted and is able to transact without any problems.
That alone is a tough task, just putting all of that under the EMV specification umbrella. Taking it to the next step with mobile – how do we standardize mobile? Do we make all of the mobile handset manufacturers go through a certification process? Do we ask all of the Silicon providers that make the chips to have a secured element embedded in the chip? It’s been a rough road, but the best approach that the associations have had right now is taking it in a logical term. If you have a contactless EMV terminal, an EMV card with a dual-interface function with a chip and antenna, then that POS is capable or certified to take a contactless transaction for mobile. That’s what the associations have stated.
KW: You also mentioned investment and cost, and that brings me to the final myth that you talk about which is that EMV is expensive. There have been statistics thrown around that say that the cost will be billions of dollars for issuers and merchants to prepare for this transition over the next several years. Regardless of what the number is, what are your thoughts on how to keep costs in check?
ML: I think we can learn a lot from other countries like Canada and in Europe. We’ve seen that scenario two years ago where the larger banks and credit unions introduced EMV cards for American travelers going abroad. Now, two years later, we have realized that that was really expensive and we are thinking about how we could cut costs and find better partners. That’s what the rest of the world has come full circle on. What they’ve learned from it is that there are pieces that are moveable, but one that’s constant is the card plastic – you must go to a certified EMV card manufacturer to get your plastic. But things like data prep and key management, these are all things that are software deliverables that we’ve actually worked pretty hard to streamline so that the costs to the issuer can be reduced.
This is what we learn from other EMV countries that have migrated. They have looked at their business model with all of the different players – banks, card manufacturers, personalization bureaus, fulfillment centers for mailing out – to figure out what can be done differently. The majority of the spending is done at the personalization bureau, which manages and maintains all EMV profiles. That’s the most expensive part of the issuance, and once the issuer realizes that, they realize that they’re putting a lot of trust in the bureau that they’ve had for magstripe cards, but do they have the same knowledge for EMV? Maybe it would be a better idea if they had a more of a command of the budget and spending by bringing that piece in house – and that’s what the rest of the world has done.
That’s really change that we see going from EMV to magstripe. EMV is expensive on a card level, but on a personalization level, it’s even more expensive. That myth is debunked because issuers realize that they can be more in control of their spending at the end of the month from their partners.
They’re still actually using their existing partners – card manufacturers, fulfillment centers, and more – but they’re reclaiming a piece of the deliverable that’s software with a light implementation. For instance, one example of the type of software that I’m referring to is the Bell ID EMV Token Manager, light software that you’d bring in-house.
To find out four reasons why Bell ID says issuers should take control of EMV issuance, view the video below.
EMV Director at Bell ID
Michelle has over 15 years of payments knowledge, gained previously with companies such as STMicroelectronics and CPI Card Group. With practical experience of migrating European banks to EMV chip payment technology, she has significant expertise of all aspects of EMV market strategy. This includes understanding the impact of implementing EMV on a bank’s infrastructure as well as the critical success factors which need to be met when managing such a project.