The Hairball That Is EMV Certification

By now the rollout of EMV in the United States is old news, with an October 2015 deadline that seems positively ancient in the rearview mirror, and the transition itself had been telegraphed as far back as 2011, with a template stretching back across a decade especially in Europe.

Yet the transition here, stateside, has been anything but smooth. One stumbling block has been the confusion among key players, from merchants to payments processors, over the technological and compliance needs that are mandated for EMV certification.  In an interview with PYMNTS’ Karen Webster, Lars D. Pedersen, Ph. D, chief executive officer of Creditcall, noted that confusion over certification remains only part of, but a significant part of, a relatively slow embrace of EMV.

Pedersen maintained that there are five steps that must be completed in the movement toward full activation of a compliant system.  The first level, he stated, involves ascertaining that the device at the point of sale – mobile or otherwise – is able to communicate with the chip embedded on the card being used by a consumer.  “The second level,” he stated, involves the device’s “ability to communicate with the world outside of the device itself,” which in turn leads to the third level, which is the direct interaction with the payments processor so that different card types can be recognized and accepted, across both “contact” and “contactless” designations.  Key injection, the fourth step, is the actual loading of encryption data onto the terminal.  The final step, boarding, entails bringing the merchant onto the system.

Pedersen told PYMNTS the main impediment to full scale certification in the US is tied to level three certification with the processors. Many merchants, he said, have bought and begun using terminals that are in fact compliant at the first and second levels but not at the third level, meaning that magnetic stripe transactions became, and still remain, “fall back transactions,” which in turn exposes merchants using those terminals to fraud liabilities.

Against that backdrop, the sheer size of the US market presents some thorny problems for a wholesale transition to EMV, said Pedersen.  “Obviously the US market is much larger than any of the individual European markets that underwent the shift already. With the US, we are of course talking about forklifting an estate of 20 million devices, which was never going to be smooth,” he told PYMNTS. And given the fact that merchants can in fact choose not to work within the confines of the EMV shift – as opposed to, say Europe, where mandates governed transitions on a country by country basis.  And there were stopgaps abroad, he added: “In the UK, there was a period where you could use signature bypass for a few months as a training period in use of PIN. After this period the shift to chip and PIN happened overnight.”

Complicating matters in the US, according to Pedersen, is the fact that “some of the US processors have grown through a lot of acquisitions which has led to much more complicated processing platforms than what is typically the case in Europe.”

But, for Creditcall, said Pedersen, “The certifications that we do today are much faster than the early ones done before the liability shift. The industry has clearly moved up the learning curve.” Yet there is certainly room for improvement, he continued, as processors are showing “very different timelines ranging from 8 weeks to several months. This is for a level 3 certification with a device that has already gone through level1 and 2 certifications. For new devices this can be much longer… this difference comes mainly from response time differences stemming from different skill levels, how good the relationship is between [Creditcall] and the processors and their priorities.”