Like a massive tidal wave, EMV continues to roll across the world,changing the global payments landscape. Since UK banks first committedto EMV five-years ago, more than 100 countries have taken the plunge inefforts to stem credit card fraud.
But the U.S. has always remained outside the EMV plan. This,however, may be changing as fraud, technology and business is changingthe payments landscape.
Brian Byrne, head of product technology for standards andspecifications at Visa estimates there are some 730 million EMV cardsand 10 million terminals in existence around the world.
ToniMerschen, group head of chip at MasterCard Worldwide, notes that the
Single European Payments Area initiative requires 38 countries tocomplete the migration to EMV by Jan. 1, 2011.
EMV gets its name from the companies which originally created it,Europay, MasterCard and Visa. Seven years ago Europay merged withMasterCard and the new standards body was renamed EMVCo. Its membersnow include Visa, MasterCard, Japan-based JCB and its newest member,American Express.
EMVCo’s primary goal “is to facilitate global interoperability andcompatibility of chip-based payment cards and acceptance devicesthrough deployment of relevant EMV Specifications,” says an EMVCospokesperson.
EMV also goes by “chip and PIN,” because the card contains a chipand a PIN is required before a transaction is processed. But nowadays,that chip and PIN moniker may be misleading. As Byrne, points out, manycountries are foregoing the PIN part of EMV implementation, thepredominant reason being that many consumers don’t want to remember aPIN.
The country most advanced towards EMV implementation is the UK, thebanks their were the first to adopt chip and PIN, says Merschen. Othermarkets that have reached maturity for EMV migration on either cards,point-of-sales devices and ATMs include France and Turkey in Europe andMalaysia in the Asia-Pacific region, he adds.
The migration isn’t easy. Merschen says a number of infrastructurechanges are required to handle EMV. “For issuers, there are new dataelements that need to be supported by the issuer authorization andclearing host systems. Card data preparation, including key management,and card personalization also require hardware and software upgrades,”Merschen says. “On the acquiring side, the impacts are similar.Acquirer host systems must be able to receive new data fields fromterminals, which also need to be upgraded from both a hardware andsoftware perspective.”
Glitches all but resolvedIn the early days of EMV there were issues, Merschen says, such as ashortage of approved products, lack of customer and vendor expertisewith EMV and areas where the specifications left implementation options.
That was then. These issues from the early days of EMV have largelybeen resolved, says Merschen. “Robust migration processes are availableto guide the banks, merchant, and consumers in their migrationinvolvement,” he adds.
Visa’s Byrne describes the early road bumps as minor. “This cardissued in country A was having some acceptance problems in country B.In some cases, some of the older terminals wouldn’t work properly, butthat was usually due to configuration issues, fairly minor stuff.”
EMV in the U.S.?So with the U.S. sandwiched between two EMV countries–Mexico andCanada–most think it’s only a matter of time before the U.S. joins theEMV parade.
Paul Beverly, president of Gemalto North America, believes increased fraud will mandate such changes.
In an article in the spring 2009 issue of Regarding ID magazine,Beverly wrote: “The rest of the world is well on the way to EMVimplementation. Europe and Asia have long been issuing cards and …Latin America, faced with exploding credit card skimming fraud, isfully committed to EMV smart cards. .. Yet stakeholders in the UnitedStates still find fraud losses and identity theft risks acceptable. Itis disappointing that U.S. companies are trailing the rest of the worldin this area.”
Charles Walton, executive vice president for payments for INSIDEContactless, believes that the U.S. will ultimately get on board withthe secure cards. “We’re seeing inherent insecurities in the system,such as the Heartland Payment Systems hack. It’s only a matter of timebefore these types of hacks will become intolerable.”
Walton says hackers will look at the weakest point in the paymentchain and exploit it. “If you start securing one point in the chain, itbegins to expose the other points, the path of least resistance forwater, will find the lowest point.”
MasterCard’s Merschen says that these fraud migration and datacompromise incidents, plus the possibility of government regulationwill lead several U.S. banks to consider EMV.
The handwriting is on the wall, so to speak. “It’s inevitable thatthe U.S. migrate to EMV, primarily because fraud is escalating,” addsRandy Vanderhoof, executive director of the Smart Card Alliance. “Majorfinancial institutions in the U.S. are also international so it willnot be a big step for them to issue these cards in the U.S.”
Contactless and EMVAt first blush it would seem that contactless and EMV would beworking toward opposite purposes, but Walton says EMV can run on top ofcontactless. “I would think of EMV as a security protocol that workswith contactless as well as contact chips.”
Visa is using EMV specs in its contactless payWave technology, Byrnesays. “The way we’re deploying contactless in the U.S. is using EMVspecs,” says Byrne. “It’s based on EMV technology making use of strongsecurity elements baked into EMV. These new cards will not only beaccepted in readers in the U.S. but also in the UK.”
The next generation of contactless cards will be a step toward EMV,says Vanderhoof. For example, MasterCard terminals certified forcontactless also carry elemental portions of EMV. “We’re seeing thesegradual upgrades of the infrastructure to support it,” he says.
Vanderhoof says these new rules for EMV contactless are differentthan those for EMV contact cards. Purchases under about $25 can be acontactless transaction in the UK, just like in the U.S. “Just tap itand go, no PIN or signature. After a certain number of transactions youmight be required to enter your PIN.”
EMV vs. contactless overseasWhile EMV and contactless will have to coexist in the U.S., it’s notthat simple where’s there’s already an EMV infrastructure in place.“Europeans have a lot invested in EMV,” says Urs A. Lampe, vicepresident, product marketing and new business for contactless smartcard provider LEGIC Identsystems, in Switzerland. “Now contactless ishappening and the EMV installed base is all on contact, so you’llprobably see some swapping out of terminals in the next few years.”
Or they could opt for integrated contactless readers or readers thatare configured to accept contactless peripherals, adds Byrne.
Another solution is dual interface products in which a single chipcan communicate in contact or contactless mode. INSIDE will be bringthe Micropass 6002, a dual interface chip to market in the fourthquarter of this year, Walton says.
Merschen adds that a number of markets, such as Canada, the UK,France, Malaysia and Taiwan, have already embraced dual interfacesolutions, running both EMV contact and contactless transactions usingone single chip. “Some banks have clearly stated that contactless willbe a standard feature for many of their portfolios,” he says.
Canada, Walton says, is an interesting market because 10 millioncontactless chip cards have been deployed. He projects that by the endof the year, dual-interface cards will make an appearance there. “We’llbe seeing use of chip-based cards in the U.S. for security reasons. Thebuildup of EMV in Canada will tend to cause fraud to migrate to theU.S.,” he adds.
But there’s no getting around that the purposes of EMV andcontactless can be at odds. “EMV certainly brings about much moresecurity and flexibility to today’s mag-stripe cards,” Merschen says.“While contactless brings transaction speed and cardholderconvenience.”
In the U.S. it may come down to a question of speed versus security.As retailers transition to newer payment terminals it will be up to thecard issuers on whether or not to deploy EMV and put a safeguard inplace to help stem the tidal wave of payment card fraud.
EMV definitely works, but…
Latest card fraud losses reported by APACS, the UK paymentsassociation, show EMV does work, but it’s not a cure all. Certain typesof credit card fraud will require other measures.
While 2008 fraud loss figures totaled about U.S. $902.5 million thetwo main areas of fraud were on transactions not protected by chip andPIN: Internet, phone and mail order fraud, and fraud abroad committedby criminals using stolen UK card details in countries yet to upgradeto EMV.
This second fraud type has nearly doubled in two year, providingmore ammunition to those pushing the U.S. to become EMV compliant.
Phone, Internet and mail order fraud (card not present) accountedfor more than half of those losses at U.S. $485.9 million, just a 13%increase over 2007 losses but is double the losses suffered in 2004.
Counterfeit card fraud increased 18%, to about U.S. $250 million.But that’s down from the 46% increase reported in 2007. The vastmajority of this fraud is due to criminals stealing card details in theUK to make counterfeit magnetic stripe cards for use in countries yetto upgrade to chip and PIN, says APACS.
“The industry continues to apply pressure on those countries, suchas the U.S., where chip and PIN has still to be rolled out,” the APACSreport adds. “Increasingly effective use of intelligence systems andthe ongoing global rollout of chip and PIN have contributed to thisslowdown.”
Although card fraud losses have increased, losses as a percentage ofplastic card turnover amounted to just 0.12% in 2008, equaling about atenth of a penny lost to fraud in every dollar spent. This, too,reflects EMV’s “positive effects as well as the fact that we continueto use our cards more and more each year,” says APACS.
As to card not present losses, that can happen with or without EMV.More retailers, APACS notes, need to encourage cardholder and retaileruse of the secure codes found on the back of most credit cards.
However, one area where EMV is still vulnerable is with ID theft.Card ID theft losses have increased by 39% where criminals take overthe running of another person’s credit or debit card. This fraudtypically involves a criminal obtaining a genuine card and a genuinePIN, and has contributed to the fraud increases seen at UK shops andcash machines, APACS says.