For decades, the U.S. payments industry has relied on magnetic stripe-based card technology. Most other countries have or are in the process of transitioning to the EMV chip card standard. EMV ensures the authenticity of a credit card by using encrypted data which is stored on the card. However, the encrypted data does not include the actual transaction.
Now, incentives and directives are paving the way for the U.S. adoption of EMV. This is in part to drive the adoption of NFC mobile payments. Companies that implement EMV early on will gain an advantage over competitors with solutions that are available now. However, merchant migration may be easier, less costly and provide more benefits than many realize. This is especially true when used with end-to-end encryption.
Discussions about EMV implementation in the U.S., until recently, haven’t been taken serious, with few supporters and a lot of skepticism that the U.S. payments industry could ever be motivated to transition from magnetic stripe-based payment cards.
EMV, which stands for Europay International, MasterCard and Visa, which joined in 1994 to begin the specification, has been or is in the process of being adopted by every developed country except the U.S., as well as most emerging countries. American Express and JCB subsequently joined MasterCard and Visa in ownership and management of EMVCo, and entity to manage and extend the specifications, while Europay was absorbed by MasterCard.
Despite some supporters, including WalMart, the U.S. has resisted moving to EMV because the payments ecosystem made up of card brands, processors, acquirers and merchants has mainly been satisfied with the magnetic strip-based infrastructure. However, in August 2011, Visa announced a Technology Innovation Program (TIP) and liability shift for the U.S. that sets out an EMV migration plan that includes incentives for adoption, and potential penalties for those who don’t go along.
Following suit, in early 2012, MasterCard announced a roadmap for EMV adoption with its own set of incentives and liability shift. Subsequently, Discover announced a 2013 EMV for acquirers and direct-connect merchants and also revealed that it had already accepted EMV in the U.S. at certain WalMart locations. American Express followed the other major brands with its own timeline, with a mandate in early 2013 for processors and financial incentives for merchants beginning in the second half of that year.
Visa’s announcement of TIP overtly tied the U.S. shift to EMV for both contact-based and contactless payment acceptance. “The adoption of dual-interface chip technology will help prepare the U.S. payment infrastructure for the arrival of Near Field Communication (NFC) mobile payments by building the necessary infrastructure to accept and process chip transactions,” stated Visa.
From a merchant perspective, the major incentive is that Visa will “eliminate the requirement that eligible merchants annually validate their compliance with PCI DSS if at least 75 percent of their Visa transactions originate from “dual-interface EMV chip-enabled terminals” and if they comply with other qualification criteria. Visa will require U.S. acquirer U.S. processors and sub-processor service providers to be able to support merchant acceptance of chip transactions no later than April 1, 2013.
A MasterCard executive told PaymentsSource that a merchant running 75% of card transactions through at EMV terminal with both contact and contactless capabilities by 2013 would receive 50% relief on PCI testing.
American Express indicated merchants “will be eligible to receive relief” from PCI Data Security Standard (DSS) reporting requirements if POS locations where 75% of transaction occur “are enabled to process American Express EMV chip-based contact and contactless transactions.”
Since the card brands are creating a shift in liability to acquirers and away from issuers, if merchants don’t implement these new EMV acceptance devices, they will eventually become liable for fraudulent card transactions that would have been prevented if they were processed over EMV terminals. Currently, card issuers absorb most of the liability for fraudulent card transactions.
Announcements by Visa and MasterCard regarding their EMV plans have created some confusion over Chip & PIN and Chip & Signature. There is a common misperception that EMV is synonymous with “Chip and PIN” but that is not accurate. Chip and PIN is just one aspect of EMV that has been widely adopted and was implemented in the UK under that name in the past decade. But other countries have opted for a “Chip and Signature” approach.
Visa has stated that EMV in the U.S. doesn’t have to mean Chip & PIN, which was interpreted as favoring Chip & Signature. What Visa actually said was, they “will continue to support a range of cardholder verification methods (CVMs) with EMV chip, including signature, online PIN and no-signature for low-value, low-risk transactions.” Therefore, they will accept Chip & PIN along with other variations.
MasterCard, which also supports different aspects of EMV, has discussed a liability hierarchy, which essentially means that liability for EMV fraud is going to rest on the shoulders of whichever party in the processing chain has the weakest implementation of EMV.
The Merchant Advisory Group, which includes Walmart, Target, Sears, CVS Caremark and several others, has strongly endorsed Chip & PIN as a requirement for U.S. EMV adoption. Clearly PIN is more secure than signature, so it makes sense to default to this option as the best shield against fraud liability.