by Bob Lowe
EMV (Europay, MasterCard, Visa), Chip Cards, Smart Cards, Chip and PIN, Chip and Choice – they can’t even decide what we’re going to call it, let alone how exactly it will work; yet they expect hoteliers to be working on implementation plans. Here’s what we know, what we don’t and what we can expect…
What is EMV?
EMV is an acronym for Europay, MasterCard, Visa. This association of card brands came together in 1994 to develop a new credit card payment method to replace the limited capabilities of the magnetic stripe. What they came up with was the chip card – a credit card wherein the magnetic stripe was replaced with an embedded computer chip similar to the SIM card in your smart phone.
EMV is currently in use around the world with figures from late 2012 showing more than 75 percent worldwide adoption. The United States is the only major country that hasn’t yet adopted smart cards.
Why the delay? Because the complexity of the U.S. market makes EMV adoption exponentially more difficult here. Whereas in most European countries we see a few state-backed banks handling the majority of card transactions, and only a handful of processors getting in on the action, in the United States we have hundreds of issuing banks and nearly two dozen major processors. Add to that the fact that the majority of European merchants use stand-alone payment terminals provided by their banks that are not integrated with their point-of-sale systems or accounting software. U.S. merchants, on the other hand, much prefer integrated payment solutions.
What are the benefits?
The great promise of EMV has historically been reduced card-present fraud and the ability for offline processing. Because nearly all merchants in the U.S. have reliable connectivity such as Internet, offline capabilities will not be part of U.S. EMV, so the only real benefits we will see is a potential reduction in fraud.
In 2010, U.S. card fraud hit $8.6 billion, and that number is expected to surpass $10 billion in the next two years. Because the smart card is able to self-authenticate each time it is inserted, verifying that it has not been reported stolen and that it is a genuine card, issuing banks (who bear most of the cost burden from fraud currently) hope to see much of this fraud disappear. Even if it doesn’t, they have found a way to limit their own liability. Beginning in October 2015, any merchant who does not have a certified EMV solution in place will become liable for the fraudulent transactions committed in their business. They will also lose the ability to fight chargebacks for any transactions that were not processed using EMV.
Merchants who adopt EMV will see the benefit of not having to complete their annual PCI assessment, so long as they process 75 percent of their charges on a certified EMV terminal (and meet a few other guidelines). This is not to say they don’t still have to be compliant with PCI DSS, only that they don’t have to fill out a form proving their compliance.
What costs will merchants pay for this privilege? To accept smart cards, an estimated $2.5 billion worth of new payment terminals need to be put in place. That amount doesn’t include the cost of POS/PMS updates or custom development and the accompanying, mandatory EMV certifications.
Changes necessary to implement smart cards will be especially notable in the hospitality space. MasterCard’s U.S. EMV standard requires a PIN, similar to a debit card. Many U.S. hotels do not have the capability to accept a PIN. This means not only will new payment hardware be required, but front desk areas may have to be modified to accommodate a guest-facing payment terminal (a PIN pad like you use at the grocery store).
So, drastically oversimplifying the situation in the name of merchant advocacy, merchants are being asked to pay $2.5 billion to adopt a technology that does little good for them, but could potentially save the issuing banks $8-10 billion per year. In return, the card brands are offering merchants the olive branch of not completing their annual PCI assessment; although they will still be held liable should they be found to be out of compliance.
What we know and what we don’t
The EMV rollout in the U.S. has already begun. Processors and device manufacturers are actively working on solutions (although, to be honest, they’re already far behind schedule for the 2015 fraud liability shift date). The solutions they are pushing appear similar to the EMV we have seen in Europe and Canada with these few exceptions:
1. No offline mode
a. EMVCo decided that the U.S. communications infrastructure is reliable enough that offline processing is no longer necessary.
b. Several major U.S. retailers have already filed suit to keep offline processing available in the U.S. specifications, citing potentially massive losses that could result from even a few minutes of processing disruption.
2. No PIN required by VISA
a. A PINless EMV model removes the two-factor authentication inherent in the transaction and, by replacing the PIN with a signature, puts the onus back on the merchant to verify that the signature provided matches the one on the card. This mirrors our current methods, and in so doing, sets aside one of the only consumer-facing benefits of EMV.
3. Capability for EMV debit
a. The U.S. will be the first major market to launch EMV-capable debit cards on multiple debit networks. (Most European markets have only one debit network.) How these cards will comply with the Durbin Amendment mandate that merchants be able to choose from two or more debit networks for any given transaction is yet to be determined, since the nature of the chip makes that nearly impossible.
4. Near-field communication
a. With the increasing popularity of near-field communication (NFC) payment instruments (including smart phones and digital wallets), we will likely see NFC and EMV adopted at the same time by merchants. It is important to remember that while they may use the same chip, NFC is not the same as EMV and does not offer the same fraud protection. Plus the fact that this new NFC is “EMV NFC” and not the old “track data” type of NFC, and has its own set of issues.
As you can see, there are still a number of kinks that have to be worked out, which is why We have been warning our merchant customers to be extra vigilant when investing in new hardware, and to verify with their providers that those devices will indeed be supported for EMV. (A firmware update will be required once we know exactly what standard those devices will have to meet. Until then, no device should be considered compliant.)
The migration to U.S. EMV is not going to be easy, so start your preparations and do your homework now; that way you won’t be left out in the cold come October 2015. If you have any questions, feel free to send an email to [email protected] and we would be happy to help.
