• United States



Contributing writer

EMV transition involves many moving parts

Jul 29, 20166 mins
ComplianceComputers and PeripheralsData and Information Security

The EMV transition is slow going, but that was expected

The shift from magnetic stripe to chip-based payment cards was first announced in 2011, with a deadline of October 2015, but most merchants still have not upgraded, and are paying the price in that they are now having to cover the costs of fraudulent transactions.

According to EMVCo, the international consortium responsible for the EMV chip card standard, the U.S. also lags far behind other countries. In Africa and the Middle East, for example, 87 percent of in-personal payments were with chip cards, 40 percent in Asia, 72 percent in Eastern Europe, and 97 percent in Western Europe.

There’s a lot of finger pointing going around about why the transition is going so slowly, but the bottom line, according to experts, is that the United States has a more complicated infrastructure than other countries and the transition was never expected to happen quickly.

“No one in the industry actually expected it to be done by now,” said Allen Friedman, vice president of payment solutions at Ingenico Group, a leading global payments technology company based in France.

Most countries have five or 10 banks that issue credit cards, and about that many that provide merchant acquiring services, he said. Acquiring banks are the ones who handle payment card payments for merchants.

In the U.S., however, there are hundreds of acquirers, he said, in addition to value added re-sellers and gateways.

[ ALSO ON CSO: Is EMV the silver bullet to credit card fraud? ]

“The U.S. is the most complex payment system in the world,” he said.

This complexity has a very direct effect on whether a merchant can switch to chip cards. It’s not just a matter of simply buying new payment terminals.

The new hardware has to be certified as EMV compliant to ensure that it is secure. The software kernel in the machine has its own, separate, certification step. The hardware manufacturer handles both of these certifications.

Allen Friedman, vice president of payment solutions at Ingenico Group

Then the hard part begins. Each combination of device and back end payment software has to pass its own certification, with a separate process for each of the four major card brands. The certification process includes a number of test cases — around 300 different ones, in the case of Mastercard, said Friedman.

“That’s a lot of testing, and a lot of things could go wrong, have to be fixed, and done all over again,” he said. “All of this played into the tremendous backlog and bottlenecks that we’ve seen in this certification process.”

In fact, some merchants already have the new chip card readers at the checkout counters but aren’t using the chip card functionality because it hasn’t yet been certified.

“It was surprising that anyone got done by October 1,” he said.

He estimates that currently about 13 to 15 percent of merchants are processing chip card transactions.

“But considering the size of the market, that’s really not bad,” he said. Take for example, countries like Canada of France, which had simpler payment industry markets, and still took seven or so years to migrate.

According to Friedman, all Ingenico payment terminals are EMV compliant, since the company sells its terminals around the world and making special non-EMV terminals just for the U.S. market would actually have been more expensive.

Some merchants in a bind

The convoluted migration process is leaving some merchants confused about what’s going on.

Even if a terminal is EMV-capable, their payments processing provider might not be certified for that particular machine.

One finance director at a national retailer contacted CSO to let us know about the bind they were in.

Four years ago, they spent around $1 million to migrate to their current payments provider — but there was a problem with the EMV certification.

It would have taken them another $1 million to switch to another vendor. And it would also have been very costly to rip and replace all their terminals. They could either suffer the liability hit, or opt for terminals not integrated with their back end systems.

“But then you would have to ring up the transaction twice, once in the point of sale system and then again on the non-integrated terminal,” he said. “This will slow down the checkout process and cause all sorts of issues, such as when you have to do a refund.”

At first, he thought that because the terminals he was using, the Verifone MX860, were older, and considered “end of life,” that there may have been a deliberate plan to force customers like him to update to newer terminals.

“It’s pretty dirty tactics,” he said.

The payments processor, Aptos, did, in fact, prefer that their customers upgrade.

“Any client running earlier versions — such as MX8xx — were encouraged by both Verifone and Aptos to upgrade to the MX9xx devices because of Verifone’s end-of-life classification for the MX8xx series,” said Darlene Bogusz, the company’s product manager.

“We started certification on the MX9xx family of devices first because they are the newer models and many of our clients have them,” she added.

But it seems to have all worked out in the end — Aptos completed their certification for the Verifone MX860 devices on July 21, Bogusz said.

Verifone confirmed that their older MX800 series devices are designed as “end of life.”

“However, we have updated the EMV features on these devices,” said Joe Mach, senior vice president and general manager for vertical solutions at Verifone. “The MX800 hardware is certified and compliant with EMV.”

[ RELATED: Predicting winners and losers in the EMV rollout ]

Unnecessary hardware purchases are particularly unwelcome right now, since the mobile payment space is still evolving rapidly and may require yet another round of upgrades.

Ben Woolsey, president and general manager at CreditCardForum, warned retailers to watch out for pressure tactics.

“Whether this is an isolated phenomenon or not, it’s probably more likely a sales tactic from legitimate vendors rather than fraud but retailers should still be on guard and make sure any upgrades are truly required for EMV certification versus vendor sales quota reasons,” he said.

“But we did hear about a retailer alert warning of unscrupulous vendors sometimes calling merchants, pretending to be their processor, telling them that they had to buy new equipment to be in compliance,” he added.

He urged merchants to double check with their POS vendor or merchant processor before committing to purchase any new equipment.

According to a recent survey by CreditCardForum, 45 percent of the largest retailers in the U.S. are not fully EMV compliant — even though most already had terminals that were capable of accepting chip cards.

“Feedback from some merchants has been that the custom software they use can be difficult or expensive to integrate with the chip reader,” he said.