Merchant incentives, liability shifts but questions abound
Visa Inc. unveiled plans and incentives for U.S. merchants to deploy EMV with an eye toward near field communication, the company announced in August.
EMV via contact chip, contactless or NFC all use dynamic authentication to reduce a fraudsters ability to use stolen credit card data. The U.S. is one of the only industrialized countries in the world that hasn’t moved to EMV payments.
To encourage the transition Visa is doing three things. Effective Oct. 2012, Visa will expand its Technology Innovation Program to the U.S. and eliminate the PCI Data Security Standard requirement for eligible merchants in which at least 75% of the Visa transactions originate from chip-enabled terminals.
The new terminals must be enabled to support both contact and contactless chip acceptance, including mobile contactless payments based on NFC technology. Contact chip-only or contactless-only terminals will not qualify for the U.S. program. Qualifying merchants must continue to protect sensitive data in their care by ensuring their systems do not store track data, security codes or PINs, and that they continue to adhere to the PCI DSS standards as applicable.
Visa will also require U.S. processors to support merchant acceptance of chip transactions no later than April 2013. Chip acceptance will require service providers to be able to carry and process additional data that is included in chip transactions, including the cryptographic message that makes each transaction unique.
Visa will provide additional guidance as part of its bi-annual Business Enhancements Release for acquirer processors to certify that their systems can support EMV contact and contactless chip transactions.
While waiving PCI might be the carrot for merchants, the stick is a liability shift that would take place in Oct. 2015 for counterfeit card-present POS transactions. At that time if a contact chip card is presented to a merchant that has not deployed EMV-capable hardware, liability for counterfeit fraud may shift to the merchant’s acquirer. Fuel-selling merchants will have till Oct. 2017 before a liability shift takes effect for transactions generated from automated fuel dispensers.
This liability shift is also intended to encourage issuing banks to begin providing EMV products to cardholders. The benefit of shifted fraud liability should be an asset in the equation as issuers attempt to cost justify EMV migration.
Existing contactless upgrades
While there are incentives for merchants to make upgrades to EMV, even those with existing terminals that accept one or both of the technologies will have to upgrade the software, says Mark Nelsen, senior business leader in fraud risk products at Visa.
Most of the existing contactless terminals and contactless cards use an older specification that is based on magnetic stripe data emulation. These cards will still work, but merchants will have to upgrade terminals in order to accept contactless EMV, Nelsen says. The older contactless cards will still be read when the new software is installed because it is backward compatible. For issuers to benefit from increased fraud protection, however, they will need to switch from the current contactless payment methods to the new specification for contactless EMV.
Visa will offer support to banks for issuance of the new cards, says Mark Nelsen, senior business leader in fraud risk products at Visa. “We have a variety of implementation services to help get issuers set up with personalization tools,” Nelsen says.
An area where issuing banks may have difficulty is authenticating EMV transactions, Nelsen says. When an EMV card transaction is being processed there are a couple of different steps it takes for verification.
After the card is inserted into the reader it is typically switched through to VisaNet for validation and then to the issuing bank. Since issuing banks may not be able to handle the additional data that comes with an EMV transaction, Visa provides a complete chip validation and conversion service, relieving issuers of the issues of handling chip data.
Visa’s fix will be dropping the additional fields after it verifies the transaction and then sending that data to the issuer. The issuing bank will basically see the same data that’s contained in a mag-stripe transaction and then provide the authentication. There’s no loss in security with this system because Visa validated the EMV transaction before dropping the other fields and sending it to the issuing bank.
The announcement from Visa has been met with mixed reaction. “It’s not in itself the be all and end all,” says Dave McKay, technical sales manager at Bell ID. “What it has done is act as a cattle prod. It put a solid foundation that EMV is becoming inevitable.”
Merchants that don’t comply with the new Visa rules will shoulder a heavier burden of fraud expenses while those who do will get some PCI relief, McKay says. “There will be a ballooning cost for those who don’t comply,” he says. “The sweetener is some relief from PCI compliance.”
One or the larger questions looming is what will the other payment brands do in response to the Visa announcement, McKay says. “Most merchants aren’t just accepting Visa so they’re still going to have the cost burden from the other schemes,” he says.
That said, it’s likely that American Express and MasterCard will take similar steps, McKay says.
The true importance of the Visa announcement is putting some solid dates around a U.S. EMV rollout, McKay says. “It’s not a great paradigm shift but puts some focus on the road map and forces the other schemes to come up with their measures,” he adds.
Not really a push for EMV?
Richard Crone, CEO at Crone Consulting LLC., says the Visa announcement is a move to push merchants toward accepting NFC-enabled payments and not EMV. With very few EMV cards issued in the U.S. there won’t be the opportunity to reduce fraud because customers won’t be using the cards. “Until we get to chip and PIN and see the exponential benefits the merchant is carrying the burden to upgrade the point-of-sale,” he says.
Visa is trying to extend its payment infrastructure with the latest move and have merchants pay for it, Crone says.
While there may be questions as to the ultimate motivation for the Visa announcement, one thing seems clear. It will almost certainly be a catalyst to expedite change in the U.S. payments infrastructure.