The Inevitable - EMV Payments On a Fast Track to Becoming a New Standard in the United States

by Reed Smith

Last week, congressional leaders in Washington continued with their focus on the safety of the U.S. payments system in the aftermath of the massive retailer breaches at Target, Neiman Marcus and others. The House Committee on Financial Services held its session March 5, while the House Committee on Science, Space and Technology hearing was held March 6. The message coming out of the hearings was that the adoption of EMV cards is just one of many steps that need to be taken to secure the U.S. payments system.

Not coincidentally, MasterCard and Visa have announced the formation of a cross-industry group focused on enhancing payments system security to keep pace with the expectations of consumers, retailers and financial institutions. The companies say that the group "will initially focus on the adoption of EMV chip technology in the United States, in addition to addressing other security-related topics, including tokenization, point-to-point encryption and broader needs of the region."

Named after its original developers (Europay, MasterCard® and Visa®), this smart chip technology features payment instruments (cards, mobile phones, etc.) with embedded microprocessor chips that store and protect cardholder data. This standard has many names worldwide and may also be referred to as "chip and PIN" or "chip and signature." EMVCo is the standards body collectively owned by American Express, JCB, MasterCard and Visa. These companies also comprise the organization that maintains the Payment Card Industry Data Security Standard (PCI-DSS).

Under the EMV standard, a cardholder’s confidential data is more secure than on the current magnetic stripe card because EMV supports dynamic authentication that is verified by the point of sale (POS) merchant terminal. The EMV system has been long in coming to the United States. As we know from earlier congressional hearings, Target unsuccessfully tried to implement it and, for the last few years, the payment networks have been trying to spur adoption. Uncertainty from litigation and complexity of implementation by retailers have delayed the implementation of EMV in the United States.

As a result of the high profile and the size of the most recent breaches, the timetable for adoption of EMV in the United States is likely to speed up or, stated more accurately, there will likely not be long delays. However, EMV is not the silver bullet.  Experts agree that EMV would not have prevented the Target breach because the malware that attacked Target was looking for account information inside POS devices’ memories, where data is unencrypted. This information would have been compromised regardless of whether or not it came from EMV cards because it was not taken directly off the cards themselves.   Most significantly, while EMV provides authentication at the POS device, it has no effect in online transactions.  Thus, as more brick-and-mortar merchants implement EMV technology, we can expect higher risk for fraud and data breaches for online merchants as the fraudsters shift their focus.

There is no agreement at this time on whether EMV adoption in the United States will be coupled with a PIN or a signature requirement. Cards will continue to be issued with a magnetic stripe. Also, while experts agree that a layered approach is necessary to truly protect payment data, there is no agreement on what, if any, other data protection element, such as tokenization, is needed.

The newly formed cross-industry group is just one of the ways Visa and MasterCard are trying to ensure widespread adoption of EMV.  They have also issued upcoming rules and guidelines for processors and merchants to support EMV chip technology.  

Visa is introducing its Technology Innovation Program (TIP) to the U.S. region, which waives an annual PCI-DSS audit if 75 percent of the merchant's Visa transactions are processed through a dual contactless and contact EMV certified device. MasterCard is introducing its PCI-DSS Compliance Validation Exemption Program to the U.S. region, which also waives the annual PCI-DSS audit if 75 percent of the merchant’s MasterCard transactions are processed through a dual contactless and contact EMV certified device.

If the waiver of a PCI-DSS audit is not incentive enough, the coming liability shift will certainly be. Under the payment network guidelines, merchants who have not made the investment in chip-enabled technology by the network deadlines may be held financially liable for card-present fraud that could have been prevented with the use of a chip-enabled POS system. When the liability for fraudulent transactions will shift depends on the card brand, but October 1 of 2015 and 2017 are key dates for Visa, and October 1 of 2015, 2016 and 2017 are key dates for MasterCard. American Express has announced October 1, 2015 for its liability shift date. Recently, the networks have reiterated their commitment to adhere to the liability shift dates.

What to Do – NOW

In the past the payment networks have either extended or completely abandoned their own timelines.  That will likely not be the case this time around.  Congressional attention on the retailer breaches and the impending liability shift has become a catalyst for EMV adoption.  It is likely that EMV implementation in the United States will now be on the fast track; thus, it is important to start the planning process now.  For issuing banks, working with card manufacturers that can produce EMV cards may become a challenge as there is a limited number of such manufacturers.  For merchants, the situation is similar, as the demand for EMV-enabled POS terminals will skyrocket in the coming months. 

  1. Develop a Business Plan for your Specific Business.  For retailers, equipment upgrades will be both costly and time consuming. For some retailers, the business plan will have to include an assessment of whether the amount of fraud prevention may deliver an acceptable ROI for the cost and effort to implement this technology. Implementing EMV chips will speed up mobile and contactless payments and make them more secure. The devices that accept EMV chip cards are dual contact/contactless devices. Thus, merchants should ensure that their business plan includes capturing mobile and contactless payments, especially with respect to gift cards and loyalty/reward programs.
  2. Get Involved.  Participate in industry-specific groups.   Follow closely what the payment networks, the U.S. Congress and regulators will propose with respect to payment data security.  Don’t forget about the Federal Reserve Board payment system improvement project and its ramifications for upcoming regulation and implementation of EMV.  http://fedpaymentsimprovement.org/
  3. Don’t Wait!  The first merchant in the United States to accept EMV cards in many of its stores is Walmart. Sears, Target and CVS Caremark have announced the rolling out of Chip and PIN at an accelerated pace. As market pressure builds in all segments of the payment network infrastructure, there will be pressure on resources. 
  4. Go Beyond the Requirements.  Putting in place a successful strategy that addresses both POS and online transaction security, as well as personal data security, generally will require going beyond the current requirements/recommendations.  Understanding how and what new technologies can be layered in the protection of private and financial data will be a market differentiator. 

Payment system security is a complex problem that cannot be solved by any single technology, standard, mandate or regulation.  Consequently, a multi-faceted, business-oriented, risk-based plan is needed before the flood gates of EMV adoption open.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Reed Smith | Attorney Advertising
