
The Merchant and EMV: What You Need to Know to Prepare for the Magstripe to EMV Transition


Research Brief



Table of Contents

Executive Summary

Why, and How, Now?

The Pace is Accelerating

EMV is One of Three Security Pillars

EMV Payments are More Complex than Magstripe

EMV and the Merchant

Decision Time for Merchant

Do You Upgrade to EMV?

Small Can Be Beautiful

How Do You Upgrade the Electronic Cash Register?

Will You Support Contactless Payments?

What’s Your Payment Security Equation?

Lessons Learned

Know Your ISV’s Schedule

Insulate Yourself from the Complexity

Work on a Smooth Checkout Process

About Glenbrook

This Glenbrook Research Brief is sponsored by Moneris Solutions:

Moneris was created as a joint investment between RBC Financial Group and BMO Financial Group (including Chicago-based Harris Bank) in December 2000. As one of North America's largest providers of payment processing solutions, Moneris offers credit, debit, wireless and online payment services for merchants in virtually every industry segment and processes more than three billion transactions annually. Moneris also offers electronic loyalty and stored-value gift card programs. With more than 350,000 merchant locations, Moneris provides the hardware, software and systems needed to improve business efficiency and manage payments. An EMV leader, 92% of all in-store transactions processed by Moneris are Chip and PIN transactions; of those, ~7% are contactless transactions.

Moneris is the industry leader because we focus all of our energies on the three key elements of processing - technology, innovation and people. These strengths differentiate us in the marketplace and allow us to deliver exceptional value in transaction processing.


Executive Summary

If you’re a US merchant and you accept card payments, you are in the midst of a change, whether you know it or not.

Europay, Mastercard, and Visa (EMV) smartcard technology is coming to the US to prevent card fraud. The EMV migration aims to replace magnetic-stripe, or magstripe, credit cards with safer chip cards. By October 2015 merchants will be required to adopt EMV standards or be liable for counterfeit fraud at a magstripe-only terminal. The shift to EMV, a proven global payment security technology, has big implications for every merchant in the US. The changes are considerable:

• Every US merchant accepting point-of-sale payments will be affected. If you take magstripe-based payments, you will be expected to also take chip-based EMV payments sooner or later.

• If you decide to support EMV, every one of your point-of-sale terminals must be retired and replaced by a chip-capable unit. If you decide to stick with your magstripe-only device, you’ll be liable for fraud losses when your customer transacts with an EMV capable card.

• Not only will your PIN pad hardware require replacement but the software on your PC, tablet, or electronic cash register will require upgrading to support new EMV transaction requirements.

• The EMV transaction flow is different from the venerable magstripe swipe. The card is inserted into a terminal during a transaction. This changes the transaction flow for both the customer and the clerk. Optimizing that flow can create a positive customer experience and improve clerk efficiency.

• Visa expects issuers to release more than 500 million EMV cards by the October liability shift date. Merchant customers will have EMV cards in their wallets.

While your customers will still use cards to pay and merchants will still use terminals to take those payments, the changes are significant and variable. Most credit cards will still require signatures or make signatures optional for low value transactions, but some financial institutions will issue credit cards that require PIN entry, as most debit cards do today. If you serve travelers from other countries, “chip and PIN” credit cards are typical and your EMV-capable POS system will support those transactions, too.

This white paper describes EMV and its implementation complexities, and provides merchants with recommendations on how to prepare for its arrival.


Why, and How, Now?

The “why” of EMV is obvious. The Target and Home Depot breaches are just two recent examples of how hackers can expose the data of millions of customers; the annual cost of card fraud is now in the billions.

EMV puts customer protection first. It is a foundational technology that improves payment card security and reduces fraud risk by preventing card counterfeiting.

The card brands are using fraud liability as their main driver to migrate the payment ecosystem to EMV. As it now stands, after October 1, 2015, most retail merchants will be liable for the counterfeit card loss on any transaction initiated by an EMV-capable card at a terminal that is only magstripe capable. In other words, the entity with the weakest security pays for the fraud losses.

In other markets, either government regulatory bodies or cooperating industry groups have provided the energy behind the shift, along with the liability shift incentive. In the US, the liability shift is the essential lever to get the market moving.

But not all merchants will feel that the liability shift is sufficient incentive, given what the change costs. New EMV POS terminals are $250 and up. Small merchants selling low-cost, high-volume goods—coffee shops come to mind—don't face much counterfeit card risk and, even if they do, the loss is minor.

So, some merchants may drag their EMV feet. Except for one factor: the reaction of their customers. In this era of massive data breach, consumers are sensitized to card payment security issues. Once they grow accustomed to using their EMV cards, they will expect all of their merchants to provide the latest in card security technology. Providing magstripe-only payments might signal to the customer that the merchant doesn't care about payment security. And that will be bad for business.

More sophisticated merchants with integrated point-of-sale systems will also care whether or not their software supplier is EMV-ready. These merchants rely on line-of-business software that automates key functions like inventory and customer loyalty programs, as well as the payment step. Merchants who rely on the independent software vendors who build those business applications need to make sure their supplier is aware of EMV’s benefits and the need to support it.

The Pace is Accelerating

The good news is that current forecasts predict that more than 575 million EMV cards will be issued in 2015. That's a good start. The pace of EMV terminalization is also picking up. The Payments Security Task Force (PST) forecasts that 47 percent of terminals will be EMV-capable by the end of 2015. Even at these rates the chip-to-chip transaction rate will remain low, but the momentum for EMV continues to grow. Unlike in other markets, the US has the advantage of all four major card brands working from the same schedule. The US wins by all brands moving together.

EMV is One of Three Security Pillars

While EMV is neither new nor the latest in security technology, it does represent a substantial step forward. No one can argue that eliminating counterfeit cards is a bad idea. But it will take many years, particularly in the massive US market, to establish a complete EMV perimeter. Visa reports that in other markets it takes on average six years for 90 percent of transactions to be conducted via EMV in a “chip-to-chip” transaction. In the US, that time period will likely be longer because of the millions of POS terminals that need replacing and the more than 1 billion payment cards that must be issued.

EMV fits into an overall payment card security plan but it is not the only option in the security toolbox. Card data encryption and tokenization are two other pillars of data security recommended by payments security experts. The card brands and the PCI Council encourage their use. Needed to protect card data in flight and at rest, these tools will fulfill significant roles even in an all-EMV world.

EMV Payments are More Complex than Magstripe

EMV's improved security performance comes with an increase in complexity. EMV was designed to support a broad range of use cases, some of which will be rare in the US, but must nevertheless be supported. The challenge facing both merchant and software vendors is how to anticipate, support, and interpret various EMV specifications. The following illustrates how difficult that can be:

Online v. Offline Authorization. One of the original design requirements was the ability for transactions to be authorized offline. In the mid-Nineties, telecommunication costs were high in Europe. The offline intelligence allows for authorization of generally low-value transactions without the terminal going online via what was then an expensive dial-up call.

While that use case scenario is far less common in Europe today and non-existent in the US, accommodating offline capability is still a certification requirement here in the US for MasterCard, AMEX, and Discover. Global payment interoperability is the chief reason for support of offline authorization.

PIN vs. Signature Cardholder Verification. EMV supports chip-based transactions with, and without, a PIN. If the issuer programs the card to prefer signature use, the cardholder is not prompted for a PIN. EMV also supports PINs in both online and offline modes.

The choice to use a PIN or a signature is up to the card issuer. To get started with EMV, many US issuers are choosing the signature method but not all; some are issuing “chip and PIN” cards that bring the added advantage of protection against lost and stolen card fraud.

Network Level Differences. EMVCo is the keeper of the EMV specification. While the


and UnionPay—the interpretation and implementation of that specification varies slightly from card brand to card brand. Currently, this variability is most pronounced in the area of contactless payments. As one of the newer elements in the EMVCo specification, contactless technology continues to be updated following each card brand’s unique interpretation. The net effect is that even among the owners of the EMV standard there are differences sufficient to require lengthy certification testing by all acquiring processors across all supported card brands.

Processor Level Differences. This variability most directly impacts the next level in the processing hierarchy: the acquiring processor. Each processor must accommodate those variations, tuning message structure and process flows for each of the card brands it supports. Each acquirer must pass thorough certification tests for each card brand and for each POS terminal family it supports. Significant investments in programming, IT infrastructure, testing equipment, and time are required.

To shield merchant and ISV customers from this complexity, the smart acquiring processor exposes a single, comprehensive software interface to simplify integration to the processor's front end authorization system and back end clearing and settlement functions. Properly executed, this single interface can save the merchant and/or its ISV the time and expense of working directly with EMV code.

Independent Software Vendor Differences. ISVs deliver software that manages the merchant’s payment flow via the electronic cash register (ECR), be it a PC, a tablet, or mobile device. Of course, ISV software does far more -- order management, inventory, and customer loyalty programs -- but the payment step is integral to the overall process.

The magstripe to EMV transition will impact ISV development requirements. As we have seen, EMV covers many more use cases, and certification requirements have expanded. The ISV’s software must accommodate these changes as well as optimize the checkout flow for customers. ISVs and merchants alike can lower their development and certification costs as well as their investment in time by choosing a provider who can shield them from EMV’s complexity.


EMV and the Merchant

EMV deployment is a difficult process. EMV and its multiple use cases present a considerable technical effort to master and certify. Global expertise will help ease the US effort, but because of the highly variable business, regulatory, and technical nature of the US payments system, merchants report to Glenbrook that minimizing their exposure to that complexity is a key step in a successful EMV deployment. For the merchant, EMV support comes down to a set of decisions about who does the hard work of EMV support: the merchant or an upstream provider.

Decision Time for Merchant

A Glenbrook review of the Canadian merchant experience with EMV deployment reveals that merchants must make many correct decisions to optimize the return on their EMV investments. The following discussion frames key decisions merchants must make:

Do You Upgrade to EMV?

For most merchants, and certainly all Tier 1 merchants (the top 350), the decision has already been made. It is an emphatic “yes.” The risk of counterfeit card loss is very real. Just as important, most merchants view EMV support as a necessary step toward rebuilding customer confidence. While some smaller merchants may hold out, “yes” is the smart answer. Remember, “no” means accepting the potential burden of counterfeit card losses, fines, loss of certain chargeback rights, and the discomfort, if not disdain, of customers who expect their retailers to care about payment security and data privacy.

Small Can Be Beautiful

Another decision point is a function of your business size and complexity. You’re in luck if you’re a single location business with a stand-alone POS terminal. Your deployment challenge will be limited to saying “yes” to EMV, purchasing or leasing the device, and deciding where to place the new terminal. You have a simple payment acceptance system, so EMV shouldn’t be a big deal. Many “mom and pop” merchants could be up and running with EMV well before larger businesses.

How Do You Upgrade the Electronic Cash Register?

Large firms using ECRs to drive their PIN pads are likely to upgrade to EMV and perhaps contactless hardware to meet customer expectations and their certain use of new technologies at the checkout counter – like Apple Pay.

It’s the software question that matters more.

If you are a large merchant with an integrated point of sale system or ECR, you are likely to use a PC connected to a POS terminal; if you’re a smaller retailer, you may also be using a tablet connected to a card reader or terminal to take payments. Regardless of which model is used, your ECR software vendor needs to answer critical questions about EMV support. Does the software support EMV transactions today? If not now, when? What PIN pads are supported? What EMV kernel software is running on the terminal? When does its certification expire?

One of the concerns expressed by merchants interviewed by Glenbrook was the pace of change in POS payment devices. There are infrequent but critical updates to EMV kernel software. It’s important to know how those updates will affect certifications and plan ahead for them.

New ways to pay—again, think Apple Pay—are being added to the mix. It’s a moving target. We have spoken with merchants who have decided to rent or lease EMV payment terminals as a way to minimize risk. During the first two or three years of US EMV deployment, that approach could offer flexibility and further insulation from the obsolescence risk posed by updates and new certification requirements.

As we learned, many Canadian merchants had to work closely with their software providers to develop EMV payment capability and optimize the customer and clerk payment flow. This process takes time, so start the discussion with your vendor now. There are ways to streamline the integration challenge. Acquirers and processors like Moneris have simplified EMV support and lowered the execution risk for merchants and ISVs alike by offering comprehensive software interfaces that shield the merchant’s software developer from the complexity of coding to EMV directly. Called POSPAD, the Moneris software also reduces the certification burden from the merchant’s IT staff. POSPAD software is pre-certified and runs in multiple traditional and mobile devices. It is pre-tested so that ISV and merchant development effort is substantially reduced. Moneris also provides a certification test tool to speed the development process along. The POSPAD software is designed to reduce integration time from months to weeks.

Will You Support Contactless Payments?

The recent launch of Apple Pay in the US has attracted a lot of merchant attention, but you need a thoughtful strategy before taking on this new technology. A decision to support contactless and near field communication (NFC)-based smartphone transactions should be made in concert with your decision to support EMV. Contactless capability is built into most modern PIN pads and POS terminals and all of them are EMV capable. The two can be

What’s Your Payment Security Equation?

If card data security = EMV + point-to-point encryption + tokenization, what should you do? Should you use point-to-point encryption alone? What about tokenization? Based on Glenbrook’s work with breached merchants and acquirers, the answer is “it depends” upon the details of your operation. EMV does not encrypt sensitive card data; EMV data could still be captured and used for ecommerce transactions or to create a counterfeit magstripe card. That’s why encryption is a strong choice and why the Moneris POSPAD platform offers encryption capability. Card data is never in the clear and visible on the merchant’s systems. Tokenization is essential for merchants who store card data for recurring payments, follow-on transactions, refund, or loyalty tracking. Moneris has cross-channel tokenization capability to securely replace the card number when transacting face-to-face and online. The new math of card data security can require all three technologies. Make sure to educate yourself.

Lessons Learned

A Glenbrook review of the Canadian experience with EMV deployment reveals a few crisp lessons for US merchants.

Know Your ISV’s Schedule

As a merchant you have better things to do than to support EMV yourself. Make it the job of your ISV and your acquirer. Focus instead on new hardware, clerk training, and customer training. If your ISV does not yet support EMV, demand a schedule and information on how the ISV plans to get it accomplished. If the ISV says it plans to build EMV support itself, demand to know which hardware devices, PIN pads especially, it will support and when those devices go into certification and with which acquirer. To achieve a timely, solid outcome, find people you can rely on and understand exactly what your suppliers will deliver – and when.

Insulate Yourself from the Complexity

There are qualified experts who understand EMV’s technical complexity. Processors and gateways and ISVs serving merchants know they have to step up to the challenge and they are. We recommend that merchants insulate themselves from the headaches of EMV support by working with a processor, a gateway, or through their ISV. That’s what the Moneris POSPAD software provides. Even if a merchant’s ECR and enterprise payment system is homegrown, there is no good reason to take on the development and ongoing investment to support the new card format – let the payment experts handle it.

Outsourcing payment handling and security risk to partners is a common merchant strategy. Given the risks of data breach and the expenses of PCI compliance, minimizing exposure to payments data and the systems that touch it makes sense. Becoming an expert on EMV and end-to-end encryption and/or tokenization is expensive. Why not focus more on sales?


Work on a Smooth Checkout Process

EMV is a new way for consumers to pay. Soon that traditional swipe of a magstripe card will be replaced by something different: inserting your card into the terminal for the duration of a transaction – comparatively, that’s a longer POS process. That means customers, and merchant clerks, are going to have to learn how to adapt. It may only take a matter of months, but there is plenty of potential for confusion.

Customers, for instance, could leave their cards in the terminal and in the store. One merchant interviewed by Glenbrook had a beep programmed into the PIN pad to audibly prompt the user to remove her card once the transaction was complete. Helping people remember this critical step in the transaction is important to ensuring their positive experience.

A successful EMV transition also requires thinking about clerk training. What can the clerk be doing during the EMV transaction process to make that an efficient experience? Time is, after all, money.

Make the Right Choice

This paper has focused on the virtues and the complexity of EMV implementation. For POS hardware makers, processors, acquirers, gateway operators, and ISVs, addressing that complexity is unavoidable.

Merchants, however, have the opportunity to outsource that complexity, and a larger proportion of their payment security risk, to upstream payment providers like Moneris. Top tier merchants must still develop a solid deployment plan using a comprehensive checklist. But with the right upstream partner, implementation and operational risks are minimized. The smallest retailers have little to fear from adopting EMV technology. Recent Payment Security Task Force forecasts suggest that more than 47 percent of merchants will be EMV-capable by the end of 2015.


About Glenbrook

Founded in 2001, Glenbrook focuses exclusively on payments consulting. In addition to acting as consultants, each of Glenbrook’s principals has long experience as a senior executive in the payments business, having dealt with both strategy formulation and the day-to-day realities of execution under the pressure of budgets and timelines. Glenbrook helps its clients to track a number of related markets to assess trends, surface opportunities, and identify threats, and then develop aggressive responses to these forces. The company is able to do this by bringing to bear a valuable combination of specialized skills in payments, decades of hands-on experience, and a network of high-level professional relationships.

Glenbrook works across the payments industry – with banks, merchants, billers, processors, networks, alternative payment providers, and a variety of investors – as well as across all payment methods (card, ACH, alternative, Check 21/imaging). We have deep expertise in each payment domain from ecommerce, POS, bill payment, P2P, B2B, to income.

Glenbrook is the publisher of Payments News, the “blog of record” for payments professionals; more than 12,000 read it each day. In 2009 Glenbrook launched a companion blog, Payments Views, featuring commentary on the payments news of the day. In 2014, Glenbrook added its Payments on Fire podcast series.

Glenbrook's Payments Boot Camp program offers intensive “deep dives” into the world of payments. The Boot Camp is offered several times a year for the public, or as a private on-site workshop. More than 3,000 industry executives have attended to date. We recently launched a series of payments education webinars on special topics and published a book, Payments Systems in the U.S. See PaymentsEssentials.com for more information, course schedules, and book purchases.
