Payment Law Advisor Legal Commentary and Resources for the Payment Industry

Visa’s Chip Card Initiative: A Good Start Towards U.S. EMV Adoption – But Is It Enough?

Posted in Privacy and Data Security

The United States is the last major holdout in switching to EMV.  Many think Visa’s recent program to promote the use of EMV in the United States will change that.  According to many industry commentators, Visa’s program is both a welcome and long overdue shift away from magnetic stripe (“mag stripe”); however, it may not be the start everyone is hoping for.

 

EMV: What is it?

EMV is a global payment specification that describes the requirements for interoperability between smart-chip-based payment cards and card acceptance devices (“CAD”) (i.e., automatic teller machines and point of sale terminals).  The specifications are managed by EMVCo, an organization that is named after the original payment brands that created the specification—Europay, MasterCard, and Visa.  The current owners of EMVCo are Visa, MasterCard, JCB and American Express.

EMV, sometimes referred to as chip-and-PIN, is the dominant payment card authentication method in Europe.  According to EMVCo, 40 percent of all payment cards and 71 percent of all payment CADs worldwide are EMV-compatible.

The distinguishing feature of EMV is the consumer payment application that is resident in a secure chip embedded in the plastic payment card.  The chip performs three key functions—(1) secure storage; (2) cardholder verification; and (3) cryptographic processing.  These capabilities provide the means for secure consumer payments.

 

How EMV Works

There is a fundamental difference between a mag stripe transaction and an EMV chip transaction.  A magnetic stripe is simply a data store that is read by the CAD and then the card is no longer used.  The CAD sends the cardholder information and transaction data to the issuing bank through a payment network for approval.  The payment network and issuing bank perform all the processing and apply all the rules governing the payment.

In contrast, during an EMV transaction, the chip contains many of the rules for payment and is partially involved in the processing.  These rules can include enforcing services such as offline authentication and approval, verifying cardholder identity, and online authorization.  The issuing bank defines what services are required for certain transactions based on its risk management policies and loads the payment application on the chip to apply those policies.  The CAD helps enforce the rules set by the issuer on the chip.

In order to execute a payment, the chip connects to a chip reader in the CAD, via either physical contact or through a contactless protocol.  In both scenarios, the CAD provides power to the chip to enable the chip to function.  The CAD confirms that the chip is allowed to complete the requested transaction.  If allowed, the cardholder is verified via a method supported by the CAD and agreed to by the chip.  Based on the results of the processing restrictions, cardholder verification, CAD risk management rules, and other rules coded on the chip and CAD, the CAD will request a response from the chip with a result of decline offline, approve offline, or go online for further processing.

 

Visa’s EMV Adoption Program

On August 9, 2011, Visa announced its plan to promote the adoption of EMV contact and contactless chip payments in the United States.  As part of its program, Visa announced the following three initiatives aimed at merchants and merchant acquirers:

  • Effective October 1, 2012, Visa will expand its Technology Innovation Program (“TIP”) to the United States.  TIP will eliminate the requirement for eligible merchants to annually validate their compliance with the PCI Data Security Standard for any year in which at least 75 percent of the merchant’s Visa transactions originate from chip-enabled CADs.  To qualify, CADs must be enabled to support both contact and contactless chip acceptance, including mobile contactless payments based on near field communication (“NFC”) technology.  Qualifying merchants must continue to protect sensitive data in their care by ensuring their systems do not store track data, security codes or PINs, and that they continue to adhere to the PCI DSS standards as applicable.
  • Visa will require U.S. acquirer processors and sub-processor service providers to be able to support merchant acceptance of chip transactions no later than April 1, 2013.  Chip acceptance will require service providers to be able to carry and process additional data that is included in chip transactions, including the cryptographic message that makes each transaction unique.
  • Effective October 1, 2015, Visa will institute a U.S. liability shift for domestic and cross-border counterfeit card-present point-of-sale (“POS”) transactions. With the liability shift, if a contact chip card is presented to a merchant that has not adopted, at minimum, contact chip-capable terminals, liability for counterfeit fraud may shift to the merchant’s acquirer.  Fuel-selling merchants will have an additional two years, until October 1, 2017, before a liability shift takes effect for transactions generated from automated fuel dispensers.

Looking closely at these initiatives, however, it is questionable whether Visa’s program will spur the adoption of EMV.

Visa’s program may not provide sufficient incentive for merchants to invest in new CADs or update existing CADs.  The Visa program requires merchants to install in CADs contactless chip acceptance functionality, including the capability to accept mobile contactless payments based on NFC technology, to “help prepare the U.S. payment infrastructure for the arrival of NFC-based mobile payments.”  Given the lack of EMV cards issued in the United States, the liability shift may not be enough incentive for merchants to pay the costs to invest in new CADs or update existing CADs.  Furthermore, although Visa will eliminate its annual PCI validation requirement, unless the other payment brands launch a similar EMV adoption program, merchants will still have to annually validate PCI compliance.

Missing from Visa’s program are incentives for issuers and consumers.  Until 2015, because any Visa transaction counts toward the 75 percent threshold, merchants simply have no stake in whether an EMV card is used.  Some sources estimate the cost of producing a chip card at somewhere between $1 and $3, compared to 13 cents for its magnetic stripe counterpart.  The incremental cost to issuers, therefore, is considerable.  Moreover, there is no guarantee consumers will make the switch to using EMV as long as a mag stripe remains on the card.  Issuers will need incentives to switch their customers to EMV cards and customers will need incentives to use EMV rather than mag stripe.

Visa’s program may be more of a catalyst for NFC payments than for EMV.  Rather than incur the costs of issuing new EMV cards to their customers, issuers may instead rely on consumer-owned NFC-capable mobile phones.  Pyramid Research’s latest projections forecast that fewer than 100 million NFC-enabled smartphones will be sold globally by 2012; by 2015 the number will reach approximately 350 million.  Pyramid projects such relatively slow uptake due to uncertainty in the market surrounding the business model for NFC—between the mobile network operators, issuers, merchants, and the payment brands, everyone wants a cut of the transaction fees (and post-Durbin there is less of that to go around).  This may change very quickly, however, with the top three carriers in the United States forming Isis to foster mobile phone NFC payments, Visa’s newly announced mobile wallet, and more and more carriers announcing NFC-capable smartphones.  Consumers like convenience and the two announced NFC initiatives, Google Wallet and Isis, will also have a customer incentive—immediately redeemable offers.

What is even more compelling is the effect this program may have on alternative payment system start-ups.  Whether these alternative payment systems will disrupt or displace traditional card-based payment systems in the near future (if ever) remains to be seen.  Unless these companies are able to deliver a system to merchants at a cost point (including transaction costs) that shows savings over whatever cost savings EMV (and NFC) may provide the merchants, then it is unlikely that the traditional payment model will change.

 

Chip-and-Sig, not Chip-and-PIN

Much of the focus of Visa’s program is on the security and fraud prevention aspects of EMV.  Visa says the use of chip technology in payment cards will allow for dynamic authentication, which adds an extra security layer by requesting additional information (not just a signature) during transactions.  The company says it will continue to rely on signatures and PINs for “low-value, low-risk transactions” but that eventually they will be replaced entirely by dynamic authentication methods.  Dynamic authentication relies on the use of security data points that change every transaction.  Such a system offers very robust protection for in-person purchases because it makes it extremely difficult for criminals to use stolen payment card data or counterfeit cards.
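Added example, not part of the original article: a simplified model of the dynamic authentication described above, contrasting a per-transaction cryptogram with static mag stripe data. HMAC-SHA256, the field layout, the key and the card values are assumptions standing in for the actual EMV cryptogram scheme.

```python
import hashlib
import hmac

def cryptogram(key, pan, amount_cents, nonce, counter):
    """MAC over the transaction fields (HMAC-SHA256 is a stand-in, an assumption)."""
    msg = f"{pan}|{amount_cents}|{nonce.hex()}|{counter}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class ChipCard:
    """Holds a secret key and a transaction counter that never repeats a value."""
    def __init__(self, pan, key):
        self.pan, self._key, self.counter = pan, key, 0
    def pay(self, amount_cents, nonce):
        self.counter += 1  # changes on every transaction
        return {"pan": self.pan, "amount": amount_cents, "nonce": nonce,
                "counter": self.counter,
                "cryptogram": cryptogram(self._key, self.pan, amount_cents, nonce, self.counter)}

class Issuer:
    def __init__(self):
        self.keys, self.last_counter, self.stripes = {}, {}, set()
    def authorize_chip(self, m):
        key = self.keys.get(m["pan"])
        if key is None:
            return "decline: unknown card"
        expected = cryptogram(key, m["pan"], m["amount"], m["nonce"], m["counter"])
        if not hmac.compare_digest(expected, m["cryptogram"]):
            return "decline: bad cryptogram"
        if m["counter"] <= self.last_counter.get(m["pan"], 0):
            return "decline: counter already used"
        self.last_counter[m["pan"]] = m["counter"]
        return "approve"
    def authorize_stripe(self, track):
        # Static data: a copy is byte-for-byte identical to the original.
        return "approve" if track in self.stripes else "decline: unknown card"

def demo():
    # Constructed sample values, not real card data.
    pan, key, track = "4000000000000002", b"constructed-key", "CONSTRUCTED-TRACK"
    issuer, card = Issuer(), ChipCard(pan, key)
    issuer.keys[pan] = key
    issuer.stripes.add(track)
    first = card.pay(1999, bytes.fromhex("a1b2c3d4"))
    altered = dict(first, amount=999999, counter=2)  # fields changed, old cryptogram kept
    return [issuer.authorize_chip(first),     # genuine transaction
            issuer.authorize_chip(first),     # same message presented again
            issuer.authorize_chip(altered),
            issuer.authorize_stripe(track),
            issuer.authorize_stripe(track)]   # a copy looks identical to the issuer
```

The issuer can reject a repeated or altered chip message because the counter and MAC bind each cryptogram to one transaction, while the static stripe data gives it nothing to distinguish a copy from the original.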

While Chip-and-PIN is the format used in the U.K., France, and most European countries, Chip-and-Sig, the use of an EMV card without a PIN, will likely be the initial deployment option for EMV in the United States (several Asian countries and Germany have also chosen this deployment method).

Visa’s program does not require PINs and issuers have already announced plans to issue Visa EMV cards that do not provide the option to use a PIN.  See Sean Sposito, Signature, Not PIN, the Easiest Path for EMV in U.S., Banks Say, American Banker, June 1, 2011, available here; Press Release, JHA Payment Processing Solutions offers EMV Chip-and-Signature Smartcards, July 13, 2011, available here.

The decision to omit a PIN requirement is peculiar given the PIN requirement is one of the features that make EMV chip cards significantly more secure than traditional mag stripe cards.  That being said, criminals will likely move to fraud forms where a PIN would need to be entered, which is what happened in the U.K.  The UK Payments Administration tracks card fraud statistics and since the introduction of EMV chip-and-PIN in the UK through 2008, most forms of card fraud losses went down but card-not-present fraud increased significantly (2008 fraud figures available here).  The two main areas of fraud cited were on transactions not protected by chip-and-PIN, specifically, internet, phone, and mail order fraud, and stolen cards being used in countries not using chip-and-PIN.  Notwithstanding the migration of fraud and criminal activity to different channels, recent figures released in March 2011 show that through September 2010 losses from all forms of card fraud in the U.K. are down (latest figures available here).

If the latest statistics from the U.K. are so promising, why is Visa not mandating chip-and-PIN?

One reason is the financial impact it would have on issuers and payment networks to update their systems to handle chip-and-PIN EMV transactions.  Another is that Visa and MasterCard require that all attended POS devices have the ability to support chip-and-signature.

Visa may be on the correct path here.  Although EMVCo and financial institutions claim that there is no security flaw in chip-and-PIN, there have been demonstrations and a paper written that support statements that chip-and-PIN is broken and should not be adopted in the U.S.

Visa’s initiative, however, while a promising start, is unlikely to be the program that propels EMV into the mainstream.  NFC may be the “killer app” that provides the path toward full EMV implementation.  Google and the three largest U.S. mobile network operators have both announced initiatives to roll out mobile commerce offerings utilizing NFC for proximity payments.  If these programs demonstrate that NFC can be a money maker for the participants, including particularly the mobile network operators, there is likely to be an all-out marketing effort to get NFC-capable handsets to as many consumers as possible.