
Six Months After EMV: Still Putting the Pieces Together

4/29/2016

April marked the six-month anniversary of the EMV liability shift. After years of discussion and anticipation, that changeover has technically “happened,” but unfortunately, not much good has happened as a result. Even with all the preparation and hype, the payments industry is still playing catch up. Why? Well, it’s a complex picture that requires a bit of history.



EMVCo, an organization made up of and regulated by the world’s leading card brands, released the first version of EMV in France in 1995. The technology gradually spread across Europe over the following decade. So why is the U.S. implementing EMV so late in the game? To start, most nations have only a handful of government-backed banks that govern payments; in the U.S., there are hundreds.



Also, many merchants outside the U.S. use independent, standalone payment terminals, whereas most U.S. merchants have more complex, integrated payment systems. Finally, EMV is much more than a simple new feature; it is a complete paradigm shift for the industry. The rules for payment processing have changed, and EMV certification requires a great deal of coding and system restructuring. In short, moving to EMV in the U.S. is a massive undertaking.



October 1, 2015, was set as the U.S. EMV liability shift date after two decades of delay, discussion and disagreement. The card brands expected — or at least hoped — that all U.S. merchants would be EMV-ready by this date. However, only about 8% of U.S. merchants were actually accepting EMV cards on day one. This number has since grown, but the majority — especially small to medium-sized businesses — were left behind.



The EMV Confusion

Promoters of EMV touted it as a way to prevent breaches. Unfortunately, this is not what it was designed to do. EMV covers only one area of payments: card-present fraud. EMV also does nothing in terms of actually securing payment data in a merchant’s systems or network. In fact, some EMV terminals actually push card data in clear text out their back end — a major step backward in security.



The idea was that EMV would be of great benefit to merchants and consumers alike. Theoretically, merchants would get hit with less fraud and fewer chargebacks and consumers would have one more security barrier between themselves and hackers. As of right now, it seems like EMV has caused more problems than it has solved.



Why has the adoption of EMV in the U.S. been so hard? Big-box retailers with virtually unlimited influence and resources had little problem getting set up by October 1, while everyone else was left with an uphill battle.



The certification process alone takes months, and to make things more difficult, midway through the EMV certification process, several processors jumped the gun by adding new requirements.



For example, Visa suggested a policy — after the October liability shift date — that merchants who want to process EMV should also be equipped to accept NFC (near-field-communication) by 2018. The processors heard this and took it as “do it now!” This meant that the independent software vendors and device manufacturers who were in the middle of their EMV certifications had to add more than a dozen additional use cases to their coding before they could move forward with the certification process.



From my perspective, the card brands have expected too much too soon from EMV. The priority should have been to first get it out in the wild, and then fill in the cracks with new features and updates. Instead, millions of EMV terminals are going unused by merchants who are stuck waiting while this conversion plays out. This is not a case of trying to walk before we can run; we’re trying to fly a jet before we’re potty trained.



Still, EMV has promise — as a part of a complete solution.



What Merchants Can Do

Modern payment processing environments are becoming more complex and unique, and that’s why it’s important for merchants to understand that EMV is not the panacea that it was painted out to be. Instead, it needs to be approached as a single component in your overall payment security strategy. A best practice is to use EMV with point-to-point encryption (P2PE) and tokenization solutions. This constitutes the payment security trifecta.



1. By using a microchip to authenticate the card or cardholder, EMV helps to prevent instances of card-present fraud.



2. For any card-present payment processing environment, including mobile points of sale, P2PE is a vital layer of security. Look for solutions that encrypt card data at its first point of interaction with the payment terminal. By doing this, the actual card data never enters or travels through the merchant’s payment system.



3. Tokenization solutions replace card data with a random alphanumeric value, or token, for storage. This token has no one-to-one or mathematical correlation with the card number and, therefore, cannot be decrypted and used for future fraudulent transactions in the event of a data breach.
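To make the "no mathematical correlation" point in item 3 concrete, the following added example (not code from Shift4 or from the original article) contrasts a random-token vault with a value derived by hashing the card number. The class and function names, the 16-character token format and the test card number are assumptions chosen for illustration.

```python
import hashlib
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits
TEST_PAN = "4111111111111111"  # constructed input: widely published test card number


class TokenVault:
    """Random-token vault: the lookup table is the only link from token to PAN."""

    def __init__(self):
        self._pan_by_token = {}

    def tokenize(self, pan: str) -> str:
        while True:
            token = "".join(secrets.choice(ALPHABET) for _ in range(16))
            if token not in self._pan_by_token:  # never reuse a token
                self._pan_by_token[token] = pan
                return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]  # KeyError for unknown tokens


def derived_token(pan: str) -> str:
    """Anti-pattern for contrast: a value computed from the PAN itself."""
    return hashlib.sha256(pan.encode()).hexdigest()


def pan_from_derived(value: str, first6: str, last4: str):
    """Audit check: can a stored value be matched back to a 16-digit PAN when
    its first six and last four digits are known (digits often kept unmasked)?"""
    for middle in range(10**6):
        candidate = f"{first6}{middle:06d}{last4}"
        if derived_token(candidate) == value:
            return candidate
    return None


if __name__ == "__main__":
    vault = TokenVault()
    token = vault.tokenize(TEST_PAN)
    print("random token:", token)
    print("derived value maps back to:", pan_from_derived(derived_token(TEST_PAN), "411111", "1111"))
    print("random token maps back to:", pan_from_derived(token, "411111", "1111"))
```

The derived value is matched back to the card number because it is a function of that number, while the random token yields nothing without the vault's lookup table, which is why the vault itself has to be isolated from the merchant's systems.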



By securing card data and rendering it useless to data thieves, P2PE and tokenization help protect merchants from becoming the next victim of a data breach. EMV protects them from the fraudulent use of card data stolen in previous breaches. With these three technologies working together, merchants are able to protect their card data from every direction — making them much better equipped to avoid becoming a target for the bad guys and a headline for all the wrong reasons.






J.D. Oder II is CTO and senior VP of research and development at Shift4, a provider of secure payment solutions. He leads Shift4’s systems operations and development efforts as well as the security and compliance teams. Oder is credited with introducing tokenization to the industry in 2005 and was also an early adopter/member of the PCI Security Standards Council.

