The EMV liability shift in the U.S.A is getting closer so I would like to share some basic strategies on how to implement EMV on POS terminals.
While EMV has been a key component for terminals in Europe, Australia and other regions, many terminals in the U.S. accept magstripe cards only. This will change in Fall 2015 when the cards schemes will stop taking the liability for non-EMV transactions. POS and terminal manufacturers with magstripe-only terminals will have to adjust and become EMV compatible to stay in the market.
Apart from the existing handling of a transaction that controls transaction flow and connects the card reader with the acquirer, an EMV compliant terminal must also adhere to the EMV specification. In whatever way this EMV compliance is implemented, it can conceptually be separated from the rest of the terminal functionality. This separated piece of functionality is commonly referred to as the EMV Kernel. The EMV Kernel, together with the rest of the terminal, must undergo periodical certification and adhere strictly to the EMV specification.
Simply put, there are two strategies on how to implement EMV compliance when creating a POS terminal:
- Write your own EMV Kernel
- Use an existing 3rd party solution
The upside of writing your own EMV kernel is that indepth EMV knowledge will be built up amongst the development team and control over the source code stays within the company. The challenges however are that it takes time and money to build this knowledge (EMV Co estimates 18 months), that it requires continuing maintenance to stay EMV compliant, and it is a mission critical component that cannot fail.
The advantages of using a 3rd party solution are as follows:
- Faster time to market, as the know-how is bought in.
- As the EMV specification is the same for every POS it is not a differentiating factor for a POS solution. Therefore it is not a strategic piece of code where knowledge needs to be kept internal.
- It makes sense to use a stable and already approved product that runs on many other terminals and has successfully proven its value in the market.
- No need to adapt to frequent changes in EMV specification, especially for contactless. This has proven to be a major problem for several reasons.
Regardless of which strategy is used we recommend thorough testing before attempting certification, as there are one time costs related to certification that are payable whether a solution passes certification or not. There are several test tools on the market (e.g. by Clear2Pay) that facilitate testing, but these come with a significant cost.
Also, the testing can either be done in-house or by a 3rd party. When implementing your own kernel, it probably makes sense to test in-house. Alternatively, using a 3rd party test lab saves the cost of acquiring the test tools, test knowledge and certification knowledge.
Regardless of how these US companies choose to become compliant, EMV certification will be a requirement to successfully stay in the card payments market.
Abrantix provide an EMV Kernel starting with a beginner package that includes 1000 licenses at a low cost. Packages for more than 1000 licenses, support and consulting are also available. In contrast to other suppliers we provide the source code of the kernel to allow full transparency and integration into existing payment applications.
We also have a test lab and provide test and certification support.
We are happy to help, and also hear your opinions on this topic of course.