Strategies to implement EMV on Terminals

EMV Chip


The EMV liability shift in the U.S.A. is getting closer, so I would like to share some basic strategies on how to implement EMV on POS terminals.

While EMV has been a key component for terminals in Europe, Australia and other regions, many terminals in the U.S. accept magstripe cards only. This will change in Fall 2015, when the card schemes will stop taking the liability for non-EMV transactions. POS and terminal manufacturers with magstripe-only terminals will have to adjust and become EMV compatible to stay in the market.

Apart from the existing handling of a transaction, which controls the transaction flow and connects the card reader with the acquirer, an EMV-compliant terminal must also adhere to the EMV specification. However this EMV compliance is implemented, it can conceptually be separated from the rest of the terminal functionality. This separated piece of functionality is commonly referred to as the EMV Kernel. The EMV Kernel, together with the rest of the terminal, must undergo periodic certification and adhere strictly to the EMV specification.

Simply put, there are two strategies on how to implement EMV compliance when creating a POS terminal:

  1. Write your own EMV Kernel
  2. Use an existing 3rd party solution

The upside of writing your own EMV kernel is that in-depth EMV knowledge will be built up amongst the development team and control over the source code stays within the company. The challenges, however, are that it takes time and money to build this knowledge (EMVCo estimates 18 months), that it requires continuing maintenance to stay EMV compliant, and that it is a mission-critical component that cannot fail.

The advantages of using a 3rd party solution are as follows:

  • Faster time to market, as the know-how is bought in.
  • As the EMV specification is the same for every POS, it is not a differentiating factor for a POS solution. It is therefore not a strategic piece of code whose knowledge needs to be kept internal.
  • It makes sense to use a stable and already approved product that runs on many other terminals and has successfully proven its value in the market.
  • No need to adapt to frequent changes in the EMV specification, especially for contactless. This has proven to be a major problem for several reasons.

Regardless of which strategy is used, we recommend thorough testing before attempting certification, as there are one-time costs related to certification that are payable whether a solution passes certification or not. There are several test tools on the market (e.g. by Clear2Pay) that facilitate testing, but these come with a significant cost.

Also, the testing can either be done in-house or by a 3rd party. When implementing your own kernel, it probably makes sense to test in-house. Alternatively, using a 3rd party test lab saves the cost of acquiring the test tools, test knowledge and certification knowledge.

Regardless of how these US companies choose to become compliant, EMV certification will be a requirement to successfully stay in the card payments market.

Abrantix provide an EMV Kernel starting with a beginner package that includes 1000 licenses at a low cost. Packages for more than 1000 licenses, support and consulting are also available. In contrast to other suppliers, we provide the source code of the kernel to allow full transparency and integration into existing payment applications.

We also have a test lab and provide test and certification support.

We are happy to help, and of course to hear your opinions on this topic.

Visa plans to accelerate acceptance/use of EMV cards in U.S.

EMV Deployment Map (September 2010)

In Summer 2011 Visa announced plans to accelerate the acceptance and use of EMV cards throughout the U.S. EMV cards are also known as IC or chip cards. This announcement was no surprise, as EMV has long been an accepted standard throughout Europe and Asia. However, making the entire network EMV ready requires all the participants in the market to adapt their systems. Chip cards will need to be issued, the acquirer/processors must adapt their host systems and the terminals at the POS will need to be replaced.

Accompanying the announcement, Visa published a road map stating the following:

  1. Visa's Technology Innovation Program (TIP) will be expanded into the U.S., effective October 2012.
    This means Visa will waive the annual validation of a merchant's PCI DSS compliance, as long as at least 75% of the merchant's transactions originate from dual-interface EMV terminals. Dual-interface terminals are terminals that can process both contact and contactless EMV transactions.
  2. All participating acquirer/processors have to make their systems EMV ready by April 2013.
  3. Visa's global POS Counterfeit Liability Shift Program will be extended into the U.S., effective October 2015 (two years later for petrol merchants).
    This program will transfer the liability for fraud originating from non-EMV transactions to the acquirer/processor, and as a result to the merchant, as seen in other countries.

This plan clearly focuses on two goals:

  1. Reducing fraud.
  2. Setting the benchmark for NFC-based card acceptance (for example, contactless payment by card or mobile phone).

In recent years the U.S. has been an easy target for fraud. In 2008, fraudulent transactions made up 0.04% or USD 8 billion of the complete U.S. turnover of credit card transactions. Card numbers are being stolen all across the world and used in the U.S. to commit fraud. The predominance of magstripe POS terminals makes this a relatively easy way to commit fraud. With the adoption of the liability shift program, one large fraudulent region will be eliminated, as seen in other countries that already run the program. Once this has been achieved, the question remains: where will the fraud move next? Until chip cards are used worldwide, magstripe fraud will remain a global problem.

Interestingly, the liability shift program is a sweet deal for Visa, as it will instantly and greatly increase the points of acceptance for NFC-based cards. Conversely, it will be a cost-intensive change for the merchants, as it forces them to change their POS infrastructure to dual-interface EMV terminals. This lays the groundwork for Visa's contactless program payWave and for mobile payment. Google already provides a nice solution with its wallet, where the phone emulates an NFC payment card.

This is where we believe it gets really interesting. In contrast to Europe, where cardholder authentication through PIN is usually required, Visa aims for an online / non-PIN model in the U.S., which will pave the way for contactless transactions. Wave the card and that's it, no PIN entry required. Issuers and acquirer/processors will be happy with this, as it lessens the costs and complexity on the card and the terminal.

In contrast to all of this, one can see an increasing market for "easy" magstripe transactions. Square, amongst others, provides an easy way for merchants to accept magstripe cards. Up to April 2011 Square has seen USD 137M total flow. These payment solutions target small businesses and make it very easy to accept credit cards as a merchant. Common to all these solutions are high transaction fees for the merchant and the full risk of chargebacks. What some people might not know is that Visa invested in Square. There seems to be a two-way strategy of pushing the mid and large size businesses into accepting contactless EMV cards and enabling small businesses to accept credit cards at their own full risk. Clearly a winner for Visa! But what do they actually do for it?

In the longer term, magstripe transactions will disappear. Issuers will simply stop issuing magstripe cards. This has already started in some Eastern European countries. The main reason is fraud, but also that there is new technology that makes cards obsolete. The "card" itself might not be a "card" anymore, but a mobile phone, key fob or all sorts of mediums carrying the chip. While it may take several years to fully implement, it is interesting to wonder how small businesses will be targeted.