8 Takeaways on EMV from Experts at NACS

By Chris Lietz

Last week, Coalfire was in Dallas for NACS’ TECH Event, the annual gathering for all-things technology in the Convenience & Fuel Retailing Industry.  While there, I attended a session titled “The 411 on EMV.” The session had more than a good name; it was a panel of experts from consultancies, major merchants, processors and equipment manufacturers, and each of them did a great job sharing what they know about EMV.

The summary below is written as an overview for merchants who are looking for some general information on the topic.  As such, I don’t go into details best left to the experts, and I’m not recommending any particularly strategy. But, I do hope that this 8-point overview frames the issue facing every merchant and helps you start developing a plan that’s right for your business.

  1. “EMV” is the commonly-used name for a set of global specifications (managed by EMVCo, LLC) for payments where the consumer payment application resides on a secure chip.  Widely-deployed throughout the world outside of the United States, EMV promises to significantly reduce fraud stemming from counterfeit plastic.  So even if the bad guys get a hold of a cardholder’s data, they can’t easily duplicate the chip, which is required to authenticate the transaction.
     
  2. The US is the biggest economy in the world and thus, EMV proponents want it deployed here too.  However, it has taken decades to get EMV deployed everywhere that plastic is used, (10 years and counting in Canada) and there are significant costs and legal issues associated with the proposition. 
     
  3. That said, the major card brands are big fans of EMV and thus, they have set up mandates for acquirers (to be able to able to process EMV transactions) and incentives for merchants (to deploy EMV-capable terminals).  A simplified roadmap for EMV is:
    • April 2013:  Mandated acquirer compliance
    • October 2015:  Liability shift excluding automated fuel dispensers (AFD)
    • October 2017:  Liability shift for AFDs
  4. Every merchant should be clear about the liability shift and what it means for them.  Think of it this way – every card transaction requires two parties:  an issuing bank (who issues cards to consumers) and the merchant.  If fraud occurs, who gets stuck with the costs, the bank or the merchant?  After the EMV liability shift, the costs go to the trading partner that is the ‘least secure’ (i.e., less able to support EMV authentication).   For example, if an issuing bank gives their customer an EMV-capable card but the merchant can’t authenticate it, the merchant is the least secure (and gets stuck with the fraud on any compromised accounts).
     
  5. Several of the experts at the event pointed out that there are additional elements of the EMV business case as well:
    • Costs associated with testing, process changes, and workforce and customer training
    • Benefits from reductions in fraud, reductions in chargebacks, reduced PCI compliance reporting expenses and potential reductions in interchange fees
  6. Given all this, every merchant faces a significant business decision associated with EMV.  Is it time to move forward and become EMV-ready, or is it better to go slow and absorb the liability shift? There are lots of different opinions out there, and every situation is unique.  But two key points warrant repeating:
    • If you are a merchant, EMV is a choice, not a mandate
    • Every merchant needs an EMV strategy (and as the saying goes, if you do not have a strategy, then that IS your strategy!)
  7. Some trade associations, including NACS, are participating in the  EMV discussion on behalf of their members. Those conversations continue on Capitol Hill and across the nation. Gray Taylor, the Executive Director of PCATS, told the audience that he sees ‘significant headwinds’ to EMV adoption, citing a questionable value proposition to consumers and merchants, delays and uncertainty associated with the specifications, and even legal compliance with laws governing card processing.
     
  8. Equipment manufacturers and processors, unlike merchants, don’t have much choice in the matter ---they pretty much have to become EMV-ready to comply with the mandates of their operating agreements and the demands of their merchant customers who want to adopt EMV.  At the NACS Tech Event, we heard from product managers from all the major POS providers, and they all have market-ready solutions.  As you consider your options, you should most definitely get in touch with your equipment provider… they have helpful information on their product roadmaps and plenty of good advice that will help you build your strategy business case.

I hope that this information was helpful as you get grounding on the topic of EMV and gets you started thinking about your EMV strategy.  As an independent IT GRC firm, Coalfire doesn’t have a vested interested in any particular EMV strategy, and you can count on us for vendor-neutral advice.    If you are a Coalfire client or partner, I encourage you to talk about it with your assessor or account rep.
 
Alternatively, fill out the form below and an expert will reach out to you promptly.