Roadmap to EMV
U.S. move to EMV will likely build on NFC
"We have a roadmap to evolve our contactless magnetic stripe data cards to an EMV contactless format by changing the components within the card and the data elements that interact with the point-of-sale systems," Vanderhoof says in an interview with BankInfoSecurity's Tracy Kitten [transcript below].
Merchants looking to prepare for a switch to the EMV standard should begin investing in their infrastructure. "I should be looking at investing in a POS system that's going to accept both contact and contactless payments," Vanderhoof says. Regardless of what the ultimate implementation of the next generation of payments will be, merchants will have future-proofed that investment.
And if mobile devices begin to expand their usage in the payments market, then merchants will be able to support those contactless payments at their retail establishments.
EMV cards are picking up momentum in the U.S., and according to Vanderhoof, discussions and initiations are moving along, especially within the regulatory industry. "I think this has been a healthy debate that's taking place in the market place around interchange rates, security and who has the responsibility for protecting the payment industry in this market," he says.
In this interview, Vanderhoof discusses:
- The maturity of U.S. card technology relative to mobile;
- Pressures U.S. card issuers will feel from EMV migrations in other global markets; and
- Security and authentication options U.S. regulators, legislators, card issuers and merchants should consider.
Vanderhoof is the executive director of the Smart Card Alliance, a not-for-profit, multi-industry association of more than 180 member firms working to accelerate the widespread acceptance of smart card technology in North America and Latin America. He came to the alliance in January 2002 and became the executive director in August 2002. During his tenure as the chief executive, he has directed the transformation of the organization from primarily a networking organization into a diverse, education-oriented, international, multi-industry organization that gathers industry stakeholders together to help stimulate the rapid adoption of all forms of smart cards for electronic payments and digital security applications. In December 2008, Randy was named by Security Magazine to the list of the Top 25 Most Influential People in the Security Industry.
Before joining the Smart Card Alliance, he was employed with IBM Global Smart Card Solutions, an international product group supporting IBM's smart card services to its global banking, healthcare, and government industry vertical teams. Previously, he served on the Executive Board for the Alliance as a corporate member from 1998-2001.
EMV: More Secure Technology
TRACY KITTEN: The Smart Card Alliance recently issued a white paper about the state of EMV and the options the U.S. might consider on its path to a more secure payment card technology. Can you tell us a little bit about this white paper and what it includes? The white paper, from what I understand, is a roadmap that has four considerations the U.S. should look at when exploring a move to the EMV standard, such as convergence of EMV with NFC mobile payments, as well as use of PIN over signature. The paper notes card interface, card authentication, transaction authorization and card holder verification. So I just thought maybe we could explore those different options.
RANDY VANDERHOOF: The Smart Card Alliance Payment Council is an active stakeholder group made up of the payment brand issuers, processors, terminal manufacturers, integrators and some consultants, all who have been very involved in the roll out of contactless payments in the U.S. Recently, in terms of discussions around mobile payments, they felt that it was time to take a fresh look at the different approaches to EMV that fit all aspects of the U.S. market. And the U.S. market has something about it that makes it unique and different from some of the other markets that have already adopted EMV. We wanted to make sure that we were considering all of those variable options and relating them to how the U.S. market might deal with that.
In addition to looking at the technology options, we wanted to recognize the maturity that is taking place with the technology and the availability of an EMV-ready payment infrastructure already in place in the U.S., and noting that it would be much less complicated and more cost effective to migrate now to EMV than it would have been a decade ago, with some of the earlier assessments and estimates of cost factored in.
KITTEN: Can you provide a little insight into some of the considerations that are highlighted in this white paper, or roadmap, and why the Alliance deems the four that I mentioned earlier to be the most critical considerations - card interface, card authentication, transaction authorization and card holder verification?
VANDERHOOF: To put it into context we first approached the paper by looking at this global deployment of EMV and using that as a reference point for the possible roadmap options for the U.S. market. We also provided a primer on the EMV security specifications related to card authentication methods, card verification methods and transaction authorization and implementation options so that people understood what the tool kit for EMV payment was all about, before we got into discussing how the different components of that tool kit might be implemented here in the U.S. We also wanted to pay attention to the relationship between EMV and other payment technologies that are out, such as contactless payment, near-field communication, the role and impact of the PCI rules for data security and end-to-end encryption technology, as well as other things that have been recently introduced in the payments market. We wanted to get an overview of all of the changes that are required for the issuing, acquiring, merchant acceptance and ATM networks so that people had an understanding of what the scope and scale of what an EMV adoption might look like in the U.S., without being prescriptive to suggesting that it should be one particular way or the other.
In order to do that in an effective manner, we chose the four main elements that we felt were going to highlight the changes that EMV payments are over the traditional magnetic stripe payment. We looked at those four card interfaces being the most obvious because we're no longer relying on the magnetic stripe. We are now using an imbedded chip that will operate either as a contact-only chip, a contactless chip or a dual technology chip. We explained what those different options were like and what that might mean in terms of the implementation choices that the market was facing.
Card authentication is another major factor because card authentication determines how the industry protects itself against fraudulent cards. There are a number of techniques that have been deployed that involve the way we authenticate the card to the terminal and the terminal to the card. Terms like SDA and DDA are used and explained in the document, and it was important for people to understand the differences of those. From the transaction authorization perspective, we wanted to explore the differences between an online-only transaction authorization environment or some combination of online and off line, which you may know has been deployed outside of the U.S. market.
Today the U.S. market is a hundred percent, or roughly, online only and if we were going to choose to implement an EMV migration that was also online only, then that would create another set of choices in terms of the types of technology, cards, readers and systems that would be implemented, which would impact both the business case as well as the cost of implementing these technologies. It's very important to consider the transaction authorization method.
Then the last, but certainly not the least, was the card holder verification techniques. Here in the U.S., we operate on a signature basis for card holder authentication and most of the EMV world has adopted a chip and PIN, or a PIN-based, authentication method. We wanted to explain that there are even options within choosing PIN or no PIN in the EMV specs and there could be an online PIN or an offline PIN, or potentially even no PIN, relying on signature and what that might mean for the market if we were to choose any one of those options.
Contactless Payments
KITTEN: I'm going to go back to one of the things that you talked about earlier, and that is the notion of contactless payments. When we talk about contactless, or RFID, transactions, we actually have two options. And I don't think we really differentiate the options as often, at least in the U.S., as we should. The two options are a mag-stripe contactless option and an EMV option. In the U.S. today, more than seventy-five million cards use contactless RFID mag-stripe data, and it has been suggested that RFID could perhaps bridge the gap between the mag-stripe and EMV. Can you help our audience understand the difference between mag-stripe RFID and EMV RFID?
VANDERHOOF: The adoption and implementation of contactless payment really began in the payment industry in the U.S. In order to facilitate a low cost and fairly non-disruptive implementation, the major brands decided that they would emulate the transaction data elements of the magnetic stripe in order to minimize the amount of changes that would be required in the infrastructure to adopt, which served the U.S. market very well. But other countries started looking at contactless, and the success that was generated through the U.S. implementation of contactless, and saw benefits for this technology in an EMV environment as well. The contactless EMV mode would maintain all of the security elements and the differences in the data encryptions, as well as the dynamic data elements of contact EMV cards, or chip and PIN cards, in a contactless mode.
The term EMV contactless was an evolution of the contactless payment standards that were going to be utilized in countries that were already processing EMV. In the U.S. market, we have a roadmap to evolve our contactless mag-stripe data cards to an EMV contactless format by changing the components within the card and the data elements that interact with the POS systems.
There is a migration path for the seventy-five million contactless MSD version cards to be accepted and work in an EMV environment, but we've also thought that in order to future-proof the technology, should the U.S. adopt a full EMV migration, we would need a plan in place to have our contactless cards evolve in terms of how they process to also support the EMV processing standard. This would be a decision that could be made between the card and the terminal. If the payment terminal has the ability to accept a contactless EMV transaction and that card has both contactless EMV and contactless mag-stripe, it could then make the decision to process the transaction as an EMV model transaction. Likewise, if that terminal or that merchant is still processing mag-stripe data, the card that would support both EMV and mag-stripe might step down to the mag-stripe level of communication for those types of transactions.
KITTEN: How might the use of RFID mag-stripe technology in the U.S., if it becomes more widely adopted, impact U.S. card holders when they travel overseas?
VANDERHOOF: I think there are business roles that can be applied to support that condition. Today, those POS terminals that accept EMV cards will also recognize if a non-EMV card is presented, and will switch modes to reading the magnetic stripe and routing the transaction as a magnetic stripe transaction. So U.S. card holders traveling overseas with their contactless cards would likely face the same scenario. If they present their card to a terminal that is expecting only EMV contactless cards, and it sees a mag-stripe version from a U.S. issuer, then there would be a step down at the terminal level to choose the process they would normally have used to process a U.S. based magnetic stripe-only card. Today, the big problem for U.S. customers traveling overseas is the requirement to have a contact chip for those types of EMV transactions.
Mobile and EMV
KITTEN: The link between mobile and EMV also is something that the industry has talked about quite a bit, but it's not something that the white paper that the Smart Card Alliance put together delves into too deeply. Why did the Alliance feel it was not appropriate to include a deeper discussion about mobile in the paper about EMV?
VANDERHOOF: We took the approach that it was better to take smaller bites out of the apple rather than to try to delve into all of the different options. We decided that rather than add to what is already a forty-page document all of the variables that mobile devices introduce, we thought it would be cleaner to have a separation of those two discussions and start to look at mobile as another project down the road.
KITTEN: I would like to ask your opinion about timelines. It seems last summer we were hearing quite a bit about EMV and perhaps some of that just had to do with the fact that we were writing about EMV more often. But there does seem to be a lull in the discussion and interest. Does some of that have to do with the current regulatory environment? Are financial institutions in the U.S. and others just waiting to see how legislation such as Dodd-Frank and the Durbin Amendment shake out?
VANDERHOOF: I would disagree with you that there has been any lull in the discussion or the interest in terms of migration to EMV in the U.S. in the last year. In fact, this time last year there were no EMV cards in the market, and now we have EMV cards being issued by the United Nations Federal Credit Union, Travelex, which is now owned by MasterCard who started offering pre-paid chip and PIN cards for U.S. citizens to use for international travel, and recently the North Carolina State Employee's Credit Union, who also announced that they are going to be implementing an EMV card. There has been a lot of progress that has been made in the last year, and we're expecting there is going to be even more progress coming in 2011.
I think the regulatory environment, with the discussions around interchange rate, and the Card Act and the Durbin Amendment, which you've been hearing about and reading about in the media, is going to have an impact on the market in terms of the rate of acceleration towards this move in EMV. But it's not the sole reason for any delay. In fact, I think the momentum is still very strong that the market is ready to move, and will start to move quickly.
KITTEN: Talking about the interchange issue, of course this is a big issue and concern. And a move to EMV could impact the fees merchants pay and the percentage of interchange card issuers collect. In other parts of the world where EMV has already experienced widespread adoption, a tiered interchange scale has been implemented, one that encourages merchants and issuers to move toward EMV because it is considered a more secure technology. Can you explain how that structure has worked in other markets, and do you think that we could perhaps expect to see a similar structure as an incentive here?
VANDERHOOF: The payment structure, interchange fees and the relationship between the issuers, processors and merchants differ country by country. It's really unfair to try and generalize about the rules and interchange fees that are in place in maybe a country like Turkey, the U.K. or Australia, with the U.S. market. The U.S. market has multiple layers of complexity beyond what most other countries are deploying. I think the thing that has accelerated the change over in countries to EMV has been applying liability shifts on those merchants who would pay a penalty if they didn't adopt their technology soon against the timelines that were given. It is unlikely in the U.S. because of the size of the market and the fact that there are so many players. And it's difficult to try and get all players to move at the same time when there is a multi-angled business case for the whole payment processing world.
It's unlikely that we're going to see any type of broad strokes of a liability shift, at least one that is voluntarily driven by the payment brands, the issuers and the merchants themselves. There is lots of speculation about what the regulatory environment might ultimately turn out to be, but I think they are all factors toward coming up with some meaningful consensus across the industry that says, "We want industry to solve this problem." We don't necessarily think that it's a good idea to have rules put down on the industry without having industry provide input into the problem and what those approaches for solving those problems would be. I think we are still in the discussion and discovery stage, and I think this has been a healthy debate that's taking place in the market place around interchange rates, security and who has the responsibility for protecting the payment industry in this market.
Preparing for EMV
KITTEN: Before we close, could you give our audience some final thoughts about considerations for which they should be preparing where EMV is concerned? This summer could be a turning point, you've suggested, as Canada completes its migration and the single European payments area enforces more stringent policies about non-mag-stripe acceptance.
VANDERHOOF: The most obvious answer to that question is, if I'm a merchant and I'm looking at investing in my accepted infrastructure, I should be looking at investing in a POS system that's going to accept both contact and contactless payments. It's a very small delta in cost for them to upgrade that terminal to support that. And if they do, then regardless of what the ultimate implementation of the next generation of payments is, they're going to future-proof that investment. If mobile devices start to expand, if NFC comes and payments becomes a major part of the market, which many expect will happen, then merchants are going to need to have the ability to support mobile contactless payments at their retail establishments.
Putting a contactless terminal in and then leaving off the contact chip option may not even be a choice for them. POS terminals, as they're continuing to evolve their manufacturing processes, are trying to standardize on a common global format for what those terminals look like. It might ultimately be thrown in with the investment up-front. Then it'll be a matter of software upgrades. Or it'll be how they use those terminals in connecting to their back-end acquiring networks that will ultimately change to adopt to whichever of the options the U.S. chooses in terms of contact or contactless, off-line or online authentication, and the type of cardholder verification rules that we adopt in terms of PIN, signature or other options that are available.