Guest Analysis: The Implications of EMV Compliance for Your Business
MARC THOMAS
Owning a business is all about staying ahead of the curve. With data breaches in the news, changes in PCI compliance, and new EMV credit cards bringing a shift in liability for merchants, getting serious about payments security has become a top priority. I work with thousands of merchants – and that means we get a lot of questions, especially about topics that relate to data security for their business. Recently, I found myself in a conversation with a merchant about payments security, EMV compliance, tokenization, and what it all means for merchants. This is what we discussed…
SIFTING THROUGH EMV CONFUSION
As we get closer to October 2015, when liability for fraudulent charges shifts to merchants who haven’t upgraded their systems to be able to process EMV credit cards, we’re likely to hear a lot more about EMV compliance everywhere.
There is a lot of confusion around EMV, and I think it’s helpful to call out a few points, specifically in how EMV relates to tokenization. There are important distinctions to be made between tokenization and EMV.
EMV & PRIVACY
EMV is an authorization technology, and doesn’t by itself hide cardholder data. The “unique transaction number” allows the merchant’s EMV terminal to challenge the EMV card to prove that it’s authentic. This makes it harder to copy an EMV credit card than a magnetic card. But once the card is authenticated, the cardholder data is transmitted to the POS similar to how it is today.
EMV & DATA BREACHES
A major question that merchants bring up has to do with EMV and data breaches. Here’s the truth: EMV cards are just as susceptible to attack by malware on POS systems as the magnetic stripe cards processed by Target, Goodwill, and other recent victims. To thwart such attacks, you need to get the PAN (the credit card number) out of reach of potential attackers. Tokenization addresses this problem by replacing the PAN with a token that looks a lot like a credit card number but is of far less use to an attacker who steals it.
Will EMV compliance require that EMV cards implement tokenization?
There are several competing ideas about how best to implement tokenization. EMVCo, the company that manages the EMV specifications, even has a proposal that can put the PAN out of reach of everyone, cardholder and processor included, except the issuing bank, which is the only institution that rightly owns and needs the PAN.
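To make the distinction concrete, here is an added illustration (my own example code, not anything from EMVCo or from a real token service) of the tokenization described above: an in-memory stand-in for a provider's vault hands the merchant a Luhn-valid token that keeps only the last four digits of the PAN, so the POS and the merchant database never hold the real card number. Keeping the last four digits and the in-memory vault are assumptions of this example, not requirements of any specification.

```python
import secrets

DIGITS = "0123456789"


def luhn_valid(number: str) -> bool:
    """True if the digit string passes the Luhn check that card numbers use."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Stand-in for a token service provider's vault (in-memory here; assumed).
    Only this object ever holds real PANs; the merchant's POS, receipts and
    database see nothing but tokens, so POS malware that scrapes them gets
    values it cannot use to make a payment elsewhere."""

    def __init__(self) -> None:
        self._token_to_pan: dict[str, str] = {}
        self._pan_to_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        """Return a Luhn-valid token that keeps only the last four digits of the PAN."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        if pan in self._pan_to_token:  # same card -> same token, so repeat customers stay linkable
            return self._pan_to_token[pan]
        last4 = pan[-4:]
        while True:
            # Random body from a CSPRNG, then one "tuning" digit chosen so the
            # whole token passes Luhn and survives legacy card-number validation.
            body = "".join(secrets.choice(DIGITS) for _ in range(len(pan) - 5))
            for tune in DIGITS:
                token = body + tune + last4
                if luhn_valid(token):
                    break
            if token != pan and token not in self._token_to_pan:
                self._token_to_pan[token] = pan
                self._pan_to_token[pan] = token
                return token

    def detokenize(self, token: str) -> str:
        """Processor-side only: map a token back to the PAN. Never exposed to the POS."""
        return self._token_to_pan[token]
```

The token passes the same checks a PAN would, so existing validation and receipt logic keep working, but a stolen token is worthless outside the vault that issued it.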
EMV CHIP AND PIN + CHIP AND SIGNATURE CARDS
Even when the US EMV standards go into effect on October 15, 2015, requiring card issuers to issue credit cards with the EMV fraud-detecting microchips, cards will still carry the magnetic stripe; this is known as Chip and Signature. Elimination of the mag stripe isn’t expected until the 2017 – 2019 time frame, depending on the source, and these forecast dates change often, because the entire ATM infrastructure in the US will need to be replaced in order to “write” to credit and debit cards and so replace the “mag stripe and signature procedures” with a “PIN-only procedure.” This is known as Chip and PIN.
Although it’s easy to say what would and wouldn’t work on paper by looking at specifications, we’re not going to believe it until we see it. We have seen the date for the initial round of US EMV adoption change every year for the past 5 years.
The views expressed in the posts and comments of this blog do not necessarily reflect those of ETA.