Adopting EMV: A Requirement, Not a Choice
It is coming, and you had better be ready for it: EMV, which stands for Europay, MasterCard and Visa, is slated to be mandated across the United States starting in October 2015, and automated fuel dispensers have until October 2017 to comply. Unlike magnetic stripe cards, EMV chip cards encrypt data and authenticate communication between the card and card reader. Additionally, the chip card user is prompted for a PIN for authentication.
Why are those dates important? According to the August 2013 Nilson Report, companies lose $5.33 billion to fraud today, with card issuers and merchants incurring 63 and 37 percent of these losses, respectively. Under the EMV mandate, merchants who do not process chip cards will bear the burden of the issuer loss. By accepting chip card transactions, merchants and issuers should see a reduction in fraud, as illustrated by a report commissioned by the Federal Reserve, which states that in the six years since EMV has been implemented in England, credit card fraud has fallen 34 percent.
EMV cannot prevent fraud in instances where the card is not physically used, such as when shopping online. However, security comes down to authentication of the individual using the card, and the value of EMV is the ability to identify the user in card-present transactions. To further strengthen an organization’s fraud prevention initiatives, transactions need to incorporate end-to-end encryption coupled with tokenization.
The U.S. is one of the last remaining non-adopters of EMV. Given the vulnerabilities of legacy magnetic stripe transactions, the U.S. has become the country of choice for individuals looking to take advantage of opportunities to commit fraud. The low EMV adoption rates can be primarily attributed to cost – it typically costs American banks approximately 10 times more to produce EMV cards than magnetic stripe cards. According to The Nilson Report, companies profit by over $35 billion from credit card swipe fees after the fraud losses are deducted, so the incentive to move to EMV has been dampened. Coupled with the cost to retailers of replacing payment terminals, the barriers to EMV adoption are high.
Overcoming Barriers to EMV Adoption
Given the significant barriers to EMV adoption, it may be tempting for merchants to meet minimum requirements for accepting EMV payments. However, medium to large retailers should also consider the bigger picture of customer security and peace of mind. Some key critical success factors for a payment initiative of this size include:
Stakeholder Identification: This is a key step to ensure that you have varied perspectives from all departments and their support. It will keep your organization from being blindsided and reduce the risk of disagreements in later stages of the program. Key stakeholders should include Store Operations, Card Accounting, Loss Prevention, Contact Center, and IT & Data Security.
Cost Benefit Analysis: Take a top-down approach and decide accordingly on the scope of the analysis – this will ensure that decisions on scope are made on the basis of quantitative data and not just qualitative arguments.
Phased Approach: To overcome time or cost overage in a project of this scope and complexity, retailers should try using an iterative approach for development. The rollout can be divided into multiple releases of six to seven months, which will provide the opportunity to review, capture lessons learnt, and improve subsequent releases.
Business Continuity Architecture: As with all payment systems, it is imperative to have the EMV system running at all times. The solution should preferably have Active-Active architecture across multiple data centers and have a low Recovery Point Objective (the point in time to which the systems and data must be recovered after an outage).
Resilience Testing: Typically in a software project, testing is limited to unit, integration, performance and user acceptance testing. However, due to the critical nature of the applications and systems involved, robust resiliency testing is vital. This will ensure that there are no single points of failure and that the system remains available when running in error conditions.
Proactive Monitoring Alerts: Considering the criticality of the business functions carried out by EMV, tokenization and the payment gateway, a rigorous monitoring environment must be defined to perform proactive and reactive monitoring. It should take into consideration the monitoring targets, tools, scope and methods. This will provide advance visibility into failure points and better ensure maximum system availability.
Organizations should adopt a five step approach to implement a secure, robust and industry-leading payment solution, illustrated in Figure 1 and outlined below.
End to End Data Encryption
Point to point encryption will ensure card data is secure and encrypted from the point of capture to the processor. Usually, merchants use data encryption that is not point to point, rendering their organization vulnerable to data breaches. Software encryption is the most common form of encryption, as it is easily installed and requires little or no hardware upgrades; however, it is less secure, may expose encryption keys, and is prone to memory scanning attacks. Hardware encryption is considered more secure but requires more costly terminal upgrades. Hardware encryption is designed to self-destruct the keys if tampered with, but is not well-defined, as very limited headway has been made in this space.
Build a Card Data Environment (CDE) that will host a centralized card data storage solution. Only a limited set of applications with firewall access and the capability to mutually authenticate via certificates can access the CDE and receive card data. The rest of the applications will have tokens, which are random numbers. This architecture will ease the merchant’s burden with existing and emerging PCI Data Security Standards.
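The token vault described above, as an added Python example that is not from the article or any vendor's product: card numbers stay inside the vault, other applications receive random tokens, and only allowlisted callers can exchange a token for the card number. The class name, client names and the choice of same-length, Luhn-failing tokens are assumptions of this example; certificate-based mutual authentication is represented by a plain allowlist.

```python
import hashlib
import hmac
import secrets

SAMPLE_PAN = "4111111111111111"  # constructed input: a common test card number


def luhn_ok(number):
    """Return True if the digit string passes the Luhn check used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


class TokenVault:
    """In-memory stand-in for the centralized card data store inside the CDE."""

    def __init__(self, allowed_clients):
        # Assumption: these names stand for identities proven by client
        # certificates; the mutual TLS handshake itself is not modelled.
        self._allowed = frozenset(allowed_clients)
        self._index_key = secrets.token_bytes(32)
        self._pan_by_token = {}    # a real vault encrypts this at rest
        self._token_by_index = {}

    def _index(self, pan):
        # Keyed hash, so the lookup index never holds a bare digest of the PAN.
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan):
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a valid card number")
        idx = self._index(pan)
        if idx in self._token_by_index:
            return self._token_by_index[idx]  # same card always maps to one token
        while True:
            token = "".join(secrets.choice("0123456789") for _ in pan)
            # Reject collisions and any value that could pass as a real card number.
            if token not in self._pan_by_token and not luhn_ok(token):
                break
        self._pan_by_token[token] = pan
        self._token_by_index[idx] = token
        return token

    def detokenize(self, token, client_id):
        if client_id not in self._allowed:
            raise PermissionError(f"{client_id} is not authorized to receive card data")
        return self._pan_by_token[token]
```

Applications outside the CDE store and pass around only the value returned by `tokenize`, so a breach of those systems yields numbers that cannot be used as cards.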
Perform a risk assessment on the current payment gateway and identify gaps in functionality, manageability, compliance, scalability, speed to market and best practices. Determine the alternatives to mitigate the risks. One important aspect of a leading payment gateway solution is support for all forms of credit, debit, gift card and check transactions. Its ability to work with any acquirer, its built-in encryption abilities, and its support for settlement and reconciliation must also be taken into consideration.
Settlement, Funding and Reconciliation
A workflow-based system to handle chargebacks and the automation of chargeback processing will greatly reduce labor-intensive work and enhance the quality of data used for settlement and reconciliation. Upgrades to the existing receipt retrieval system may be needed.
Card fraud is on the rise in the U.S., and merchants are the primary target for stealing information. With the EMV deadline just over a year away, the responsible retailer must take steps to prepare now. Although EMV implementation might seem overwhelming to merchants, they should start their journey to secure payments rather than wait for a looming deadline. Solutions such as data encryption and tokenization should be used in combination with EMV to implement a robust payment solution to better protect merchants against fraud. By proactively adopting EMV payment solutions, merchants can stay ahead of the regulatory curve and better protect their customers from fraud.
About Cognizant: Headquartered in Teaneck, New Jersey (U.S.), Cognizant combines a passion for client satisfaction, technology innovation, deep industry and business process expertise, and a global, collaborative workforce that embodies the future of work. With over 50 delivery centers worldwide and approximately 171,000 employees as of December 31, 2013, Cognizant is a member of the NASDAQ-100, the S&P 500, the Forbes Global 2000, and the Fortune 500 and is ranked among the top performing and fastest growing companies in the world.
About the author: Karl Swensen is an Assistant Vice President with Cognizant Business Consulting and leads the store operations practice. He has over 25 years of experience helping companies implement change and growth strategies at both retailers and consumer products companies globally from a strategic, business process, technology and human resources standpoint. His work experience includes leadership positions at Oracle, Home Depot and Kurt Salmon Associates. Karl has a Bachelor of Industrial Engineering degree from the Georgia Institute of Technology.