Should You Worry About EMV 2.0?
If your organization is like a lot of retailers, you may just be settling in after spending a lot of time, effort and cost implementing EMV. Or maybe “settling in” is too strong a term, since many of the processes surrounding EMV haven’t been completely sorted out and companies are still trying to determine the standards and plans for software updates, patches and the like.
Then comes the recent announcement of EMV 2.0 and, understandably, some companies got a bit nervous about this new release. What does EMV 2.0 mean for their EMV 1.0 implementation? What’s changed? Do they have to go through yet another all-consuming project?
What EMV 2.0 is and isn’t
EMVCo – the consortium of credit card companies that manages the standards around EMV – released the latest version of its EMV Payment Tokenization Specification – Technical Framework this fall. Dubbed EMV 2.0, the latest version “addresses the adoption of payment token use cases in e-commerce beyond existing card-on-file, and offers enhancements to how payment tokens can be controlled within a single payments channel,” according to the EMVCo press release.
EMV 2.0 also revises the roles of the token service provider and token requestor; introduces new concepts like the token program and token user; and outlines how all of these roles play out within the global payments environment.
These new standards are not a major overhaul of what’s currently in place. Rather, it’s a matter of refining specific roles and procedures that are relevant to contactless payment systems such as Apple Pay or Android Pay, and, to a lesser extent, mobile and browser-based payments.
Do you need to act now?
The short answer is that it depends on your business case. EMV 2.0 is sure to be another resource-intensive project, so it’s important to take a close look at your business to figure out whether it’s necessary and worth the effort.
Assess your fraud risk
EMV 2.0 includes a new messaging protocol that allows consumers to authenticate themselves when using a contactless payment option. It’s an additional security layer that prevents unauthorized transactions from mobile, contactless, and traditional browser-based payments, and it further protects the merchant from fraud exposure.
Taking stock of your fraud risk is a good first step when figuring out if immediate action is needed. If you have implemented EMV 1.0 and are continuing to face fraud threats or gaps, the enhanced security protections of an EMV 2.0 implementation may make sense for your business. However, if you’re among most small and mid-sized retailers for which fraud is not a significant concern, you may be adequately protected with your EMV 1.0 measures.
How common are mobile or contactless payments?
EMV 2.0 is largely about an enhanced technical framework that creates a common baseline for mobile or contactless payments and defines how EMV payment tokens are generated, deployed and managed. In plain English, this means that EMV 2.0 facilitates more secure transactions when a customer pays using a contactless or mobile method.
Here in the U.S., contactless payments aren’t yet widespread. If you are a small or mid-sized retailer, you probably don’t have a large percentage of your customer base using these types of payments. Instead, they likely shop in-store and pay by cash or credit card, or they shop online using the traditional browser-based method and pay by credit card.
If the above scenarios are true for you, then EMV 2.0’s enhancements aren’t immediately relevant to your operations and there’s likely no need to take immediate action. However, EMV 2.0 changes are especially relevant to those large Tier 1 retailers that process millions of transactions a day and may have a larger number of customers using more cutting-edge payment methods.
It’s ok to wait and see
The largest retailers will no doubt start planning for EMV 2.0 changes because they are immediately relevant to the security and profitability of their business, as well as the convenience and security of their customers. But few small and mid-sized companies are going to have the stomach or the resources to undergo another significant implementation – and that’s ok.
If you’re like most retailers, you can breathe easy for now. But keep an eye on the experiences and lessons from the Tier 1 retailers as they implement EMV 2.0. What benefits are they truly getting out of it? What hurdles are they running into? What do their timelines look like? It’s likely that EMV 2.0 will make sense for your organization at some point down the road, so keeping tabs on the biggest players now will help you think through your own processes and needs when the time comes.
Author: Kimberly Berneck, senior vice president, delivery management, BTM Global