Preparing for the Migration to EMV Migration in the U.S.
P REPARING FOR THE
M IGRATION TO EMV IN
THE U.S.
The
A Mercator Advisory Group Research Brief Sponsored by AVATAS
8 Clock Tower Place, Suite 420 | Maynard, MA 01754
Phone: 1(781) 419-1700 | e-mail: [email protected]
www.mercatoradvisorygroup.com
1
Preparing for the Migration to EMV Migration in the U.S.
Introduction
Today, new payments technologies like Near Field Communications (NFC), Quick Response (QR)
codes, and Bluetooth Low Energy (BLE) are all generating buzz. While these technologies have the
potential to substantially change the way that consumers pay for goods and services, for merchants
the approaching EMV migration is even more significant.
The move (pushed by card networks like Visa and MasterCard) toward EMV adoption will strongly
encourage merchants to reconsider their payment acceptance solutions as they confront the likely
reality of having to purchase new point-of-sale (POS) terminals to avoid greater liability on
fraudulent transactions.
Reducing payment card fraud is the main driver for the industry’s migration to EMV cards in place of
the current magnetic-stripe cards, a technology more than 40 years old. Magnetic-stripe cards are
vulnerable to being easily counterfeited. In contrast, EMV cards represent a significant security
upgrade to the U.S. payments system and should reduce fraud dramatically in the years to come.
The purpose of this Mercator Advisory Group Research Brief sponsored by Cayan is to shed more
light on EMV from the merchant perspective by clarifying what EMV is and why it was selected to
help reduce fraud. This Research Brief also provides information on how merchants should prepare
for the EMV migration and recommendations on best practices as EMV cards and EMV-compliant
POS terminals become more commonplace.
What Is EMV?
EMV is a payment security standard developed by Europay, MasterCard, and Visa in 1994. In the
mid-1990s, EMV-compliant payment cards began to be issued and EMV-compliant POS terminals
began to be installed in countries around the world. While different markets have migrated to the
EMV standard at different speeds, the U.S. has been the one major international outlier not
adopting the standard.
Since 2011, however, the global card networks that first created EMV have renewed their push to
bring the EMV standard to the United States by creating incentives for merchants like eliminating
the PCI Data Security Standard (DSS) reporting requirement. They have also set deadlines for
migration. Merchants who do not meet the card network’s deadlines face increased liability for
fraud committed by customers using counterfeit cards for payment at the point of sale. These socalled liability-shift deadlines are reviewed later in this Research Brief.
12 Clock Tower Place, Suite 150 | Maynard, MA 01754
Phone: 1(781) 419-1700 | e-mail: [email protected]
www.mercatoradvisorygroup.com
2
Preparing for the Migration to EMV Migration in the U.S.
To comply with the EMV standard, merchants must have POS terminals that are equipped to accept
and process transactions initiated with EMV cards. An EMV card resembles the current magneticstripe cards with one significant difference, the EMV “chip” or microprocessor that is embedded in
the card.
Unlike a magnetic-stripe card, an EMV card is not swiped through a reader. Rather, it is inserted into
a slot on the POS terminal as shown in Figure 1 (or tapped at the POS, if the customer has a “dualinterface” EMV card and the merchant has a contactless reader, shown in Figure 2.) When the
“traditional” EMV card is inserted, a metal contact on its face connects the card to the terminal and
the two devices are then able to communicate. Almost all EMV chip cards issued today (especially in
the United States) also have a magnetic stripe for use at terminals that haven’t been upgraded to
EMV. In Figure 1, a traditional EMV card and a traditional EMV card reader are shown.
Figure 1: Traditional, Contact EMV Card and Card Reader
Sources: Google Images, Mercator Advisory Group
EMV supports multiple cardholder verification methods (CVM) including personal identification
number (PIN), signature, and no CVM. The PIN may be offline or online. “Offline PIN” means the PIN
is stored on the card and the validation step is conducted using just the card and the terminal
without going online to validate the PIN. To initiate this type of EMV transaction, the cardholder
inserts the card into the reader and enters his or her personal identification number on the
encrypting PIN-entry device. The terminal then sends the PIN to the card for validation. EMV cards
12 Clock Tower Place, Suite 150 | Maynard, MA 01754
Phone: 1(781) 419-1700 | e-mail: [email protected]
www.mercatoradvisorygroup.com
3
Preparing for the Migration to EMV Migration in the U.S.
can also be deployed for online authorization, known as “chip and signature.” Because the United
States is an “all online all the time” authentication environment, some major stakeholders are
suggesting that offline PIN and its associated higher costs (the card requires stronger cryptography
and larger memory in each card) are not necessary to serve the needs of the U.S. domestic market.
While signature-based EMV debit cards will no doubt be issued, Mercator Advisory Group expects
debit card issuers to continue to employ online host-based PIN authorization with their EMV debit
cards to maximize their fraud loss performance and continue to provide consumers with a security
feature that inspires confidence and trust.
Although many merchants will proceed to use EMV card readers like the one seen in Figure 1, some
U.S. issuers have begun deploying dual-interface cards in which a single chip supports both
traditional EMV transactions and contactless payment transactions. Contactless payments are
transactions made by simply tapping a card against an enabled POS terminal. For merchants that
experience high consumer payment volumes, deploying contactless enabled terminals may be very
efficient. Furthermore, the contactless EMV interface is the same one used by smartphones
equipped with Near Field Communication, or NFC, chips, and so a POS terminal that supports both
contact and contactless EMV is ready to accept mobile payments from smartphones. Figure 2 shows
a dual-interface EMV card and a contactless EMV card reader.
Figure 2: Contactless EMV Card and Card Reader
Sources: US Bank, Google Images, Mercator Advisory Group
12 Clock Tower Place, Suite 150 | Maynard, MA 01754
Phone: 1(781) 419-1700 | e-mail: [email protected]
www.mercatoradvisorygroup.com
4
Preparing for the Migration to EMV Migration in the U.S.
Why Migrate to EMV?
Although many merchants may be skeptical of EMV migration given the significant upfront costs of
upgrading payment acceptance terminals, over the long run merchants and the industry as a whole
will benefit from reduction in fraud. The magnetic stripe is no longer able to fend off fraudsters
armed with low-cost magnetic-stripe readers, card-duplication gear, and Internet-sourced card data
that can be entered into the payments system without strong account holder authentication. The
result has been an outbreak of card skimming that has cost the payments industry and merchants
millions of dollars.
According to a report published by Europol, a pan-European police agency, the U.S. is now the main
source of European Union credit card fraud, joining Brazil, Colombia, the Dominican Republic,
Mexico, and Russia as leading destinations for payment card fraud. From the point of view of
payment security, the U.S. is a sitting duck, especially exposed to cross-border fraud and continued
growth in card-not-present (CNP) fraud.
The fact that merchants in both Canada and Mexico are mostly compliant with EMV standards
makes merchants in the U.S. very vulnerable to fraud. And an increasing proportion of world
markets is becoming EMV compliant. According to EMVCo, the industry body created by the card
networks to provide information on EMV technology, at the end of 2012 there were 1.62 billion
EMV cards, or nearly 45% of all payment cards around the world, and 23.8 million EMV-compliant
terminals, representing over 75% of all POS terminals globally.1 As the rest of the world continues to
move toward EMV, merchants in the United States not only will see more EMV cards but also will be
at greater risk of fraud until they install EMV-compliant POS terminals.
Case Study: Fraud Reduction in the U.K.
As in most other EMV countries, issuers in the United Kingdom continue to include a magnetic stripe
on payment cards so the cards can be used in non-EMV-compliant countries. Because of this, POS
fraud still may occur when counterfeit cards are used in markets where EMV is less prominent. Only
6% of card fraud losses recorded in 2012 in the U.K. were linked to counterfeit cards. The majority of
card fraud in the U.K. is now tied to card-not-present, or CNP, transactions, which EMV does not
prevent.
1
For more information on global EMV card and terminal deployment and adoption rates, see the Appendix (Table 2).
12 Clock Tower Place, Suite 150 | Maynard, MA 01754
Phone: 1(781) 419-1700 | e-mail: [email protected]
www.mercatoradvisorygroup.com
5
Preparing for the Migration to EMV Migration in the U.S.
Card fraud in the U.K. began to drop following EMV implementation. But in 2008 and 2009 fraud
losses began to rise, driven mostly by CNP transactions and cross-border fraud initiated with
counterfeit cards using information captured from legitimate cards’ magnetic stripes. After more
countries had adopted EMV, CNP and cross-border fraud losses fell. During the first six months of
2010, total fraud loss fell to £28.2 million from £46.3 million in the same period the previous year.
Since its adoption in the European countries, and the U.K. in particular, EMV has effectively
eradicated face-to-face counterfeit card fraud in card payments. Consequently, the U.K. case study
has significant implications for U.S. merchants since it highlights the tangible reduction in fraud
witnessed in a country following EMV migration.
U.S. Merchant Fraud Liability Shift Timeline
While the full migration to EMV in the United States is not expected for a few years to come, the
card networks have already set forth their merchant fraud liability shift deadlines. In 2012 the card
networks encouraged merchants to begin upgrading their POS terminals to be EMV compliant by
offering incentives. For example, Visa extended its Technology Innovation Program (TIP) to U.S.
merchants and MasterCard has offered to reduce a merchant’s liability for card-reissuance and
fraud costs by 50% in the case of a data breach if merchants process at least 75% of their
transactions on terminals capable of both contact and contactless EMV transactions.
Similarly in 2013, the card networks offered additional incentives to merchants. For example,
American Express and Discover both offered to eliminate or waive PCI reporting standards if 75% of
transactions processed over their networks from a merchant were handled by EMV-compliant
terminals.
However, it is not until 2015 that the fraud liability shift to merchants truly begins. All of the major
card networks (Visa, MasterCard, American Express, and Discover) have set fraud liability shift
deadlines for those merchants who have not yet upgraded to EMV-compliant POS terminals. Table 1
lists the important EMV liability shift dates set by the card networks.
12 Clock Tower Place, Suite 150 | Maynard, MA 01754
Phone: 1(781) 419-1700 | e-mail: [email protected]
www.mercatoradvisorygroup.com
6
Preparing for the Migration to EMV Migration in the U.S.
Table 1: U.S. Fraud Liability Shift Deadlines
Sources: Company websites and Mercator Advisory Group
12 Clock Tower Place, Suite 150 | Maynard, MA 01754
Phone: 1(781) 419-1700 | e-mail: [email protected]
www.mercatoradvisorygroup.com
7
Preparing for the Migration to EMV Migration in the U.S.
Recommendations for Merchants
To prepare for the forthcoming EMV migration and to ensure that they will be compliant by the dates outlined
by the card networks, merchants of any size should consider the following actions (note that the list is not
sorted in any particular order):
 Make sure your acquiring processor is passing along the interchange savings mandated by the DoddFrank Wall Street Reform and Consumer Protection Act of 2010 and in particular by the Durbin
Amendment, which addressed interchange regulations. Furthermore, your acquiring processor should be
monitoring developments related to the case In Re Payment Card Interchange Fee and Merchant
Discount Antitrust Litigation, on which Judge John Gleeson of the U.S. District Court for the Eastern
District of New York of the U.S. rendered a decision on Friday, December 13, 2013, favoring merchants.
 If you are concerned with EMV acceptance and cost and merchant choice in routing, look to participate
in the Secure Remote Payments Council or monitor the work of the Chip and PIN Working Group
operating under that Council. Participation in the EMV Migration Forum, a newly formed organization
under the auspices of the Smart Card Alliance, is another excellent way to influence the direction of the
U.S. transition to EMV.
 If mobile commerce and payments are a consideration, and they should be, evaluate the purchase of
terminals that support both contact and contactless EMV so that NFC-based transactions are possible.
Look for terminals that have the contactless capability built into the terminal directly, not via an add-on
card or external device. That will keep the cost lower and allow you to implement new mobile commerce
payment applications more readily.
 If you haven’t already, consider PIN debit acceptance. Because EMV does support PIN, nearly 100% of
EMV terminals include PIN pads. Debit PIN pads lower the cost of debit risk. A 2010 PULSE Debit Card
Issuer Survey determined fraud losses on PIN debit cards were $0.17 per card, while signature debit
losses were $2.29 per card, highlighting the difference in fraud between PIN and signature.
 Buy EMV-capable terminals when refreshing your point-of-sale terminals. Make sure you’re ready to
take “chip and PIN” payments and keep track of payment and customer experience changes brought on
by EMV—in particular, those enabled by mobile devices.
By incorporating the recommendations above, merchants will be well positioned to handle EMV transactions
and to meet the EMV liability shift dates set by the card networks.
2
2
For more technical recommendations on best practices for merchant EMV readiness see Appendix (Table 3).
12 Clock Tower Place, Suite 150 | Maynard, MA 01754
Phone: 1(781) 419-1700 | e-mail: [email protected]
www.mercatoradvisorygroup.com
8
Preparing for the Migration to EMV Migration in the U.S.
Conclusions
The most significant advantage to utilizing the EMV chip and PIN card standard is the reduction in
card fraud resulting from counterfeit, lost, and stolen cards. However, fraud reduction is not the
only benefit to EMV migration. By moving to the EMV standard, issuers are significantly improving
the probability that their customer’s cards will be accepted overseas. With EMV chip payment cards
in hand, consumers can use their card on any EMV-compatible payment device anywhere they are
accepted in the world.
Furthermore, EMV also supports greater cardholder verification methods and EMV payment cards,
unlike magnetic-stripe cards, can also be used to perform secure online payment transactions. In the
end, EMV does a lot to improve the counterfeit card problem at the POS by making it much harder if
not impossible for criminals to skim card data.
EMV and in particular the contactless payment functionality will also continue to fuel the mobile
payment revolution. The mobile payment revolution may not be far off, already today, NFC-enabled
POS terminals in the U.S. represent about 10% of all terminals and merchants embracing NFC
include McDonald’s, Walgreens, CVS, and Cinemark Theatres to name a few. Furthermore, as
smartphones continue to increase their consumer penetration, interest in mobile payments will only
grow.
According to Mercator Advisory Group’s CustomerMonitor Survey Series (an in-depth online survey
of a sample of 3,000 U.S. adults on a myriad of payment topics), interest in mobile payments has
increased sharply in the past year. In 2012, 10% of mobile phone owners and 21% of smartphone
owners reported that they had tried to make a mobile payment; however, in 2013, 20% of mobile
phone owners and 31% of smartphone owners tried making a mobile payment. With mobile
payment interest growing among consumers, merchants may be better suited to deploy contactlessenabled terminals that can accept all types of EMV transactions (traditional, contactless, and NFC).
Although it will take time for the U.S. to become fully EMV compliant, EMV implementation is set to
change the nature of terminal deployment and management in the United States. In addition to
overhauling current POS practices, EMV will alter the customer onboarding process moving forward,
ultimately radically changing how merchants accept card payments. As a result, developing an EMV
business case today may be hard, but investing in EMV-compliant POS terminals and other hardware
will represent a sound investment over time.
12 Clock Tower Place, Suite 150 | Maynard, MA 01754
Phone: 1(781) 419-1700 | e-mail: [email protected]
www.mercatoradvisorygroup.com
9
Preparing for the Migration to EMV Migration in the U.S.
Appendix
Table 2: Global EMV Deployment and Adoption
Sources: EMVCo 2013, Mercator Advisory Group
12 Clock Tower Place, Suite 150 | Maynard, MA 01754
Phone: 1(781) 419-1700 | e-mail: [email protected]
www.mercatoradvisorygroup.com
10
Preparing for the Migration to EMV Migration in the U.S.
Table 3: Guiding Principles for Merchant EMV Readiness
Sources: MasterCard, Mercator Advisory Group
12 Clock Tower Place, Suite 150 | Maynard, MA 01754
Phone: 1(781) 419-1700 | e-mail: [email protected]
www.mercatoradvisorygroup.com
11
Preparing for the Migration to EMV Migration in the U.S.
Copyright Notice
External publication terms for Mercator Advisory Group information and data: Any Mercator Advisory Group
information that is to be used in advertising, press releases, or promotional materials requires prior written
approval from the appropriate Mercator Advisory Group research director. A draft of the proposed document
should accompany any such request. Mercator Advisory Group reserves the right to deny approval of external
usage for any reason.
Copyright 2013, Mercator Advisory Group, Inc. Reproduction without written permission is completely
forbidden.
About Mercator Advisory Group
Mercator Advisory Group is the leading independent research and advisory services firm exclusively focused on the
payments and banking industries. We deliver a unique blend of services designed to help clients uncover the most
lucrative opportunities to maximize revenue growth and contain costs.
Advisory Services
Independent and objective analysis in research documents and advice provided by our Banking Channels, Credit,
Commercial and Enterprise Payments, Debit, Emerging Technologies, International, and Prepaid practices.
CustomerMonitor Survey Series
Eight annual reports based on primary data from Mercator Advisory Group’s bi-annual surveys of 3,000 U.S. adult
consumers to determine their behavior, use, preferences, and adoption of current and emerging payment methods
and banking channels to help our clients identify and evaluate business opportunities and make business decisions.
Consulting Services
Services enabling clients to gain actionable insights, implement more effective strategies, and accelerate go-tomarket plans. Offerings include tailored project-based expertise, customized primary research, go-to-market
collateral, market sizing, competitive intelligence, and payments industry training.
PaymentsJournal.com
The industry’s only free online payments and banking news information portal delivering focused content, expert
insights, and timely news.
12 Clock Tower Place, Suite 150 | Maynard, MA 01754
Phone: 1(781) 419-1700 | e-mail: [email protected]
www.mercatoradvisorygroup.com
12
Preparing for the Migration to EMV Migration in the U.S.
About AVATAS
AVATAS Payment Solutions is the leading payment processing company for the energy and service
industry. Through its deep industry expertise and innovative technology, its customers improve their
cash flow and take advantage of cutting edge e-commerce solutions.
For more iinformation on AVATAS, please visit www.avataspayments.com
12 Clock Tower Place, Suite 150 | Maynard, MA 01754
Phone: 1(781) 419-1700 | e-mail: [email protected]
www.mercatoradvisorygroup.com
13