Post on 27-Apr-2020
EMV in the U.S.Liability shift; what does this mean for the U.S.?
EMV in the US
Fraud is on the rise in the U.S. A liability shift was announced by the major payment
schemes, fuelling the move to EMV. Moving to EMV would, in theory, prevent the U.S. from
becoming the primary target of fraudsters. This liability shift directly affects acquirers,
issuers and merchants as it relates to fraud. This means that the party, either the issuer or
merchant, that does not support EMV, accepts liability for forged card transactions.
Since the U.S. liability shift announcement by Visa was made, many papers and articles
appeared about this topic. But what does it really mean for the U.S.? UL’s transaction
security team answers essential questions about what the liability shift really means for
issuers, acquirers and merchants with regards to costs, risks and benefits.
Q: What is different to the situa-tion in the U.S., compared to the rest of the world? A: There are a few reasons why the
situation in the U.S. with regards to the
implementation of EMV is unique to
other migrations in the world. The largest
implication for banks is the high potential
for card-present fraud reduction. Card
fraud has always been a concern but it was
considered manageable; the revenue from
card interchange fees was sufficient to
cover the losses. The Durbin Amendment
and regulation II have changed that
equation, as these regulations reduce
interchange fees.
Card fraud in the U.S. reportedly already
costs the card payment industry $8.6 billion
a year and industry experts are concerned
losses will rise as fraud migrates to the U.S.
from EMV-ready countries. Perhaps now
more than ever, banks have good reason
to evaluate the extent to which embedded
smart chips can reduce their losses from
card fraud.
Losses from card-related fraud are
increasing and the smart chip enables
more robust cardholder verification to
protect against consumer-level fraud,
such as forged or lost/stolen cards, for
EMV transactions. On a global scale, the
total losses from card fraud are steadily
increasing. As regions including Europe,
Canada and Asia/Pacific continue to mark
positive results in the battle against card
fraud, the pressure on the U.S. to migrate to
the EMV standard becomes stronger.
Then there is the U.S. infrastructure; there
are many different debit networks. These
networks all need to know upfront what
Questions and answersWhat the liability shift really means with regards to costs, risks and benefits.
page 2
their requirements are before starting to
invest in new infrastructure to support
the EMV implementation. As yet these
requirements have not been developed.
Implementing new infrastructure
without understanding upfront what the
requirements are will add major risk to any
implementation.
Whilst all the above implicates that the
US ‘lags behind’ in technology when it
comes to payment transactions, they do
have the advantage of being able to learn
valuable lessons from other countries that
have already implemented EMV. These
lessons can help to reduce costs, define
scope and ensure a smoother transition
to EMV. It also provides the U.S. with
the unique opportunity to select EMV
configuration options that take advantage
of their existing online communications
infrastructure. Lastly, it provides the
advantage of implementing contactless
technology at the same time. As stated by
Smart Card Alliance, the “U.S. may evolve
to a hybrid combination of options to
best support venue, transaction type, and
compatibility with the rest of the world”.
Q: What is the cost versus the benefit?A: With every change of infrastructure –
be it cards, terminals or POS devices – an
investment cannot be avoided.
However, putting fraud-prevention
measures in place will pay off in the long
run both merchants and acquirers as well
as issuers. As an issuer, you can raise your
interchange fees a bit if you put fraud-
prevention measures in place. Another
incentive given by the schemes is waiving
the Payment Card Industry Data Security
Standard (PCI DSS) compliance validation
requirements; this to encourage merchants
to invest in contact and contactless chip
payment terminals.
Whilst the initial investment is considerable,
implementing EMV chip technology
in the U.S. could speed up mobile and
contactless payments. The devices that
accept EMV chip cards are dual contact/
contactless devices. By installing these
devices to accept EMV, merchants are also
preparing themselves to accept mobile and
contactless payments. This can be seen as a
major benefit to an initial costly investment.
In a study based on a fictitious bank with
5 million cardholders and average market
characteristics, MasterCard Advisors
estimated losses could be as high as $25
million if EMV migration is delayed until
2015, rather than starting in 2013. It’s clear
that there is the potential to significantly
reduce losses and take advantage of added
benefits by migrating to EMV sooner rather
than later.
And finally, cardholders will also see
the implementation of EMV as a huge
benefit. With market penetration of EMV
technology deployment growing around
the world, the magnetic stripe technology
becomes more and more outdated. Tens
of millions of U.S. cardholders have been
inconvenienced abroad over the last few
years by being refused to accept their cards
and even more by not being served at
unattended terminals.
Q: What are the risks of not migrating to EMV?A: Delaying migration to EMV may cause
an increasing risk of loss, largely due to the
Every change of
infrastructure requires a
significant investment.
Reap the benefits of the
EMV discussion by choosing
a solution that fits a
combination of technologies,
to ensure you are ready for
the future.
page 3
EMV in the US
page 4
EMV in the US
impact of fraud migrating from countries
where EMV deployment is more advanced.
Delaying EMV implementation could
impact on the rise of US fraud, as well as on
the decline of cross-border revenue; fewer
merchants in EMV-mature countries will
accept cards that are not EMV compliant.
Secondly, EMV migration will spark the
development and acceptance of additional
technologies (e.g. mobile payments) and
as a bank or merchant you need to assess
what impact this will have on the future.
The EMV migration could be a good start to
future-proofing your payment solutions.
Q: Is EMV going to be here for the next 10 years?A: EMV is a standard towards a more secure
payment solution, and has been around
for nearly 20 years already. And now, with
NFC technology and mobile payments
developments, EMV is evolving. EMV is
collaborating with the NFC standards
organizations on building EMV compliance
into NFC payments. EMV technology
and mobile payments require similar
infrastructure requirements. There could
be an increased EMV compliant processing
system added to the payment ecosystem
across the world, meaning that EMV will
probably be here for a long time to come.
Q: How should banks/merchants handle the migration to EMV?A: There is a not a specific guide or a set
process on how to handle the migration to
a new technology. However, understanding
some fundamentals is essential.
Before getting started, it’s always a good
idea to educate yourself on the topic you
are going to invest time and money in.
Merchants, issuers, acquirers and other
involved stakeholders need to learn about
EMV; including the technical standard, the
implementation process and infrastructure
requirements.
Secondly, it's important to know your
options. There are various EMV-compliant
card programs that can help you get
started. This can include pilot programs
that do not fully commit to the
infrastructure investment of an in-house
bureau; central issuance or instant issuance
of EMV-compliant cards; or PIN change and
PIN selection. And, it can mean determining
what is right for you and your cardholders,
such as offering contact, contactless or
dual-interface cards.
Also ensure to gain a clear understanding
on the costs involved when starting an
EMV project. This includes everything from
infrastructure changes to cost per card.
Finally, future-proof your solution by
understanding how NFC technology is
related to EMV technology. The adoption of
a dual-interface chip technology will help
prepare the U.S. payment infrastructure for
the arrival of mobile payments supported
through NFC. Understanding the migration
to NFC is important to consider in terms
of how NFC technology will evolve in
the financial and payment landscape,
including the affect it will have on
necessary infrastructure to accept certain
technologies.
Q: What are the timelines and project risks? A: Important deadlines can be found at
the end of the document. Apart from that,
The approach to successful
EMV migration starts
with education. Gain an
understanding of what EMV
is about; know your options;
consider costs carefully and
future-proof your solution
to support mobile payments
developments.
we have set out the issues to look at when
looking to migrate to EMV and contactless
technology:
1. EMV and contactless technology have
a major impact on the entire acceptance
infrastructure and require thorough
planning to ensure a smooth migration.
Ensure you understand all deadlines
set by all major payment schemes and
collect their requirements for the EMV
implementation.
2. EMV alone is something that requires
many hours of training to understand. With
contactless and possibly mobile added
to this and being different for each of the
brands puts more resources required for
the training that is needed. Don’t overlook
the time and investment needed to
take in the necessary knowledge. Being
well-informed is the first step of a successful
technology change.
3. Take testing and certification in
consideration as each brand has its own
certification process and requirements
that need to be adhered to. A robust test
plan needs to be in place to enable timely
certification of a number of different
brands. Taking the time to properly test the
infrastructure (both chip and terminal) will
eventually proof to be a worthy investment.
4. PCI enhancements including P2PE
should be considered in addition to the
implementation of EMV and contactless
technology to ensure deployed devices will
be compliant for proposed PCI changes.
Considerations for issuers:
When making an educated decision
on whether or not to migrate to EMV,
issuers may want to askl themselves the
following questions: Where are you in the
development lifecycle? Do you believe the
dates will hold? What type of solution will
you support? Will you force reissue all cards
by 2015 or use existing reissue schedule?
Will you start to reissue when the industry
is ready (and potentially miss the liability
shift date)?
Considerations for merchants:
Merchants on the other hand have different
questions to consider, if they are still in
doubt whether to migrate to EMV. Based
on a seven to year POS lifecycle, merchants
could take advantage of their existing
replacement cycle, if meeting the liability
shift date is not critical for them. This is
however a risky strategy as it could lead to
multiple certification exercises and require
support of two different POS systems.
Merchants could also deploy hardware
in advance of soft/firmware updates
(which buys time and ensures hardware is
consistent across all locations and allows
for same software utilisation), there is a
risk that the hardware will be obsolete if
software upgrade or hardware deployment
takes more than five years.
Q: Should we skip EMV and implement mobile technology instead?EMV technology is a core component
of mobile payments (based on NFC
technology), and can be viewed as a
prerequisite for NFC mobile payment
adoption.
page 5
EMV in the US
“As the Canadian payment industry commences
its long-term migration to EMV Chip over the next
several years,” said Global Payments Canada President,
Jordan E. Cohen, “we are committed to providing
our merchants with the most robust and advanced
payment solutions in the market.
UL's comprehensive testing and certification
environment is just one example of how we are
facilitating a seamless EMV Chip migration for our
customers.”
By adopting EMV, much of the work that
is required to enable NFC technology
is already out of the way - notably the
dynamic authentication upon which both
technologies are based.
The likelihood of mobile payments
taking off through the adaptation of NFC
technology is much greater as the number
of NFC-enabled smartphones (currently
on the market and currently in use) and
contactless POS terminals are constantly
growing. Although we may not be able to
predict exactly when NFC-based payments
will take off, we can say with certainty
that it will happen (also considering the
large number of NFC pilots in the world).
Preparing yourself for this development
early can make market entry easier and
cheaper.
Considering the similarities in the
technologies, the requirements pushed
by the schemes and the rest of the world
having implemented EMV already, mobile
payments will most likely not be the
solution to be chosen over EMV, however
they are one of the drivers to smarter
solutions in a rapidly changing market
place.
page 6
EMV in the US
About UL Transaction Security
UL is the world leader in advancing safety with
over a hundred years of history. Employing
more than 10,000 professionals in over 100
countries, UL has five distinct business units
- Product Safety, Environment, Life & Health,
Knowledge Services and Verification Services
- to meet the expanding needs of our custom-
ers and to deliver on our public safety mission.
Through the acquisition of RFI Global, WIth-
am Laboratories and Collis in 2010 and 2012
respectively, UL is uniquely positioned as the
world’s number one competence center in
transaction security technology. UL acts as
your independent, trusted partner for end-
to-end transaction security services for the
mobile, payment, e-Ticketing and ID manage-
ment sectors on a global scale.
UL’s comprehensive transaction security ser-
vice line provides advisory services, expert
training courses, test tools and simulators, test
services and certification and security evalua-
tion services. Our thought leadership, close
involvement with leading industry bodies and
extensive experience enables UL to keep up
with the rapid pace of transaction innovation
for years to come.
Important dates and deadlinesVisa
• August 9, 2011. Visa announced plans to
accelerate chip migration and adoption
of mobile payments in the U.S., through
retailer incentives, processing infrastructure
acceptance requirements and forged card
liability shift.
• October 1, 2012 – PCI Audit Relief: If more
than 75% of merchant Visa transactions
originate from EMV-compliant POS
terminals that support both contact and
contactless transactions, the merchant may
apply for relief from the audit requirement
for PCI compliance.
• April 1, 2013 – Acquirer Compliance.
Acquirers and sub-processors must be
enabled to handle full EMV chip data in
transactions.
• October 1, 2015 – Counterfeit Card Liability
Shift. The party that has made investment
in EMV deployment is protected from
financial liability for card-present forged
fraud losses on this date. If neither or
both parties are EMV compliant, the fraud
liability remains the same as it is today.
• October 1, 2017 – Counterfeit Card Liability
Shift, Automated Fuel Dispensers. This
extends the card-present forged card
liability shift to automated fuel dispensers.
MasterCard
• January 30, 2012. MasterCard announced
their U.S. roadmap to enable the next
generation of electronic payments, with
EMV the foundational technology.
• October, 2012 – PCI Audit Relief: If
more than 75% of merchant MasterCard
transactions originate from EMV-compliant
POS terminals that support both contact
and contactless transactions, the merchant
is relieved of audit requirement for PCI
compliance.
• April, 2013 – Acquirer Compliance.
Acquirers and sub-processors must be
enabled to handle full EMV chip data in
transactions.
• April, 2013 – Cross-Border ATM Liability
Shift. MasterCard will extend its
existing EMV liability shift program for
inter-regional/cross-border Maestro ATM
transactions taking place in the U.S.
• October, 2013 – Account Data
Compromise (ADC) Relief for merchants.
On this date, if at least 75% of MasterCard
transactions originate from EMV-compliant
contact and contactless POS terminals, the
merchant is relieved of 50% of account data
compromise penalties.
• October, 2015 – Fraud Liability Shift.
MasterCard liability hierarchy takes effect.
The party that has made investment in the
most secure EMV options is protected from
financial liability for card-present fraud
losses for both forged and lost, stolen and
non-receipt fraud on this date.
• October, 2015 – Account Data
Compromise Relief: On this date, if at least
95% of MasterCard transactions originate
from EMV-compliant POS terminals, the
merchant is relieved of 100% of account
data compromise penalties.
• October, 2017 – Fraud Liability Shift,
Automated Fuel Dispensers. MasterCard
liability hierarchy takes effect for
automated fuel dispensers.
Discover
• March 15, 2012. Discover announced
implementation of a 2013 mandate for
acquirers and direct-connect merchants
in the U.S., Canada and Mexico, to support
EMV. Discover’s approach will support all
card authentication channels (online and
offline), all cardholder verification methods
(including both chip and PIN or chip and
signature transactions), and all commerce
channels (contact and contactless,
including mobile).
American Express
• June 29, 2012. American Express
announced its U.S. EMV roadmap to
advance contact, contactless and mobile
payments and its plans to begin issuing
EMV-compliant cards in the U.S.
• April, 2013 – Acquirer/Processor
Compliance. Processors must be able
to support American Express EMV
chip-based contact, contactless and mobile
transactions.
• October, 2013 – PCI DSS Reporting Relief.
Merchants will be eligible to receive relief
from PCI Data Security Standard (DSS)
reporting requirements if the merchants’
POS acceptance locations, where 75% of
their transactions occur, are enabled to
process American Express EMV chip-based
contact and contactless transactions.
• October, 2015 – Fraud Liability Shift.
American Express will institute a fraud
liability shift policy that will transfer liability
for certain types of fraudulent transactions
away from the party that has the most
secure form of EMV technology.
• October, 2017 – Fraud Liability Shift,
Automated Fuel Dispensers. American
Express fraud liability shift takes effect for
transactions generated from automated
fuel dispensers.
page 7
EMV in the US