Preparing for the Party
By Cary Whaley
With regard to EMV security chip cards, many community banks may be thinking the same way as an unnamed 19th-century wag who said, “There is a fine line between arriving fashionably late and missing the party altogether.”
EMV, which stands for Europay, MasterCard and Visa, for the organizations that developed the card security technology, is the smartcard replacement for magnetic stripe technology on cards, and it is finally arriving in the United States. The payment card technology can’t really be called new, since work on the standard began 20 years ago. Since then, many countries around the world have adopted the standard for retail card transactions. Because the United States represents both the largest and most complex card market in the world, it makes sense for migration here to lag behind other markets; however, the time for the party has arrived.
The EMV cards, which use a cryptographic algorithm to protect transaction data, require the use of new card and reader technology. Countries that have migrated to EMV technology have experienced dramatic reductions in point-of-sale fraud. For example, the United Kingdom experienced a 69 percent reduction in face-to-face card fraud.
The card associations steadily have been moving forward with migration plans for EMV in the United States, starting with mandates that processors run EMV-compliant systems by October 2013. The associations are using rule-based shifts of liability for fraudulent transactions as leverage to motivate the various groups within the card world, with successive dates being laid out for different groups like processors, point-of-sale owners, ATM owners and so on.
The major focus of the liability shifts is that if a non-EMV-complaint card is processed at an EMV-compliant terminal, the liability for a fraudulent transaction automatically falls on the issuer, and if an EMV-enabled card is processed at a terminal that does not use the EMV standard for processing, then that liability automatically falls on the merchant. These liability shifts will be implemented in phases, and sometimes at separate times for separate card associations.
The first of these shifts that affects issuers and acquirers will occur on Oct. 1, 2015. After that date, according to Visa, “the party that is the cause of a chip-on-chip (EMV) transaction not occurring (i.e., either the issuer or the merchant’s acquirer) will be financially liable for any resulting card-present counterfeit fraud losses.”
The deadline is the same for Visa, MasterCard and Discover; however, it only applies to transactions at the point of sale. ATM transactions and transactions at fuel pumps have a separate timeline, and in some cases different dates for different associations. The first generation of new cards and readers will be “dual-interface,” meaning that they can process both magnetic stripe and chip transactions to avoid any acceptance issues.
There are still pundits and naysayers in the marketplace, and many of them are saying that EMV alone does not address the entire card fraud issue, including card-not-present transactions and behind-the-firewall data grabs like that which struck Target. While that debate will continue, community banks need to take a realistic view of the upcoming deadlines and begin to make decisions accordingly since the majority of card transactions occur at a point of sale.
The key questions for community banks are when and how to implement an EMV program with respect to the liability shift deadlines. Your bank can adopt EMV cards early, target a migration to EMV around the card association deadlines or take a wait-and-see approach.
Early adoption approach. By migrating ahead of the deadline, banks will be able to adapt to any unforeseen roadblocks with time to adjust their schedules, and they will not face the resource contention issue as the deadlines approach. This also will give them the room to personalize the migration where necessary and manage any customer situations that arise. Even early adopting banks in the United States will benefit from the migration experience of many other countries.
While these banks will be leading the information wave as the deadlines approach, they will have the opportunity to tailor their messaging to their specific plan and customer profile. The anticipated wave of market education will also serve as a second round or reinforcement of key points. With only a little more than a year until the first liability shift deadline, it may be hard for at least some banks to avoid being fashionably late.
Wait-and-see approach. Since issuers bear most of the risk today for fraudulent transactions, there is an argument to be made that nothing really changes if they do not promptly migrate to the new EMV standard. While this is correct, shifting circumstances may create unexpected effects. When competitors roll out their new programs touting changes to better protect their customers, it could create a negative perception for banks that fall behind. In a similar way, advertising and education surrounding the shift to PIN-enabled credit cards may stir confusion about why some banks are setting PINs and others are not.
Finally, fraudsters are opportunists, and as migration to EMV heats up they will rapidly concentrate their efforts on the cardholders of banks that have not yet migrated their portfolios to EMV. These banks may be the ones that miss the party along with our 19th-century wag.
Meet-the-deadline approach. As the card associations’ EMV deadlines approach, awareness in the marketplace will grow through press coverage, advertising and educational work involving many of the market participants. Banks can take advantage of this awareness building to align their migration with the deadlines. On the other hand, the risk of project delays due to resource constraints increases as many banks begin executing EMV with their card vendors on a similar schedule.
What needs to be done
Preparation, planning and education will be essential. The first order of business for your community bank should be to spend some time with its service providers in the issuing and card personalization areas to understand where they are in terms of EMV readiness, what kind of programs will be available and what decisions your bank needs to make. The same sort of discussions should be held with your bank’s ATM operators and merchant acquiring organizations if applicable.
Merchant acquirers will need to work with their accepting merchants to deploy and certify EMV-complaint terminals, and merchant systems will need to be certified to process EMV transactions. To avoid liability, ATMs will need to be able to accept and process chip cards, along with their driving infrastructure, although this is the last of the liability shift deadlines. Branch terminals like kiosks and teller stations will also need to be chip-enabled, and loyalty programs will need to be examined for leveraging chip technology. Many of these are outside of the EMV mandate, but real upsides may be available.
Educating everyone regarding the changes surrounding EMV adoption will be vital to the success of the launch. Customers will need to understand and be comfortable with the changes to their cards and point-of-sale experience, especially the option for PIN use for credit card transactions. Bank staff and merchants will need information in order to guide customers through the process effectively.
EMV represents a set of changes that will impact many areas of your community bank and most of its customers, so thorough planning is a key to success, no matter when you plan to arrive at the party.
Cary Whaley (firstname.lastname@example.org) is ICBA’s vice president, payments and technology policy.