The U.S. will begin to officially jump on board the EMV bandwagon on Oct. 1. That is when the four payment card networks — Visa, MasterCard, Discover and American Express — institute a liability shift for domestic and cross-border counterfeit card-present point-of-sale (POS) transactions.
With this driver, U.S. adoption of EMV is on its way, yet there is still much work ahead.
Due to the complex nature of EMV, all stakeholders in the payment chain will need to make changes to support it. This includes terminal manufacturers, merchant acquirers, merchants, EFT processors, networks, issuers, card manufacturers, card personalization bureaus and core data processors. Each of these entities must code to the specifications for EMV in order to continue to support the payment ecosystem as it is today.
The Liability Shift
Currently, POS counterfeit fraud is largely absorbed by card issuers at a rate of approximately three cents per swipe. Countries that have adopted EMV report strong transaction security features in card-present transactions that are not possible with traditional magnetic stripe cards used in the U.S., which are susceptible to skimming and other forms of fraud.
After Oct. 1, liability will be assessed to the party that did not enable the chip-to-chip transaction. In the case of issuers, this applies if cards are not EMV chip-enabled. For merchants this applies if terminals are not EMV chip-enabled.
The Durbin Debit Issue
No issue has proved more difficult for EMV adoption in the U.S. than the Durbin Amendment to the Dodd-Frank Act, which "prohibits an issuer or payment card network from restricting the number of payment card networks on which an electronic debit transaction may be processed to fewer than two unaffiliated networks, regardless of the method of authentication."
EMV, however, was designed with security in mind, so that transactions only go to the network specific to that chip on that specific card; there was no room for choice.
Finally, a "Common Application Identifier (AID)" became available last year. This solution requires two AIDs on a global branded debit card, such as Visa or MasterCard.
That card will also have the global brand's standard or global AID and the global brand's proprietary EMV application. So, a Visa debit card will have the Visa VSDC EMV application plus two AIDs, the Visa standard AID and the Visa U.S. Common AID.
MasterCard debit cards will have their MasterCard standard AID and their common AID (Maestro AID) paired with the MasterCard Mchip application. In general, PIN transactions will invoke the Common AID, which gives the merchant or ATM owner the option to route that transaction to any MasterCard-licensed PIN network. Signature and international transactions will invoke the standard/global AID and the merchant will route to that brand, similar to how magnetic stripe transactions are routed today.
This solution fulfills a number of industry requirements, including routing neutrality and choice for merchants; one application on the card lessening complexity for issuers and acquirers alike; and a level playing field for networks.
While EMV credit transactions function in the U.S. now without significant changes to the payment card system, debit adoption was stalled because standard EMV implementation does not support the requirement for merchants to route to two unaffiliated networks.
Just as EMV in the rest of the world doesn't fully support the complicated multi-network environment in the U.S., global EMV terminal deployment specifications are not configured for the U.S. market either.
Now, stakeholders are moving swiftly to enable the terminal to ignore standard EMV rules so that the acquirer can choose the Common AID or set it as the default in a PIN debit transaction.
What About Tokenization?
How does tokenization — the industry's hottest topic since the September Apple Pay announcement — fit into the EMV-adoption picture?
The assessment of CO-OP Financial Services (www.co-opfs.org) is that tokenization and EMV together will provide even better security for the U.S. payment system. Think of EMV as the security for a plastic card in a card present transaction, and tokenization as the security for digital transactions, whether mobile or online.
So while the technologies are similar, they are designed for different cases. Coupled together they will make it much more difficult for fraudsters and improve the security of all transactions. And global interoperability of EMV chip cards is still a key driver of adoption in the U.S.
For financial institutions that haven't started their EMV conversation, CO-OP's counsel is: Don't panic. Some institutions may decide to delay their shift until late 2015 or even 2016, without serious fraud or liability risk.
It is never wise to be last to market, and EMV will be the standard in the U.S. Even so, institutions need to be talking to their vendors, looking at their budgets and, most of all, gaining an education on the technology, to determine the best time to move forward with EMV.
Michelle Thornton is director, product development for CO-OP Financial Services in Rancho Cucamonga, Calif. (www.co-opfs.org). She can be reached at firstname.lastname@example.org and 800-782-9042, ext. 6162