Jeremy Gumbley, CTO of Creditcall, tells how the U.S. compares to other countries’ progress in their EMV migration at a year before the deadline, as well as what IT solutions providers should be doing for their customers now.
Q: Our readers’ merchant customers have until October 2015 to implement EMV-enabled systems to avoid responsibility for fraudulent payment card transactions. Can you explain how that date and the upcoming shift in liability originated?
Gumbley: The October 2015 Liability Shift deadline was a joint effort created by payments brands in the U.S. In August 2011, Visa announced its plan to speed up EMV migration in the U.S. by implementing retailer incentives, processing infrastructure acceptance requirements and a counterfeit card liability shift. Shortly after that, MasterCard, Discover, and American Express announced their roadmaps to EMV in the U.S. with an agreed liability shift deadline of October 2015.
The main driver behind the push towards EMV acceptance in the U.S. is the technology’s ability to combat fraud.
Q: Is this a similar pattern that took place in other countries during EMV adoption?
Gumbley: Many countries around the world that have successfully migrated to EMV, implemented a deadline for their migration — a major difference is that the U.S.’ liability shift comes, in some cases, 10 years behind other countries.
In the U.S., while October 2015 marks the date when merchants will be liable for the costs associated with fraud if they have not updated their technology to be EMV compatible, the transition is not mandatory. After October 2015, merchants who choose not to update their payment systems to the new EMV technology will be liable to cover the potential costs of fraudulent transactions caused by mag-stripe cards.
A similar pattern took place during the UK’s migration to EMV. While the liability shift came into action in January 2005, it became a mandatory process to accept EMV chip cards as of February 14, 2006. Retailers were advised to expect credit card brands to decline payments automatically if a chip and PIN card was not used in the transaction.
There is still a potential for the move to EMV chip card technology to become a mandatory process in the U.S. in the future.
Q: Based on history, how does the U.S. compare to adoption one year before that date?
Gumbley: With the liability shift coming into place in less than 12 months, there doesn’t seem to be much sense of urgency amongst integrators, ISVs, and VARs to migrate their solution to the EMV chip-card standard, despite development times taking an average of 22 months.
One year ahead of the liability shift in the U.S., we are not seeing a lot of consumer education programs. The UK employed a chip and PIN rollout campaign to educate consumers about the new technology. The campaign was centered around the slogan “I ♥ PIN”— a fitting slogan as Valentine’s Day, February 14, was the date that shoppers were required to enter their PIN, as opposed to verifying via signature, when using their chip and PIN cards.
However, consumers are becoming more aware as many large retailers have been affected very publicly by breaches including the likes of Home Depot, Michaels, Neiman Marcus, and most famously, Target. In a bid to stay out of the headlines, many retailers are quickly adopting the new technology — I predict that if the current momentum continues that by the liability shift, more than half of retailers will be able to accept EMV payments. When customers increasingly begin to use their chip cards at retailers, it will continue to drive adoption elsewhere.
Q: What is impeding adoption?
Gumbley: The central question surrounding EMV Migration in the U.S. is why has it taken so long for the world’s largest industrialized country to adopt EMV? The cost and sheer scale of implementation, especially for a country as vast as the U.S, are major factors affecting the speed of migration. This includes the issuance of new EMV-chip debit and credit cards as well as the upgrade of all payment terminals to the EMV standard. Software developers charged with creating EMV-ready solutions are overwhelmed by the volume of information they need to digest and the complexity of EMV.
Q: As trusted advisors, what can retail VARs do to ensure their customers have every chance of having an EMV-enabled system by next October?
Gumbley: The most vital piece of advice for retail VARs is to start the process of migrating payment systems to EMV now. From start to finish, upgrading a payment system to the EMV standard can take up to 22 months. This means to be ready for the October 2015 deadline, VARs should have started with their EMV migration process back in January 2014.
To help VARs accelerate the EMV Migration process by reducing risk, operational resources and necessary skill, they need to join forces with experienced EMV-ready partners (like Creditcall) who offer pre-certified solutions which will significantly reduce the amount of time and effort to get up and running.
Without a pre-certified solution, retail VARs need to consider five steps:
- Select an appropriate PIN pad or card reader and develop a robust and reliable driver for it. This takes on average three months per PIN pad.
- Update all existing processor interfaces to support the new EMV requirements. This can take up to six months. With the October 2015 deadline approaching quickly, you must consider the demand for processor support requests in the run-up which could cause bottle necks, delaying the process even further.
- Get all the major card scheme certifications such as MasterCard M-TIP, Visa ADVT, American Express AEIPS or Discover DPAS. These take approximately four months and have to be repeated for every PIN pad and processor combination. If you support three PIN pads and three different processors you will need to schedule 144 weeks to obtain these certifications.
- Create a Terminal Management System (TMS) to keep PIN pads compliant and up to date by running the latest version of the EMV standard. A TMS enables this remotely, if an estate of PIN pads cannot be updated manually. PIN pads that don’t run the latest software or configuration are not compliant meaning merchants can be fined by the card brands which is passed down to them by their processor.
- Include support for point-to-point encryption (P2PE) as in combination with EMV your solution will be future proofed and provide the safest payment system available.
Jeremy Gumbley is a veteran of the payments industry having driven product and technology development roadmaps to accommodate EMV migration programs in the UK, Europe, Africa and the Middle East as well as the U.S. and Canada. Gumbley has driven Creditcall’s technical development since 1999 and was appointed chief technical officer and technical director in 2001.
He is responsible for the design, development and implementation of the company’s market leading card payment solutions and portfolio of EMV Level 2 Kernels. Creditcall has licensed and deployed over 1 million Kernels over the last 10 years. In addition, Gumbley oversees the maintenance of the company’s PCI DSS Level 1 compliance.
LINK TO ORIGINAL CONTENT: http://www.bsminfo.com/doc/creditcall-cto-migrate-systems-to-emv-now-0001