Article

A year after the US deadline, EMV compliance lags: Part 1 — What's causing the delay?

EMV system compliance has taken longer than many expected due to the complexity of integrating certified hardware with software and processors. Part 1 in a two-part series explores why the transition has taken so long, especially in the unattended retail sector.

November 2, 2016 by Elliot Maras — Editor, Kiosk Marketplace & Vending Times

A full year after card fraud liability shifted from card issuers to the EMV-noncompliant party in a card transaction, the majority of U.S. merchant transaction deployments remain noncompliant with EMV requirements.

The "State of Retail Payments 2016 Study" by the National Retail Federation and Forrester Research reported that 57 percent of merchants have installed EMV equipment, but cannot enable it because they still are awaiting system certification. Of those, 60 percent have been waiting six months or longer.

The slow pace of EMV system certification has emerged as an obstacle to EMV compliance in the United States, the last major market to adopt the security standard designed to better protect card users from counterfeit fraud.

While there are no statistics available on EMV compliance in the unattended retail sector, industry observers agree the unattended sector has lagged attended retail which, being a much larger market, has naturally monopolized payment processors' attention.  

Cardholders are waiting. By June, 65 percent of all U.S. credit cards and 33 percent of U.S. debit cards were issued with chips, according to creditcards.com.

Compliance moves slowly

"It does seem like it could be going better on the deployment side," said Frank Olea, CEO of Olea Kiosks Inc., a kiosk designer and manufacturer. He said the payment processors have to become familiar with EMV-compliant hardware, which takes time.

Payment equipment manufacturers have introduced a number of EMV-compliant devices, he said, but most kiosks being deployed don't include them yet.

When they are included, not all of them are able to interface with the card processors' software. EMV hardware uses more advanced encryption technology, which is more complex than magstripe technology.

"EMV has increased the level of complexity, which it warrants because you're trying to create security," Olea said.

Based on his personal observations, retail EMV compliance in the U.S. is about 50 percent at best, he said.

On the unattended side, Olea doesn't think very many kiosk deployments prior to the last nine months were capable of accepting EMV chips.

"The retailers all have to change to this technology, so there is a rush on equipment, and there's a rush on certification," said Paul Burden, director of software a Meridian Kiosk. "There are delays getting equipment and delays in understanding the transition requirements."

"EMV compliance is a matter of three tiers: hardware; software; and then your merchant acquirer," he said. "Together, they form one solution, and that has to be certified in order to actually engage with the chip."

A more complex integration

"EMV requires communication in both directions [between the processor and the chip card]," said Greg Burch, vice president of strategic development at payment equipment manufacturer Ingenico Group. "The complexities of that are much more than traditional magstripe."

The complexities are even greater with unattended devices since the card reader sits inside another piece of equipment, as opposed to an attended environment, which will have an all-in-one device, Burch said.

"In the unattended space, there's that concept of making sure you have the form, the fit, the power consumption; you have to look at CAD drawings and make sure that everything fits properly in the lab before you go out and roll it out."

Many users were just in the process of complying with Payment Card Industry Digital Security Standards for magstripe when the EMV liability shift took effect, Burch said. "This [EMV] is an additional technology on top of that," he said.

"It's a more complicated integration," agreed Rob Chilcoat, president of operations at UCP Inc., an EMV compliance consultant that assists companies with EMV migration. "Every link in the chain has to be certified."

"These smart terminals actually package and encrypt the data before it ever leaves the device, which is a concept called point-to-point encryption," Chilcoat said. "Combined with Derived Unique Key Per Transaction, that is what ultimately provides the security assurances to the merchants and the kiosk providers that their system won't ever be the source of a significant breach of customer card data."

The system itself is considered EMV capable when the processor and the card brands have certified that the transactions are originating from an EMV-certified device, and that all software and middleware complies with PCI-DSS as well as the international operability standards as set forth by EMVCo.

This is the step that is taking the longest since all the elements in the payment processing chain need to be in place and evaluated by a qualified security assessor.

"A lot of companies, when they're transitioning, will have their new payment device up, but their chip and pin is not ready yet," said Asa Moran, sales executive at Meridian Kiosk. "This is because they are awaiting approval from EMVCo before the chip and pin can be used. Maybe their payment gateway provider's not supporting it yet."

"In the United States, it seems like there's a way to go. A lot of companies have yet to transition," Moran said. "But if you are a merchant who is resisting the shift, you become a bigger target for fraud as more and more merchants around you become compliant."

Moran noted that Meridian, having a global presence, has encouraged customers to be compliant.

"Any kiosks that have been deployed in the last two years we have strongly insisted our customers be EMV-compliant," he said.

Retailers express frustration

"I'm sure there's some frustration among merchants," Moran said. "They are business people, and transitioning to EMV presents a new cost. But ultimately, chip and pin technology protects merchants and will save them undue costs and headaches in the long run."

Chilcoat said retailers have been slower to adapt because of the financial burden of buying new terminals and software, costs that are mostly borne by the merchant.

The higher cost of the EMV-compliant hardware has also had an impact on kiosk manufacturers.

"When it comes to the unattended hardware, it's much more costly than the kiosk manufacturers are used to," Chilcoat said.

More cost effective EMV-compliant kiosk hardware can be a few hundred dollars. This compares with older replacement parts that might cost as little as $75; it's a significant increase. "Plus, it's a lot more complicated from an integration standpoint."

Part 2 of this two-part series will explore the critical role payment gateways are playing in supporting EMV compliance.

About Elliot Maras

---

Elliot Maras is the editor of Kiosk Marketplace and Vending Times. He brings three decades covering unattended retail and commercial foodservice.