A year after the US deadline, EMV compliance lags: Part 2 — What's being done
Card payment system operators who have tried to switch to EMV-compliant systems might not have anticipated how long it would take for their systems to be properly certified. As described in part one of this two-part series, EMV-compliant systems that allow a card reader to accept an electronic chip are more complicated than magstripe systems.
Nonetheless, progress is being made. Payment equipment manufacturers have introduced a number of EMV-compliant devices. And while simply having these devices will not guarantee an EMV-certified system (they still have to be integrated with processing software), the availability of compliant devices is an important first step.
Payment gateways take a lead role
Because payment gateways are able to certify processing software on behalf of the system operator, they play a major role in EMV compliance testing.
In the pre-EMV days, gateway providers offered one or more connections to various processing networks for authorization and settlement, along with encryption, tokenization and other value-added services. It didn't necessarily matter which device was using the connection as long as the device and gateway supported the required processing functionality and industry requirements.
EMV adds an extra layer of complexity in that certification is specific to a card brand, payment capture device, gateway and processor.
As a result, a kiosk solution provider that wants to support multiple payment capture devices and processors must complete the complex task of acquiring processor-specific EMV certifications, which is extremely time, resource and cost intensive.
Semi-integrated EMV solutions
Payment gateway solution providers that offer semi-integrated EMV solutions have already undertaken this effort on behalf of kiosk integrators, and can provide a plug-and-play EMV solution for capturing payment at the point of sale.
This semi-integrated solution allows kiosk operators to comply with EMV without having to go through the full EMV certification process themselves.
"A lot of [merchants] don't want to go through that time, spend that money and go through the hassle," said Russ Palay, senior director of product management at Apiva, a payment gateway. "That's where a company like Apriva comes in; [the semi-integrated solution] is essentially a plug-and-play EMV solution for the integrator to put in place. They get to market a lot faster to accept [mag stripe], contactless and EMV transactions."
It takes time for a card system operator to put compliant hardware in place, and for the processor to get ready to use it, Palay added. Processors have to learn all the EMV-compliant hardware.
"Even those that have invested in the hardware now are still not fully transitioned from a software standpoint," said Laura Miller, director of marketing at Kioware, a kiosk software provider.
Hardware options increase
One sign of progress is that EMV-compliant hardware is becoming less expensive.
"Until the market comes down in price and there are more options, price can be a barrier," Miller said. "Hardware is driving adoption."
Miller echoed Palay's remarks about the role of payment gateways in supporting EMV compliance: The semi-integrated solution that is certified from device to gateway to processor reduces the complexity of migrating to EMV.
For example, On Track Innovations Ltd., a payment hardware provider, introduced a reader certified to Apriva's gateway, which is integrated with Elavon's processing platform for EMV payment processing.
Livewire Digital recently announced the integration with processors — including Heartland, First Data and Elavon — of its self-service software commerce platform with FreedomPay's EMV-compliant payment processing system for the iSelf Series of unattended devices from Ingenico.
"With FreedomPay, as well as other payment gateways we've integrated with, we've had to go through a certification process to ensure that the implementation is done correctly and securely," said David McCracken, Livewire president and CEO. "This process ensures that our customers, as well as end users of the systems we create, stay out of PCI scope and have no risk of credit card fraud."
Fraud risk to drive compliance
Fraud will help drive EMV compliance, particularly for kiosks carrying high ticket merchandise, said Rob Chilcoat, president of operations at UCP Inc., an EMV compliance consultant that assists companies with EMV migration. "There is definitely plenty of opportunity for fraudsters to take advantage of kiosks that are not chip-enabled," he said.
Scam artists are selling hacked card information on the internet that can be encoded onto stock magstripe cards.
"The unattended terminals that are out there that are only magstripe capable are targeted by fraudsters as the first place to test a counterfeit card to see if it's 'good' or not," Chilcoat said. "Out of the thousands of stolen card numbers they buy in what is commonly referred to as a 'card dump,' only a small percent haven't been reported as stolen or compromised."
The unattended sector has greater fraud risk simply by virtue of being unattended, Apriva's Palay said.
Compounding this risk is the fact that many unattended acceptance devices do not have pin pads. This creates a higher level of risk since there is no requirement for customers to authenticate themselves.
"Adoption is slow, but it's picking up," Chilcoat said.
While several payment gateways have done a good job of making it easier to integrate hardware with transaction processors, a handful of software vendors and kiosk manufacturers have also established a good track record for supporting EMV-compliant systems.
Additionally, Visa recently issued a waiver for unattended kiosks whose average ticket value is less than $25. The card issuers postponed the liability shift for a year for these low-value transactions.
Costs versus benefits
"While it is challenging and expensive to complete an end-to-end EMV compliant solution, the cost pales in comparison to the financial and reputation damage incurred with a breach," said Mike Raudenbush, solutions manager at Kiosk Information Systems, a kiosk manufacturer.
"The EMV requirement is not only something our customers need to consider for a kiosk implementation, but also for any payments they will be processing across all their platforms," added Harry Athey, Kiosk Information System's director of software development.
"Now is a great opportunity to 'reterminalize,' in order to take advantage of the latest payments security and acceptance opportunities for the point of sale," Apriva's Palay said, referring to the opportunity to offer both contact and contactless payment, the latter of which is growing.
Elliot Maras Elliot Maras is the editor of KioskMarketplace.com and FoodTruckOperator.com.