The U.S. is one of the last countries to migrate to EMV, and liability for fraudulent transactions is about to shift.
April 2, 2014
The race is on for U.S. kiosk operators to migrate the card acceptance technology in their terminals to EMV, the chip card security standard which is designed to eradicate counterfeit card fraud at the point of sale.
The U.S. is one of the last countries to migrate to EMV, or Europay MasterCard Visa, as most European, Latin American and Asian countries have either completed their migration or are in the process of doing so.
The card schemes have established counterfeit card fraud liability shifts for U.S. acquirers to encourage EMV migration.
MasterCard and Visa have both stipulated that, from October 2015, liability for the cost of counterfeit card fraud will shift to U.S. acquirers that don't accept EMV cards at POS terminals. In October 2017, counterfeit card fraud liability will shift to U.S. acquirers which haven't upgraded automated fuel dispensers to accept EMV cards, according to MasterCard and Visa.
A key reason for the U.S. to upgrade to EMV is the fact that card fraud has been migrating from countries which are already EMV-compliant to the U.S. In fact, according to the European ATM Security Team, the U.S. is now the top destination for international card fraud.
The U.S.
"U.S. kiosk operators are only now getting into EMV," Kevin Connor, director of product strategy at U.S. retail software vendor Retail Pro, said in an interview. "It will be a herculean effort for kiosk operators to upgrade their kiosks to EMV in time for the card schemes' 2015 compliance deadlines."
Despite delays in issuing EMV credit and debit cards in the U.S., Visa and MasterCard have refused to extend their deadlines.
The rollout of EMV in the U.S. will help spur deployment and consumer acceptance of card-accepting kiosks and other unattended payment terminals, Connor said. "EMV will make it safer to use cards at kiosks," he said. "Because consumers are increasingly concerned about the risk of card-skimming at POS terminals and unattended terminals, they will likely expect retailers and kiosk operators to use EMV."
EMV is even more important for unattended kiosks than for attended POS terminals, as people won't want to use unsecured, non-EMV-compliant kiosks for card payments, Connor said.
Windows 7
Another challenge kiosk operators face is to migrate from Windows XP to Windows 7. "There are a lot of kiosks still running Windows XP in the U.S.," Connor said. "Most kiosks either run Windows CE, Windows XP or Linux."
On April 8, 2014, Microsoft will stop providing Windows XP updates, although it will continue to supply its Malicious Software Removal Tool to Windows XP users until July 14, 2015.
After April 8, 2014, Windows XP-based kiosks which haven't been migrated to Windows 7 won't receive Microsoft security patches. They will face greater security risks from malware and network intrusions and will be in breach of the Payment Card Industry Data Security Standard, which requires payment terminal and ATM deployers to keep their operating systems updated with security patches that protect against known vulnerabilities.
"There will be a scramble by kiosk operators to upgrade to Windows 7 after April 8," Connor said. "Over the next six months, a lot of kiosks will be out of PCI compliance due to running XP."
EMV compliance
EMV standards are defined by EMVCo, which is owned by Amex, Discover, JCB, MasterCard, UnionPay and Visa. They ensure all EMV-compliant cards can operate with all EMVCo-certified EMV chip-reading card readers.
There are five steps to EMV compliance for kiosks, Jeremy Gumbley, chief technology officer at vending machine and kiosk payment services provider CreditCall, told Kiosk Marketplace.
"Firstly, kiosk operators must deploy EMV-certified and EMV-compliant card readers and PINpads, and install robust EMV software drivers for these devices," Gumbley said. "Next they must ensure their software integration and communications with their payment processor are EMV-compliant and support EMV messaging. Thirdly, they must ensure their kiosks and networks achieve end-to-end EMV certification with their processors. Fourthly, they must keep their EMV hardware and software updated with the latest EMV standards, and finally ensure that card transactions are secure."
Because EMV compliance requires extensive testing and certification, it will be important to start this process ahead of the compliance deadline. The burden of testing and certification will fall to kiosk hardware and software vendors, who will have limited resources to meet demand, according to the CreditCall white paper "EMV migration for the U.S. parking industry."
Payment processors will be receiving high volumes of testing requests for end-to-end certification, so there could be major delays when it comes to scheduling test slots, CreditCall said.
Encryption
Gumbley recommends that, as part of their EMV migration, kiosk operators support point-to-point encryption technology. P2PE encrypts a card number as soon as the card is entered into a card reader, and the encrypted card number is then transmitted over the network to the processor for decryption.
Because the merchant doesn't have access to the security key needed to decrypt the card number, P2PE offers a high level of security, Gumbley said.
Another advantage of using point-to-point encryption is that it makes achieving compliance with PCI DSS requirements less onerous, Gumbley said.
Durbin
One of the factors delaying migration to EMV in the U.S. has been uncertainty over the future of the Durbin Amendment, following U.S. District Court Judge Richard Leon's decision in July 2013 to overturn the Federal Reserve's implementation of Durbin.
In March 2014, the U.S. Court of Appeals for the District of Columbia Circuit upheld the Federal Reserve's implementation of Durbin, including its requirement for two unaffiliated debit brands on debit cards. Judge Leon's ruling would have required debit cards to contain two rival signature debit brands and two rival PIN debit brands.
U.S. debit card issuers had been holding back from migrating to EMV because of uncertainty about Durbin's debit network routing requirements.
Following the U.S. Court of Appeals' ruling, U.S. debit issuers will now likely begin an accelerated EMV implementation process, Ron Mazursky, director of Mercator Advisory Group's debit advisory service, wrote in a blog post.
"As Durbin didn't apply to credit cards, U.S. credit card issuers have been migrating to EMV," Gumbley said. "Debit card issuers can now implement a technical solution for EMV debit cards that complies with Durbin's requirement for two different debit network brands to be on their cards."
Cardholder authentication
U.S. issuers will have a choice of four different Cardholder Verification Methods for EMV cards:
Stephanie Ericksen, Visa's head of authentication product integration, told the February 2014 Smart Card Alliance Payments Summit in Salt Lake City that Visa is mandating that all new unattended EMV POS terminals worldwide that require PINs accept chip cards with no CVM by April 2014. By July 2015, this requirement will be extended to all existing unattended terminals, Ericksen said.
"Most manufacturers of card readers for U.S. kiosks will not be requiring PIN entry for U.S.-issued EMV cards," Gumbley said.
Image courtesy of Tim Alamenciak.