Patty Walters is the senior vice president of EMV Issuing and Merchant Corporate Strategy at Vantiv and the vice chair of the EMV Migration Forum Steering Committee. Her experience encompasses nearly 30 years in various aspects of the industry, including payment security, terminal technology, and marketing. Here, she draws on that experience to examine the impact and potential of EMV, discuss EMV strategies, and provide a snapshot of the future of EMV in the U.S.
Q. How do we know that rolling out EMV in the U.S. will have a real impact on fraud?
A. Fortunately, we have a lot of real-world experience to look at. EMV is used in most of Europe and many other countries around the world, where it is an effective anti-counterfeiting and fraud tool. EMV was implemented in Canada several years ago. Prior to that, the country had a high rate of counterfeit fraud that would increase during holiday cycles as the bad guys targeted that country in order to exploit the mag stripe environment. When EMV was adopted in Canada, the counterfeiting and fraud decreased significantly. At the same time, it increased substantially in the U.S., as the bad guys shifted their attention from Canada to here, where we haven’t had those EMV protections. So it’s pretty clear that it’s been an effective measure where it’s been implemented.
“We will be implementing EMV—it’s on our radar screen and we know the deadlines … If we don’t use EMV, we don’t want to be known as a hideout for fraudsters.”
Q. We’ve heard a lot about EMV, but not everyone may know how it works. How is it different from the traditional card approach?
A. Without EMV, when a card number is read from a mag stripe card, there is no “dynamic” piece of data accompanying the transaction that the issuer can utilize to authenticate that the card is legitimate; hence when bad guys get hold of a card number—they can create an identical card and use it as if they are the legitimate cardholder. That counterfeit card can then be taken into a retail location and used to purchase something that can later be resold—gift cards, jewelry, clothing, and so forth. So you have a legitimate person’s card number being used in a counterfeit way to purchase something that can be easily monetized.
EMV stops that attack at the point of purchase because a key stored in the chip on the card creates a dynamic piece of data that is sent along with the authorization message, creating a “parent-child” relationship between the card and the issuer. The issuer can “recognize” that the dynamic data is from one of its own cards and is able to confirm that the transaction is coming from an authentic card. So with a mag stripe, you have a static environment, and with EMV you have a dynamic environment, where each transaction is accompanied by a unique piece of data which changes on a transaction-by-transaction basis and can’t be replicated or utilized in a “replay” attack. In this way, EMV virtually eliminates card-present counterfeit fraud, since having the card number is no longer enough.
Q. Will consumers notice a difference in the way they use their cards?
A. Yes, but nothing too dramatic. Today, you typically swipe your mag stripe card and make a series of selections saying whether it’s a credit or debit transaction and confirming the purchase amount. In an EMV transaction, you don’t swipe the card, you insert it; the card stays in the terminal for the entire transaction. So, it will be very important for merchants to train their store employees for this change. Otherwise, we’ll have cards being left behind by customers, which is something that none of us wants to see.
Incidentally, there is probably a need to educate the public in general about EMV. In recent Vantiv research, two-thirds of the consumers who have EMV cards said they have used their cards in chip mode in the U.S. But there aren’t very many EMV terminals in place today, which makes that high level of usage unlikely. They probably think they are using EMV when they aren’t.
Q. Implementing EMV represents a real cost to the industry—especially retailers, which will need to build out the infrastructure. What sort of return on investment can they expect?
A. There’s a variety of potential benefits. First, there’s the expected reduction in counterfeiting and fraud. That’s great for customers. But it’s also good for the retailers. If a retailer isn’t EMV-certified by 2015, the liability for fraud shifts from the issuer to the retailer. Certainly, retailers are aware of that deadline, but I think that some would be surprised at the figures we’re talking about here. The fraud associated with a large retailer can run as high as several million dollars a month. And don’t forget, the bad guys are still going to be looking for ways to attack retailers, and it’s pretty clear that they will quickly learn to find and target the weak points—and that will be those retailers that don’t have EMV capabilities.
Q. Beyond avoiding those costs, what are some of the other benefits?
A. Retailers will be upgrading their terminals, and that gives them a chance to step back and take a big-picture look at the infrastructure. Once the retailer has the hood open on that technology, there’s an opportunity to implement improvements that might not be feasible otherwise—things like being able dynamically to convert currency in cross-border transactions or support contactless and mobile payments.
Retailers also need to think about the upside in terms of the marketplace. Having EMV capabilities will make it easier for U.S. retailers to cater to foreign tourists, who typically have EMV-equipped cards already. And with today’s security-conscious consumers, retailers that get out in front in terms of implementation could tout their enhanced security capabilities in their marketing messages. We’ve seen this occur very successfully in other markets. Many U.S. cardholders traveling abroad have experienced the challenge of using their mag stripe cards at an ATM, train station, restaurant, or merchant location, as they’re considered “less secure.”
Q. This clearly represents a lot of change in infrastructure, and there is a lot to consider. How should companies chart a path forward?
A. Yes, there is a real risk of running into “analysis paralysis” in trying to understand the opportunity in the marketplace, as well as the technology itself. We recommend you start at the beginning: get educated. As an industry, we have to ensure that all the stakeholders associated with the EMV migration—the different system owners and departments being affected— are involved in the education process. The natural evolution of education is an initiation into the planning process. As EMV is such a large change, all stakeholders need to provide input into near-term and long-term strategies. This is an opportunity where retailers, for example, can look beyond compliance and ask, “What do I want those terminals to do for the next 10 years?”
I suggest taking advantage of various industry forums to find out more about the issue—organizations such as the Smart Card Alliance, the Merchant Advisory Group, and the Electronic Transactions Association. The EMV Migration Forum and the Payments Security Task Force collaborated on a wonderful website GoChipCard.com where you can dive into EMV from the perspective of a consumer, merchant, or issuer.