On August 9, 2011, Visa USA announced an interesting program that gives merchants a carrot to adopt dual-interface chip terminals: terminals that read contact EMV chip cards (aka Chip and PIN) and also accept contactless cards and NFC-based mobile payments, which transmit the card information over near field communication (NFC).
The carrot Visa USA is offering is a waiver of the annual PCI compliance validation for merchants that deploy these dual-interface terminals. The criteria a merchant must meet to obtain the waiver are:
- At least 75% of the merchant’s transactions must originate from dual interface EMV chip-enabled terminals;
- The merchant validated their compliance with the PCI DSS within the last 12 months with the merchant’s acquiring bank or the merchant filed a defined remediation plan with the merchant’s acquiring bank;
- The merchant must have confirmed that they do not store sensitive information (i.e., track data, PIN, CVV) after completion of any transaction; and
- The merchant has not been involved in a breach.
The first requirement certainly drives the swap out of old terminals. However, until banks start issuing EMV and/or contactless cards in bulk, merchants are not going to invest in dual-interface chip terminals. What Visa USA is surely hoping for is that a large merchant like Wal-Mart, Best Buy or Target buys into the program and thereby drives the issuers and banks to get on board. Without a big box merchant, this program is pretty much dead on arrival.
The next two points are pretty much the same thing. In order to be compliant with the PCI DSS, a merchant must already prove that it is not storing sensitive authentication data. The only reason I can see for the third point is to cover the "defined remediation plan" of the second point in the event that the gap found was related to storage of sensitive data.
The fourth and final point makes complete sense. If a merchant has been breached, it must first demonstrate that it is PCI compliant before it can be waived from a PCI assessment.
Is it a good idea to waive the annual PCI assessment for merchants, all in the name of getting them to adopt a new technology? Particularly a technology that does not entirely solve the fraud problem with credit cards? Yes, you heard me right. EMV and contactless technologies do not entirely solve the fraud problem. While they reduce fraud in card present transactions, they do not even address fraud in card not present transactions. And it is in card not present transactions where fraud is most prevalent.
So why the push for EMV and contactless cards? That is a good question. The proponents of EMV will tell you it is to curb fraudulent purchases. However, according to the latest information I could find, while EMV is expected to drop card present fraud by 35% this year in Canada (the first full year they have had EMV), card not present fraud is continuing to go up. Based on statistics from a variety of sources, card not present fraud ranges anywhere from 40% to more than 60% of the total card fraud committed.
So, if EMV and contactless do little or nothing about the majority of fraud being committed, why the push for them? That is a really good question. To tell you the truth, I have no idea why Visa USA is pushing this other than to make things consistent worldwide. From the standpoint of curtailing card present fraud, which ran at less than 5% in 2009 (the last year for which statistics are available), there is certainly no ROI for EMV. This is why EMV has not been rolled out in the US: there is no payback if banks and merchants invest in it.
Then there are contactless cards. Contactless cards talk to the terminal over near field communication (NFC), which is built on the ISO/IEC 14443 proximity card (RFID) standard. As with the magnetic stripe, the account data itself is not encrypted on the card: the PAN and expiry date go over the air in the clear, and what protects a given transaction is a per-transaction dynamic value (a dynamic CVV or cryptogram generated by the chip), not any secrecy of the card data. Numerous proof of concept attacks have been documented in which a contactless card is read from a short distance. The bad news for cardholders is that, unlike EMV and regular credit cards, a contactless card can be read without ever leaving their wallet, so it can be skimmed without their knowledge or even suspicion. The only way the consumer finds out is when the statement arrives with fraudulent charges on it.
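Two of the points above have a concrete, checkable side: what a magnetic stripe or contactless read actually hands over (the PAN and expiry are right there in the track data), and the waiver criterion that a merchant must confirm it does not store track data after a transaction. The following is an added example, not code from the original post or from Visa: it parses ISO/IEC 7813 Track 2 data and its EMV tag 57 "Track 2 Equivalent Data" twin, Luhn-checks the PAN to cut false positives, and scans a set of constructed log lines for stored track data the way an assessor's log sweep would. The function names and the log lines are my own; 4111111111111111 is a well-known Luhn-valid test PAN, not a real account.

```python
"""Parse Track 2 / EMV tag 57 data and scan stored text for it.

Added example (not from the original post). Sample inputs are constructed;
4111111111111111 is a well-known Luhn-valid test PAN, not a real account.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ISO/IEC 7813 Track 2:  ;PAN=YYMMSSSdiscretionary?   ('=' separator, sentinels)
# EMV tag 57 (Track 2 Equivalent Data): same layout, 'D' as separator,
# no sentinels, optional trailing 'F' nibble padding. Note the PAN and
# expiry are plain digits in both; nothing here is encrypted.
TRACK2_RE = re.compile(
    r";?(?P<pan>\d{13,19})(?P<sep>[=D])(?P<exp>\d{4})(?P<svc>\d{3})"
    r"(?P<disc>\d{0,20})F?\??"
)


@dataclass
class Track2:
    pan: str
    expiry_yymm: str
    service_code: str
    discretionary: str   # issuer values (e.g. CVV1) live here: never store it
    source: str          # "magstripe" for '=' separator, "emv-tag57" for 'D'

    @property
    def chip_capable(self) -> bool:
        # ISO/IEC 7813 service code, first digit: 2 or 6 mean an IC (chip)
        # should be used where the terminal supports it.
        return self.service_code[0] in "26"


def luhn_ok(pan: str) -> bool:
    """Luhn check digit test; weeds out most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS display form: at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def parse_track2(text: str) -> Optional[Track2]:
    """Return the first Luhn-valid Track 2 / tag 57 record found in text."""
    m = TRACK2_RE.search(text)
    if not m or not luhn_ok(m.group("pan")):
        return None
    return Track2(
        pan=m.group("pan"),
        expiry_yymm=m.group("exp"),
        service_code=m.group("svc"),
        discretionary=m.group("disc"),
        source="magstripe" if m.group("sep") == "=" else "emv-tag57",
    )


def scan_for_track_data(lines: List[str]) -> List[Tuple[int, str, str]]:
    """(line number, masked PAN, source) for every line that holds track data."""
    hits = []
    for n, line in enumerate(lines, start=1):
        t = parse_track2(line)
        if t is not None:
            hits.append((n, mask_pan(t.pan), t.source))
    return hits


# Constructed POS debug log: lines 2 and 3 are exactly the kind of stored
# track data that fails the "no sensitive data after authorization" criterion;
# line 4 has a 16-digit number that fails Luhn and must not be reported.
SAMPLE_LOG = [
    "2011-08-09 10:01:12 POS07 auth ok order=48213 amount=19.99",
    "2011-08-09 10:01:13 POS07 DEBUG raw swipe ;4111111111111111=2512101123456789?",
    "2011-08-09 10:02:40 POS07 DEBUG tag57=4111111111111111D25122011234567890F",
    "2011-08-09 10:03:05 POS07 DEBUG trace id 4111111111111112=2512101123456789",
]

if __name__ == "__main__":
    for lineno, masked, source in scan_for_track_data(SAMPLE_LOG):
        print(f"line {lineno}: stored {source} track data for PAN {masked}")
```

Run against the constructed log it reports lines 2 and 3 only. The Luhn filter is the important design choice for a real sweep: debug logs are full of 13 to 19 digit runs (trace and order identifiers) that would otherwise drown the findings.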
But the real problem with EMV and contactless cards is that until every merchant can process them, the cards will still have to carry a magnetic stripe. This is particularly true for automated teller machines (ATMs). Even in Europe, where EMV cards are the norm, cards still carry a magnetic stripe because not every ATM and terminal reads the chip. The same will hold true for the US, since even the major banks cannot afford to change out the card readers in all of their ATMs to support EMV and contactless. As a result, any transition to these new cards will be a very long time coming.
That is not to say that EMV, or even contactless, could not take a significant bite out of card not present fraud. Card readers for PCs exist; the problem is that such a solution would require a standard application programming interface (API), which the card brands, banks, payment processors and merchants have done nothing to create. Over the years a number of solutions have been proposed by banks and card brands, but nothing has been adopted by everyone. As a result, instead of fixing the problem, everyone just accepts it.
The bottom line appears to be that Visa USA is pushing high technology as a solution for card present fraud, which just does not address the real problem. However, I guess it is better to appear to be doing something than to do nothing at all.
Relevant reading:
The Chip And PIN Debate – Part 1
PCI SSC Nixes PA-DSS Certification For Mobile Payments Applications For A While
Is there any limit on the size of merchants eligible for the TIP PCI validation waiver, i.e., are Level 1, 2, 3, 4 merchants all eligible if they fulfill the other requirements?
The technology innovation program (TIP) is a Visa program. So while you can go through it and Visa will allow you to avoid an assessment, if you accept MasterCard, American Express, Discover or JCB, they will all still require you to submit to an assessment under their rules.
When I use my EMV card on my (European) bank’s ATM it does additional checking of the card using the card’s chip, and not just reading the data from the mag-stripe. The mag stripe is there to support the old payment infrastructure that, due to merchants’ resistance to upgrading to new terminals, is not going away…
Also two other points to the post and the comments:
1. Contactless EMV transactions are secured by dynamic data (e.g. a unique cryptogram) because they can harvest the integrated chip. The data transmitted usually doesn’t have all the data required to create a cloned magstripe card.
2. Google Wallet is not like an eWallet. It is closer to contactless EMV than being an eWallet solution.
3. The shortcoming of EMV and eCommerce are mentioned here and on other different blog posts. I agree that it would be great if EMV would offer better online support. But the problem is that EMV card readers have never become widely used. That’s a different story though. But you also fail to mention Visa’s Secure3D and MasterCard’s SecureCode programs to protect card-not-present transactions.
Sorry to burst your bubble, but the vast majority of ATMs in the world, even in Europe, do NOT have EMV readers, they work only from the magnetic stripe. The reason is that they must do this in order to process transactions for all customers, not just those from areas that have EMV. That is the same reason that EMV terminals have magnetic stripe readers.
Your comments regarding EMV are all valid until you get to situations where the retailer is doing their own switching of transactions. It is in those situations that the EMV encryption becomes a moot point, because the retailer is decrypting the EMV so that they can properly process the transaction. Yes, they re-encrypt the data to send to the appropriate processor, but the damage has already been done, as their switch is now storing cardholder data.
Google Wallet is a combination of a limited function eWallet and an NFC application. Google Wallet securely stores a user’s credit cards and then makes those credit cards available for use through NFC readers when a user authenticates themselves to Google Wallet.
There are a variety of issues with card brand’s various on-line transaction security programs that have been well documented. In addition, these programs are outside of using the properties of EMV and really make no sense when you take into account EMV. If the card brands were really serious about EMV adoption, they would have given away USB EMV readers for online purchases and the development of a standard API for those readers.
I hope Visa clarifies themselves before folks get trigger happy.
•At least 75% of the merchant’s transactions must originate from dual interface EMV chip-enabled terminals
Does this mean that if all my terminals are EMV chip-enabled I qualify? This requirement does not indicate that my customers have to be using EMV cards; they can swipe away.
It seems like there will be a big step backwards if all it takes is a new terminal for a merchant to no longer have to validate PCI-DSS compliance.
No, Visa requires that 75% of your transactions are EMV. I think their wording was not as accurate as it could have been.
based on your “visa is upset” article, it seems that the customer does not have to be using chip and pin ….err EMV enabled cards to qualify for the exemption.
Exactly. Like what I said, what is the benefit to the merchant to spend tons of money to swap out terminals? Oh, I do not have to do a ROC. Wow, I spend millions to save a few thousand. There’s ROI – NOT!
@PCIGuru, in reference to your September 7, 2011 at 7:28 AM post:
Your comment that there’s little ROI because a ROC only costs a few thousand dollars seems a little nearsighted.
PCI does not cost a few thousand dollars…. The ROC is one (small) part of being PCI compliant. Larger companies could spend millions to make their networks PCI compliant. Such extreme security measures aren’t needed when you don’t need to secure such high-value data. On top of that there’s the inherent risk of having to be responsible for PCI data, which opens the company up to millions or more in fines.
If EMV eliminates the high-security needs and risks, then I think there is a greater potential for the ROI to be met.
Visa’s program announcement implies that EMV/contactless alleviate the security risks, but they do not alleviate the risks, they just change the risks.
This is what drove merchants nuts at the community meeting. At the ‘Breakfast with the Card Brands’, the Visa tables were all abuzz about EMV/contactless and no ROC. However, merchants were confused because the PCI SSC had stated the day before that Visa’s EMV/contactless program did not remove the merchants’ requirement to ensure they were compliant with the PCI standards. The bottom line is that Visa’s EMV/contactless program only removes the requirement, at least for Visa, for the merchant to file a ROC. That is the ROI I was basing my analysis on. However, a merchant still has to do a ROC for all of the other card brands they accept, so even that ROI is illusory unless the merchant only takes Visa, which is extremely rare.
Another thing that drives merchants nuts about EMV/contactless is with its applicability to eCommerce – or lack thereof. EMV/contactless does nothing for improving security and stopping fraud with eCommerce. When pressed, the Visa people had to back off and tell merchants they would get back to them regarding EMV/contactless and eCommerce. eCommerce is where fraud is growing at double digit rates, yet Visa is so tied into EMV/contactless, that they are trying everything to push it into the US market to recoup their investment, even when it is not the solution.
Large merchants are also holding back on EMV/contactless because of eWallets such as Google Wallet. If a merchant can get a bar code with a unique transaction identifier that can be scanned, why would you want to invest in EMV/contactless terminals when your existing technology is good enough? You don’t, so the large merchants are just going to wait things out and let the technology work itself out.
And finally, for large merchants, they are typically going to have hundreds, if not thousands, of card terminals and/or POS stations. Most have just refreshed these devices within the last two to three years because of other security requirements. So Visa asking them to refresh again to support EMV/contactless to save on filing a ROC is just not going to be cost effective.