EMV in the US: The Answer to Breach Protection?

By April 17, 2017Blog

The migration to EMV – the Europay, MasterCard, Visa standard for chip-based payments – in the U.S. has been underway for years, even more than a decade. But for the majority of U.S. merchants, this migration effort didn’t kick into high gear until 2014, in the wake of the massive data breach at Minneapolis-based big-box retailer Target.

That breach compromised payment and personally identifiable information linked to some 110 million Target REDcard holders and customers.

The onslaught of mainstream media coverage, congressional hearings and a corporate shakeup at Target Corp. that ultimately led to the resignation of Target’s CEO in the wake of the breach were the primary forces that brought EMV to the forefront.

It all, perhaps, was a good thing, even though all payments experts know that EMV would not have prevented the Target breach, and that the fraud liability migration date for retailers that suffer a counterfeit card loss linked to magnetic-stripe transactions was long ago been set by most card brands for October 2015.

Still, EMV was not something U.S. merchants talked much about or even knew much about until Target – and once Target hit, many found themselves scrambling to get up to speed.

Wait, what is this card called?

The new EMV cards in the U.S. might be called any of the following terms:

  • Smart card
  • Chip card
  • Smart-chip card
  • Chip-enabled smart card
  • Chip-and-choice card (PIN or signature)
  • EMV smart card
  • EMV card

Now, nearly four years after the Target breach and nearly two years after the fraud liability shift date, many U.S. merchants have yet to complete their EMV migrations. And some are opting to just ignore EMV all together, instead choosing risk over reward. Others have invested in the technology – by upgrading and/or replacing their payment terminals to accept both mag-stripes and chips – but they’ve not yet activated these devices because their still awaiting EMV certification from the card brands and their networks/processors.

And this is where EMV gets tricky, and requires reliance on trusted payment vendors, suppliers and partners.

There’s a backlog for certification, which is why so many consumers continue to see tape, notes and customized cards over chip readers at points of sale they frequent even today. These transactions default to mag-stripe, which opens the merchant up to counterfeit fraud risk and certain card-breach compromises, such as skimming.

EMVCo, which comprises and is overseen by card brands American Express, Discover, JCB, MasterCard, UnionPay and Visa, manages EMV specifications and related testing processes – processes that are constantly evolving. EMVCo’s roles include card and terminal evaluation, security evaluation and management of interoperability issues.

What’s more, certification requires three levels of compliance, according to the EMV Migration Forum:

  • Level 1, which covers hardware.
  • Level 2, which ensures the compliance of the payment kernel.
  • Level 3, which ensures that network specifications and acquirer requirements have been met.

Level 1 basically encompasses EMV chip card acceptance at the payment terminal. Level 2 guarantees a complete EMV transaction flow, and tests compliance with the debit/credit application requirements. d Level 3 is defined by the payment networks, and includes a set of integration testing requirements. EMV specifications do not cover communication protocols, risk control acceptance and machine interfaces; those must be specified by the national or regional payment authority.

It’s not an easy process. And Level 2 compliance/certification is often the most daunting. Visa and MasterCard, for instance, have slightly different requirements for EMV, as do the networks, where debit routing is concerned. Relying on a trusted partner for adequate and accurate certification in this area is critical.

Finding solutions and vendors that have been vetted by entities such as the PCI Security Payments Council and EMV Migration Forum for payment security is key.

If you’re uncertain about where your payment system stands when it comes to EMV compliance, contact the experts at Cryptera. The company creates some of the most advanced EMV-compliant payment solutions in the market and consults with integrators, manufacturers and deployers on meeting or exceeding today’s payment standards.