Wednesday, January 4, 2017

US-EMV Deadlines

And yet again, it's been a while since I posted to my blog and, in turn, it's been a while since I ruffled some feathers. So, let's start 2017 with a bang!

Over the Christmas break I read an article in Digital Transactions News: How EMV-Related Chargebacks Drove Florida Merchant Duo to Sue Networks And Issuers. While reading it, my initial thought was, "There's nothing new here. They're simply documenting how the EMV rollout went (and is still going) for many U.S. merchants." Then, in the final paragraph, I read a quote from Molly Wilkinson, executive director of The Electronic Payments Coalition, a Washington, D.C.-based lobbying group that represents card networks and issuers: "Merchant groups have known about the transition to EMV cards for five years but instead of getting their act together they have tried to delay, obfuscate, and reject this solution – all while leaving customers exposed to hackers and counterfeiters." This statement has so many flaws that I'm not sure where to start. It either demonstrates the coalition's ignorance of how EMV solutions are actually built and certified, or it is a blatant lie.

Let's start with the merchant groups. Simply put, they are advocates for the merchants, not instruments of the card brand mandates. They have no control over what the networks support, the physical requirements of performing an EMV transaction, or the certification requirements for EMV solutions. Merchant groups had little to no role in the supposed five-year preparation window (more on this later). I would be interested in hearing exactly how these merchant groups delayed or obfuscated the U.S. EMV rollout. As for the "rejection of the solution," the merchants had reasons for it, as I will explain.

IMHO, the largest factor in the U.S. EMV rollout failure was a lack of forethought by the card brands and EMVCo in recognizing the differences in the U.S. marketplace. EMV has for the most part been a great success in Europe, and it was assumed that the European EMV "plans" could be lifted and plopped onto the U.S. as-is. The problem is that the plan included thorough end-to-end testing of the "solution." In Europe, the majority of deployments are simple stand-beside terminals with little or no POS integration, so certifying a couple of terminal solutions with a couple of banks in each country is no big deal: project complete. Here in the U.S., there is far more diversity of banks, processors, and terminals, and the majority of the marketplace uses fully or semi-integrated solutions with the point-of-sale (POS). Every distinct combination of terminal, POS, gateway, and processor host is its own "solution" to certify, so the number of certifications multiplies out to many times what the European rollout required. Now, before people get bent out of shape that I'm bashing one side or the other: my point is not that one is better than the other. My point is that they are simply different, that there was a failure to plan for this difference, and that the blame certainly doesn't fall on merchant groups.

Let's revisit the five-year EMV preparation window. The card brands scheduled various deadlines for banks and processors to be EMV ready within this window, all before the October 1, 2015, liability shift deadline for merchants. There were two issues here. First, I don't know the wording of the mandate to the processors, but from what I experienced, as long as a processor could demonstrate a working EMV solution (I'm unsure if certification was required or not), the deadline was considered met. For many processors, host specifications supporting EMV were not published to integration partners (like gateways) until around May or June of 2015. Second, none that I am aware of had solidified their certification process, which is a big part of delivering an EMV solution. Most EMV solutions back then took between 4 and 12 months to certify. It's a little better now, but not by much. Assume the specs were published in May, allow a 30-90 day development cycle, and add a six-month certification: the average "solution" would have been certified and production ready no earlier than February or March of 2016, a good 4-5 months after the merchant deadline.

Then we have the October deadline. Why October? Who picked this date? It sits just before the holiday shopping season, when most merchants (at least larger merchants) have technology freezes in place in preparation for their busiest time of year. I'm not sure what the merchant groups were or were not conveying to the card brands or the coalition, but if I were in charge, this would have been a no-go issue.

Now, the doozy: "all while leaving customers exposed to hackers and counterfeiters." This propagates the misbelief that EMV secures the account information. It does not. EMV is an authentication mechanism: the chip computes a cryptogram over the transaction data under a key only the card and issuer share, so the issuer can verify (relatively speaking) that the card is authentic and was not forged, and that the amount and other transaction details were not altered in transit. What EMV does not do is hide the data. The account number (PAN) and expiration date are read from the chip and travel through the POS, gateway, and processor in the clear, and anyone with a tap on that path can harvest them for card-not-present fraud just as easily as from a magnetic stripe. To secure the data you must add point-to-point encryption (P2PE, sometimes also referred to as end-to-end encryption or E2EE), in which the terminal encrypts the sensitive fields before they leave the device and only the processor's hardware can decrypt them. The U.S. was already shifting toward P2PE, but the problem was that incorporating EMV meant a new batch of uncertified terminals entering the solution certification chain.
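To make the authentication-versus-confidentiality distinction concrete, here is an added example in Python that is not part of the original post. It models the two mechanisms side by side: the cryptogram is an HMAC stand-in for the EMV ARQC (which in reality is a TDES/AES MAC over specific EMV tags under a per-card session key), and the "P2PE" cipher is an HMAC-keystream stand-in for the DUKPT-derived TDES/AES encryption a real SRED-certified terminal performs in hardware. The keys, the test PAN, the transaction values, and the field names are all constructed for the demo.

```python
import hashlib
import hmac
import json
import os

# Constructed demo keys. A real card holds a key derived from the issuer's
# master key; a real P2PE terminal holds DUKPT-derived keys that never leave
# its tamper-resistant hardware. Neither is ever available to the POS software.
ISSUER_CARD_KEY = b"demo-issuer-card-key"
P2PE_KEY = b"demo-p2pe-terminal-key"

PAN = "4111111111111111"  # constructed test PAN, not a real account
CRYPTOGRAM_FIELDS = ("pan", "expiry", "amount", "atc", "unpredictable_number")


def emv_cryptogram(card_key: bytes, txn: dict) -> str:
    """Stand-in for the EMV ARQC: a MAC over the transaction data.

    HMAC-SHA256 truncated to 8 bytes plays the role of the real TDES/AES MAC.
    The ATC (transaction counter) and the terminal's unpredictable number are
    part of the MAC input, which is what makes a captured cryptogram useless
    for replay. Note that the PAN is an *input* to the MAC, not hidden by it.
    """
    data = "|".join(str(txn[k]) for k in CRYPTOGRAM_FIELDS).encode()
    return hmac.new(card_key, data, hashlib.sha256).digest()[:8].hex()


def issuer_verify(card_key: bytes, txn: dict, cryptogram: str) -> bool:
    """Issuer-side check: recompute the cryptogram and compare in constant time."""
    return hmac.compare_digest(emv_cryptogram(card_key, txn), cryptogram)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF-based keystream (stand-in for the real AES/TDES encryption)."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def p2pe_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Symmetric stream encryption/decryption of the sensitive fields."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def p2pe_wrap(txn: dict) -> dict:
    """Terminal side: encrypt PAN and expiry before anything leaves the device."""
    nonce = os.urandom(12)  # must never repeat under the same key
    secret = json.dumps({"pan": txn["pan"], "expiry": txn["expiry"]}).encode()
    wrapped = {k: v for k, v in txn.items() if k not in ("pan", "expiry")}
    wrapped["enc_data"] = p2pe_xor(P2PE_KEY, nonce, secret).hex()
    wrapped["nonce"] = nonce.hex()
    return wrapped


def p2pe_unwrap(wrapped: dict) -> dict:
    """Processor side (inside the HSM): recover the plaintext fields.

    The cipher here is unauthenticated; in this model alteration of the
    encrypted PAN is still caught because the EMV cryptogram covers it.
    """
    nonce = bytes.fromhex(wrapped["nonce"])
    secret = json.loads(p2pe_xor(P2PE_KEY, nonce, bytes.fromhex(wrapped["enc_data"])))
    txn = {k: v for k, v in wrapped.items() if k not in ("enc_data", "nonce")}
    txn.update(secret)
    return txn


def demo() -> dict:
    """Run one constructed transaction through both paths and report what each stops."""
    txn = {"pan": PAN, "expiry": "1219", "amount": 4250,
           "atc": 17, "unpredictable_number": "1a2b3c4d"}
    arqc = emv_cryptogram(ISSUER_CARD_KEY, txn)

    tampered = dict(txn, amount=1)                       # altered in transit
    forged = emv_cryptogram(b"attacker-guess", txn)      # attacker has PAN but no card key

    plain_msg = json.dumps(dict(txn, cryptogram=arqc)).encode()   # EMV only
    wrapped = p2pe_wrap(dict(txn, cryptogram=arqc))               # EMV + P2PE
    p2pe_msg = json.dumps(wrapped).encode()
    recovered = p2pe_unwrap(wrapped)

    return {
        "genuine_accepted": issuer_verify(ISSUER_CARD_KEY, txn, arqc),
        "tampered_rejected": not issuer_verify(ISSUER_CARD_KEY, tampered, arqc),
        "forged_rejected": not issuer_verify(ISSUER_CARD_KEY, txn, forged),
        "pan_visible_without_p2pe": PAN.encode() in plain_msg,
        "pan_visible_with_p2pe": PAN.encode() in p2pe_msg,
        "p2pe_accepted_after_decrypt": issuer_verify(
            ISSUER_CARD_KEY, recovered, recovered["cryptogram"]),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The first three results are what EMV buys you: the issuer accepts the genuine cryptogram and rejects both an altered amount and a cryptogram produced without the card key. The fourth is the point of this post: with EMV alone the PAN sits in the authorization message in the clear. Only when the terminal wraps the sensitive fields does the PAN disappear from the wire, and the issuer still verifies the same cryptogram once the processor has decrypted the fields.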

Hopefully this clears up some of the misinformation flying around about how merchants are to blame for the U.S. EMV rollout failure, or at least for the missed deadline.