EMV in the U.S.Liability shift; what does this mean for the U.S.?

EMV in the US

Fraud is on the rise in the U.S. A liability shift was announced by the major payment

schemes, fuelling the move to EMV. Moving to EMV would, in theory, prevent the U.S. from

becoming the primary target of fraudsters. This liability shift directly affects acquirers,

issuers and merchants as it relates to fraud. This means that the party, either the issuer or

merchant, that does not support EMV, accepts liability for forged card transactions.

Since the U.S. liability shift announcement by Visa was made, many papers and articles

appeared about this topic. But what does it really mean for the U.S.? UL’s transaction

security team answers essential questions about what the liability shift really means for

issuers, acquirers and merchants with regards to costs, risks and benefits.

Q: What is different to the situa-tion in the U.S., compared to the rest of the world? A: There are a few reasons why the

situation in the U.S. with regards to the

implementation of EMV is unique to

other migrations in the world. The largest

implication for banks is the high potential

for card-present fraud reduction. Card

fraud has always been a concern but it was

considered manageable; the revenue from

card interchange fees was sufficient to

cover the losses. The Durbin Amendment

and regulation II have changed that

equation, as these regulations reduce

interchange fees.

Card fraud in the U.S. reportedly already

costs the card payment industry $8.6 billion

a year and industry experts are concerned

losses will rise as fraud migrates to the U.S.

from EMV-ready countries. Perhaps now

more than ever, banks have good reason

to evaluate the extent to which embedded

smart chips can reduce their losses from

card fraud.

Losses from card-related fraud are

increasing and the smart chip enables

more robust cardholder verification to

protect against consumer-level fraud,

such as forged or lost/stolen cards, for

EMV transactions. On a global scale, the

total losses from card fraud are steadily

increasing. As regions including Europe,

Canada and Asia/Pacific continue to mark

positive results in the battle against card

fraud, the pressure on the U.S. to migrate to

the EMV standard becomes stronger.

Then there is the U.S. infrastructure; there

are many different debit networks. These

networks all need to know upfront what

Questions and answersWhat the liability shift really means with regards to costs, risks and benefits.

page 2

their requirements are before starting to

invest in new infrastructure to support

the EMV implementation. As yet these

requirements have not been developed.

Implementing new infrastructure

without understanding upfront what the

requirements are will add major risk to any

implementation.

Whilst all the above implicates that the

US ‘lags behind’ in technology when it

comes to payment transactions, they do

have the advantage of being able to learn

valuable lessons from other countries that

have already implemented EMV. These

lessons can help to reduce costs, define

scope and ensure a smoother transition

to EMV. It also provides the U.S. with

the unique opportunity to select EMV

configuration options that take advantage

of their existing online communications

infrastructure. Lastly, it provides the

advantage of implementing contactless

technology at the same time. As stated by

Smart Card Alliance, the “U.S. may evolve

to a hybrid combination of options to

best support venue, transaction type, and

compatibility with the rest of the world”.

Q: What is the cost versus the benefit?A: With every change of infrastructure –

be it cards, terminals or POS devices – an

investment cannot be avoided.

However, putting fraud-prevention

measures in place will pay off in the long

run both merchants and acquirers as well

as issuers. As an issuer, you can raise your

interchange fees a bit if you put fraud-

prevention measures in place. Another

incentive given by the schemes is waiving

the Payment Card Industry Data Security

Standard (PCI DSS) compliance validation

requirements; this to encourage merchants

to invest in contact and contactless chip

payment terminals.

Whilst the initial investment is considerable,

implementing EMV chip technology

in the U.S. could speed up mobile and

contactless payments. The devices that

accept EMV chip cards are dual contact/

contactless devices. By installing these

devices to accept EMV, merchants are also

preparing themselves to accept mobile and

contactless payments. This can be seen as a

major benefit to an initial costly investment.

In a study based on a fictitious bank with

5 million cardholders and average market

characteristics, MasterCard Advisors

estimated losses could be as high as $25

million if EMV migration is delayed until

2015, rather than starting in 2013. It’s clear

that there is the potential to significantly

reduce losses and take advantage of added

benefits by migrating to EMV sooner rather

than later.

And finally, cardholders will also see

the implementation of EMV as a huge

benefit. With market penetration of EMV

technology deployment growing around

the world, the magnetic stripe technology

becomes more and more outdated. Tens

of millions of U.S. cardholders have been

inconvenienced abroad over the last few

years by being refused to accept their cards

and even more by not being served at

unattended terminals.

Q: What are the risks of not migrating to EMV?A: Delaying migration to EMV may cause

an increasing risk of loss, largely due to the

Every change of

infrastructure requires a

significant investment.

Reap the benefits of the

EMV discussion by choosing

a solution that fits a

combination of technologies,

to ensure you are ready for

the future.

page 3

EMV in the US

page 4

EMV in the US

impact of fraud migrating from countries

where EMV deployment is more advanced.

Delaying EMV implementation could

impact on the rise of US fraud, as well as on

the decline of cross-border revenue; fewer

merchants in EMV-mature countries will

accept cards that are not EMV compliant.

Secondly, EMV migration will spark the

development and acceptance of additional

technologies (e.g. mobile payments) and

as a bank or merchant you need to assess

what impact this will have on the future.

The EMV migration could be a good start to

future-proofing your payment solutions.

Q: Is EMV going to be here for the next 10 years?A: EMV is a standard towards a more secure

payment solution, and has been around

for nearly 20 years already. And now, with

NFC technology and mobile payments

developments, EMV is evolving. EMV is

collaborating with the NFC standards

organizations on building EMV compliance

into NFC payments. EMV technology

and mobile payments require similar

infrastructure requirements. There could

be an increased EMV compliant processing

system added to the payment ecosystem

across the world, meaning that EMV will

probably be here for a long time to come.

Q: How should banks/merchants handle the migration to EMV?A: There is a not a specific guide or a set

process on how to handle the migration to

a new technology. However, understanding

some fundamentals is essential.

Before getting started, it’s always a good

idea to educate yourself on the topic you

are going to invest time and money in.

Merchants, issuers, acquirers and other

involved stakeholders need to learn about

EMV; including the technical standard, the

implementation process and infrastructure

requirements.

Secondly, it's important to know your

options. There are various EMV-compliant

card programs that can help you get

started. This can include pilot programs

that do not fully commit to the

infrastructure investment of an in-house

bureau; central issuance or instant issuance

of EMV-compliant cards; or PIN change and

PIN selection. And, it can mean determining

what is right for you and your cardholders,

such as offering contact, contactless or

dual-interface cards.

Also ensure to gain a clear understanding

on the costs involved when starting an

EMV project. This includes everything from

infrastructure changes to cost per card.

Finally, future-proof your solution by

understanding how NFC technology is

related to EMV technology. The adoption of

a dual-interface chip technology will help

prepare the U.S. payment infrastructure for

the arrival of mobile payments supported

through NFC. Understanding the migration

to NFC is important to consider in terms

of how NFC technology will evolve in

the financial and payment landscape,

including the affect it will have on

necessary infrastructure to accept certain

technologies.

Q: What are the timelines and project risks? A: Important deadlines can be found at

the end of the document. Apart from that,

The approach to successful

EMV migration starts

with education. Gain an

understanding of what EMV

is about; know your options;

consider costs carefully and

future-proof your solution

to support mobile payments

developments.

we have set out the issues to look at when

looking to migrate to EMV and contactless

technology:

1. EMV and contactless technology have

a major impact on the entire acceptance

infrastructure and require thorough

planning to ensure a smooth migration.

Ensure you understand all deadlines

set by all major payment schemes and

collect their requirements for the EMV

implementation.

2. EMV alone is something that requires

many hours of training to understand. With

contactless and possibly mobile added

to this and being different for each of the

brands puts more resources required for

the training that is needed. Don’t overlook

the time and investment needed to

take in the necessary knowledge. Being

well-informed is the first step of a successful

technology change.

3. Take testing and certification in

consideration as each brand has its own

certification process and requirements

that need to be adhered to. A robust test

plan needs to be in place to enable timely

certification of a number of different

brands. Taking the time to properly test the

infrastructure (both chip and terminal) will

eventually proof to be a worthy investment.

4. PCI enhancements including P2PE

should be considered in addition to the

implementation of EMV and contactless

technology to ensure deployed devices will

be compliant for proposed PCI changes.

Considerations for issuers:

When making an educated decision

on whether or not to migrate to EMV,

issuers may want to askl themselves the

following questions: Where are you in the

development lifecycle? Do you believe the

dates will hold? What type of solution will

you support? Will you force reissue all cards

by 2015 or use existing reissue schedule?

Will you start to reissue when the industry

is ready (and potentially miss the liability

shift date)?

Considerations for merchants:

Merchants on the other hand have different

questions to consider, if they are still in

doubt whether to migrate to EMV. Based

on a seven to year POS lifecycle, merchants

could take advantage of their existing

replacement cycle, if meeting the liability

shift date is not critical for them. This is

however a risky strategy as it could lead to

multiple certification exercises and require

support of two different POS systems.

Merchants could also deploy hardware

in advance of soft/firmware updates

(which buys time and ensures hardware is

consistent across all locations and allows

for same software utilisation), there is a

risk that the hardware will be obsolete if

software upgrade or hardware deployment

takes more than five years.

Q: Should we skip EMV and implement mobile technology instead?EMV technology is a core component

of mobile payments (based on NFC

technology), and can be viewed as a

prerequisite for NFC mobile payment

adoption.

page 5

EMV in the US

“As the Canadian payment industry commences

its long-term migration to EMV Chip over the next

several years,” said Global Payments Canada President,

Jordan E. Cohen, “we are committed to providing

our merchants with the most robust and advanced

payment solutions in the market.

UL's comprehensive testing and certification

environment is just one example of how we are

facilitating a seamless EMV Chip migration for our

customers.”

By adopting EMV, much of the work that

is required to enable NFC technology

is already out of the way - notably the

dynamic authentication upon which both

technologies are based.

The likelihood of mobile payments

taking off through the adaptation of NFC

technology is much greater as the number

of NFC-enabled smartphones (currently

on the market and currently in use) and

contactless POS terminals are constantly

growing. Although we may not be able to

predict exactly when NFC-based payments

will take off, we can say with certainty

that it will happen (also considering the

large number of NFC pilots in the world).

Preparing yourself for this development

early can make market entry easier and

cheaper.

Considering the similarities in the

technologies, the requirements pushed

by the schemes and the rest of the world

having implemented EMV already, mobile

payments will most likely not be the

solution to be chosen over EMV, however

they are one of the drivers to smarter

solutions in a rapidly changing market

place.

page 6

EMV in the US

About UL Transaction Security

UL is the world leader in advancing safety with

over a hundred years of history. Employing

more than 10,000 professionals in over 100

countries, UL has five distinct business units

- Product Safety, Environment, Life & Health,

Knowledge Services and Verification Services

- to meet the expanding needs of our custom-

ers and to deliver on our public safety mission.

Through the acquisition of RFI Global, WIth-

am Laboratories and Collis in 2010 and 2012

respectively, UL is uniquely positioned as the

world’s number one competence center in

transaction security technology. UL acts as

your independent, trusted partner for end-

to-end transaction security services for the

mobile, payment, e-Ticketing and ID manage-

ment sectors on a global scale.

UL’s comprehensive transaction security ser-

vice line provides advisory services, expert

training courses, test tools and simulators, test

services and certification and security evalua-

tion services. Our thought leadership, close

involvement with leading industry bodies and

extensive experience enables UL to keep up

with the rapid pace of transaction innovation

for years to come.

Important dates and deadlinesVisa

• August 9, 2011. Visa announced plans to

accelerate chip migration and adoption

of mobile payments in the U.S., through

retailer incentives, processing infrastructure

acceptance requirements and forged card

liability shift.

• October 1, 2012 – PCI Audit Relief: If more

than 75% of merchant Visa transactions

originate from EMV-compliant POS

terminals that support both contact and

contactless transactions, the merchant may

apply for relief from the audit requirement

for PCI compliance.

• April 1, 2013 – Acquirer Compliance.

Acquirers and sub-processors must be

enabled to handle full EMV chip data in

transactions.

• October 1, 2015 – Counterfeit Card Liability

Shift. The party that has made investment

in EMV deployment is protected from

financial liability for card-present forged

fraud losses on this date. If neither or

both parties are EMV compliant, the fraud

liability remains the same as it is today.

• October 1, 2017 – Counterfeit Card Liability

Shift, Automated Fuel Dispensers. This

extends the card-present forged card

liability shift to automated fuel dispensers.

MasterCard

• January 30, 2012. MasterCard announced

their U.S. roadmap to enable the next

generation of electronic payments, with

EMV the foundational technology.

• October, 2012 – PCI Audit Relief: If

more than 75% of merchant MasterCard

transactions originate from EMV-compliant

POS terminals that support both contact

and contactless transactions, the merchant

is relieved of audit requirement for PCI

compliance.

• April, 2013 – Acquirer Compliance.

Acquirers and sub-processors must be

enabled to handle full EMV chip data in

transactions.

• April, 2013 – Cross-Border ATM Liability

Shift. MasterCard will extend its

existing EMV liability shift program for

inter-regional/cross-border Maestro ATM

transactions taking place in the U.S.

• October, 2013 – Account Data

Compromise (ADC) Relief for merchants.

On this date, if at least 75% of MasterCard

transactions originate from EMV-compliant

contact and contactless POS terminals, the

merchant is relieved of 50% of account data

compromise penalties.

• October, 2015 – Fraud Liability Shift.

MasterCard liability hierarchy takes effect.

The party that has made investment in the

most secure EMV options is protected from

financial liability for card-present fraud

losses for both forged and lost, stolen and

non-receipt fraud on this date.

• October, 2015 – Account Data

Compromise Relief: On this date, if at least

95% of MasterCard transactions originate

from EMV-compliant POS terminals, the

merchant is relieved of 100% of account

data compromise penalties.

• October, 2017 – Fraud Liability Shift,

Automated Fuel Dispensers. MasterCard

liability hierarchy takes effect for

automated fuel dispensers.

Discover

• March 15, 2012. Discover announced

implementation of a 2013 mandate for

acquirers and direct-connect merchants

in the U.S., Canada and Mexico, to support

EMV. Discover’s approach will support all

card authentication channels (online and

offline), all cardholder verification methods

(including both chip and PIN or chip and

signature transactions), and all commerce

channels (contact and contactless,

including mobile).

American Express

• June 29, 2012. American Express

announced its U.S. EMV roadmap to

advance contact, contactless and mobile

payments and its plans to begin issuing

EMV-compliant cards in the U.S.

• April, 2013 – Acquirer/Processor

Compliance. Processors must be able

to support American Express EMV

chip-based contact, contactless and mobile

transactions.

• October, 2013 – PCI DSS Reporting Relief.

Merchants will be eligible to receive relief

from PCI Data Security Standard (DSS)

reporting requirements if the merchants’

POS acceptance locations, where 75% of

their transactions occur, are enabled to

process American Express EMV chip-based

contact and contactless transactions.

• October, 2015 – Fraud Liability Shift.

American Express will institute a fraud

liability shift policy that will transfer liability

for certain types of fraudulent transactions

away from the party that has the most

secure form of EMV technology.

• October, 2017 – Fraud Liability Shift,

Automated Fuel Dispensers. American

Express fraud liability shift takes effect for

transactions generated from automated

fuel dispensers.

page 7

EMV in the US