Computing Applications

Ready or Not, Here They Come

Unlocking the latest in credit card security.
Chip-based credit cards are coming to the United States, featuring the latest in encryption technology. This will create enable more secure transactions, and cards that will function wherever the customer goes.

Magnetic stripes on credit cards – a technology that dates back nearly five decades – will soon be a thing of the past. The United States is one of the last hold-out nations to move away from mag-stripe cards and is now on a course to migrate to chip-based cards. With the U.S. on board, payments will become more secure, and customers will be able to use their cards seamlessly at home and abroad.

The chip card – or smart card, as they’re often referred to – isn’t a new technology. The standard was first introduced in 1996 and is known as EMV, which takes its name from the payment networks that helped develop the specification (Europay International, MasterCard, and Visa). EMVco LLC, the official standards body for EMV, is owned by American Express, Discover Financial Services, JCB, MasterCard, UnionPay, and Visa; the organization is responsible for the "EMV Integrated Circuit Card Specifications for Payment Systems," the formal standard designed to ensure payment interoperability worldwide. Since being introduced, EMV has been adopted in 80 countries, and more than 1.5 billion smart cards have been issued worldwide.

It wasn’t until 2011 that the payment networks in the United States set a migration timeline for merchants that accept cards, as well as for the financial institutions that issue them. Each of the payment networks – Visa, MasterCard, American Express, and Discover – published their own EMV roadmaps, and all agreed upon a "liability shift" that will go into effect in October 2015. The liability shift essentially shifts the responsibility for any fraud losses on credit cards from the card issuer to the merchant, if the merchant is not using EMV-compliant payment terminals. Up until this point, it has been financial institutions that suffered the loss when fraud occurred at the point of sale. This important date will help ensure that merchants have equipped themselves with the latest technology.

Why have the payment players in the U.S. decided that now is the time to move to EMV? Fraud is certainly one of the contributing factors. "EMV is a more secure transaction in EMV-enabled markets," says Rick Oglesby, a senior analyst with Aite Group. "Fraudsters will follow the path of least resistance, meaning that they will move to a country that does not have EMV. This puts a big bullseye on the U.S."

Wells Fargo, a leading retail bank and issuer of credit and debit cards, concurs with this assessment: "If you look to our neighbors to the north and south, both are in the middle of EMV conversions," says Peter Ho, manager of Digital Payments for Wells Fargo’s consumer financial services business. "The U.S. is therefore the perfect target."

The embedded microprocessor chip in EMV cards encrypts data differently for each transaction, making it exponentially more difficult for fraudsters to gather information than from mag-stripe cards, which contain static data that is more easily compromised. The UK, which had a card fraud loss rate three times higher than in the U.S. prior to the implementing EMV, saw its fraud rate from counterfeit cards drop by 63 percent from 2004 to 2010.

Another key driver behind the move to EMV is the lack of global interoperability. Wells Fargo’s Ho said that some international merchants have "flat out told their employees, ‘no chip, no transaction.’" This has created problems for US travelers abroad who are unable to use their US-issued mag-stripe cards at international retailers, restaurants and train stations. "There is a customer convenience and customer experience point of view" that is driving the move towards EMV, says Ho.

Many U.S. credit card and debit card issuers are still in a wait-and-see mode, but others have experimented with EMV cards in some capacity. Chase Card Services, the credit card arm of JPMorgan Chase, was among the first major U.S. banks to issue EMV cards, focusing on cards used by frequent international travelers, such as the British Airways Visa Signature Card. Other leading issuers, including Wells Fargo, American Express, Citi, and Bank of America have dipped their toes into EMV card issuance, and will likely accelerate as the merchant market becomes more prepared.

Getting cards in the hands of users is just one step in the process of moving to a global standard and must be, in fact, preceded by other important pieces of the puzzle that are necessary to ensure the cards actually function. In April 2013, merchant acquirers – the intermediaries responsible for processing payment card transactions – were required to show that their systems were capable of supporting EMV payment transactions. This was the first step in the process that extends out to 2017, when all merchants will be required either to have EMV-compatible payment technology, or take responsibility for potential fraud losses.

For their part, terminal manufacturers were prepared for the eventual move to EMV in the U.S. Aite Group’s Oglesby said top manufacturers were actually disabling EMV functionality in equipment sold in the U.S., while the same terminals were being sold in other EMV-ready markets with this feature turned on.

Getting EMV-compliant terminals to the market is not going to be a problem; "since August 2011, terminal manufacturers began selling upgraded EMV terminals here, so there is a good flow of the technology in the market already," says Oglesby. He also says that the normal equipment replacement cycle of about five years means that most terminals will be ready when the majority of cards hit the market. The greatest challenge is likely yet to come; ensuring that these terminals are up to date with the latest software will create more headaches for terminal deployers and merchants than any other issue.

The EMV standard has yet to be finalized in the U.S., and issuers have multiple possible configurations for how they want their cards to function. The software that resides on the individual terminals needs to be updated as the standards evolve. Stand-alone terminals will be the most difficult to upgrade, creating problems for merchants – especially smaller merchants that do not have the information systems infrastructure and support that large chains do. "Major global merchants that already do business in other countries get it – they’ve already been through it. US-only merchants – they don’t know what’s coming," said Oglesby.

Oglesby says cloud-based terminals "will be of increasing importance in the U.S." Cloud-based servers present the best opportunity for keeping software up to date, as the millions of terminals located at merchants across the country can be updated remotely, with little to no intervention.

While there are many challenges ahead, the good news is that the U.S. can learn from the experiences of other nations. "There is a wealth of industry knowledge and best practices available from other markets that have already migrated to EMV," says Randy Vanderhoof, director of the EMV Migration Forum, a cross-industry body that brings together the many constituents in the payments space. The migration timeline should be sufficient to allow all parties in the payments ecosystem to adapt to the new standards. Though there will be some bumps in the EMV migration road, the ultimate benefit will be a more secure and globally interoperable payments system.

Mark Broderick is a Tampa, FL-based senior research analyst covering the financial services and payments industries for ORC International.

Join the Discussion (0)

Become a Member or Sign In to Post a Comment

The Latest from CACM

Shape the Future of Computing

ACM encourages its members to take a direct hand in shaping the future of the association. There are more ways than ever to get involved.

Get Involved

Communications of the ACM (CACM) is now a fully Open Access publication.

By opening CACM to the world, we hope to increase engagement among the broader computer science community and encourage non-members to discover the rich resources ACM has to offer.

Learn More