Making the Bitter EMV Migration Pill Easier to Swallow
By Jeremy Gumbley, CTO of Creditcall
The U.S. is one of the last major countries to tackle the transition to EMV, and its merchants are left to navigate looming deadlines for an inevitable and necessary transition to Chip technology. While the process can be tedious, complex and daunting, there are ways to ease the transition.
We often hear many concerns (and often misconceptions) from merchants navigating the tricky process of migrating their processing system. To help make the transition easier, here is advice on the 5 major pain points:
1. Picking a PINpad
One of the first steps in merchant migration requires the selection of a PINpad. But this creates several variables to consider within the decision-making process. For example, what is the environment of the sale—attended or unattended? If the environment is unattended, there are a few questions merchants will need to ask themselves:
– What CVMs (Cardholder Verification Methods) do I want to support?
– How important is PIN Debit? (This will influence the need for a PINpad)
– Do I want to support full EMV with CVMs so that foreign EMV cardholders feel at home?
If the environment is unattended, a contactless unit will probably be required, and it will physically take up a bit more room. When deciding on a PINpad, merchants have to consider whether to support Chip and PIN or Chip and Signature. Chip and PIN is the more secure route—when Chip and PIN was rolled out in the UK, total losses from fraud fell from 218.8 million pounds ($356.5 million) in 2004 to 98.5 million pounds ($160.5 million) in 2008. In environments where debit cards are prevalent, PIN will need to be supported.
2. Updating processor interfaces for EMV messages
Most processor interfaces were created to authorize magnetic stripe data; in some cases they were created many years ago and have remained untouched ever since. These interfaces require an update to support the richer dataset that an EMV transaction generates. This can be a more complicated endeavor, as merchants have to depend on third parties to update their systems, or they may have to recreate the interfaces because the programming code has not been maintained or the original developer has left. Another factor to consider is the sheer volume of merchants who will be undertaking the same process and whether their processor partners can keep up with demand.
3. M-TIP/ADVT/AEIPS/DPAS certification
Perhaps the biggest change with EMV is the rigorous certification regime. Most merchants are unaware of the multiple layers of brand certification required before a solution can go live. If merchants are amply prepared and budget enough time for the various certifications, the migration process is made much easier. In mature EMV markets a typical certification cycle can take between 10-16 weeks. Additionally, it is advisable to allow extra time on a first certification for documentation interpretation errors, unforeseen technical issues, and test host and analyst availability. Certification is not a one-off process; there are a number of factors that may require additional rounds of certification in the future on the same solution.
4. Terminal Management System
All EMV-enabled solutions will require frequent data updates to cover new data elements such as CA Public Keys and Data Object Lists. For example, having the correct CA Public Key is critical to the cryptographic operations of EMV. Terminal management is often an overlooked part of the process, yet it is critical to the successful implementation of EMV.
5. Certifying for PCI P2PE
The PCI P2PE (Point-to-Point Encryption) standard ensures that solutions meet stringent requirements for card data protection. Like many PCI standards, PCI P2PE is detailed, security-focused and requires a significant effort to become compliant. PCI P2PE also de-scopes some of the problematic areas of PCI-DSS and PA-DSS, making it a win-win for the merchant and the industry.
Migrating to EMV may seem a daunting task in a payments landscape like the U.S., where it is not only inevitable but approaching a looming liability shift, yet it is a necessary shift in order to protect customer data. When approached with these key points in mind, migrating to EMV becomes a much easier pill to swallow.
Jeremy Gumbley gave a presentation at CARTES America 2014 titled ‘How to Make the Bitter EMV Migration Pill Easier to Swallow’.