For the past two years, acquirers and processors have taken aim at the lengthy EMV chip-card certification process as a major stumbling block for U.S. merchants preparing to upgrade from magnetic stripe technology in time to avoid a shift in fraud liability.
The certification process generally takes months, as all of a merchant's hardware and software in the EMV transaction routing process is tested for accepting the various applications and protocols specific to each card scheme.
Any merchant not deep into that process by now is not likely to be ready by Oct. 1, when card networks' mandated fraud liability shift takes hold. The party not able to accept EMV transactions at that time accepts the costs associated with any fraud. Elavon, a unit of U.S. Bancorp, feels it may have an answer for speeding up that process.
The Atlanta-based processor has converted its Simplify payment application to a pre-certified EMV app, taking card data out of the scope of the Payment Card Industry data security standard and shaving months of "angst and knowledge [merchants] don't have to have" in the EMV certification process, said Marianne Johnson, global executive vice president of product and innovation for Elavon.
Many larger merchants are already underway with their EMV conversion, but many mid-size and smaller merchants are just beginning to educate themselves, Johnson said.
"Anything that makes the EMV testing process easier for small or mid-size merchants is good news for the networks," said Tim Sloane, director of emerging technologies advisory services for Boston-based Mercator Advisory Group.
Elavon owns the security key for its encryption and tokenization services, much like some solutions from Heartland or First Data, turning Simplify into an EMV-compliant tool that would "make the networks very happy," Sloane said.
Though Elavon is taking on the role of certifying a system for the networks, the company may face a challenge with merchants who use different software for loyalty programs or when storing customer data for other uses, Sloane said. Elavon would have to change all of those programs to adjust to the encrypted data stream, he added.
"But it is absolutely brilliant and will greatly simplify PCI compliance [during the EMV transition]," Sloane said.
Prior to the EMV shift, Simplify operated as a data encryption system at the point of sale. It is now certified to handle EMV transactions by carrying out EMV cryptograms, data encryption and tokenization from a secure element in the terminal. It protects cardholder data in transit, in use and at rest, sending transaction data to Elavon's Fusebox Gateway to generate a token.
"The merchant does a 'mini certification' with us, and we take care of the EMV certification, so they don't have to do a re-certification with any EMV changes down the road," Johnson said.
Getting merchants out of scope of the PCI standard, which describes how companies must protect any payment card data they handle, is a trend that will gain momentum because merchants now realize they have to protect networks on multiple fronts, including systems not typically associated with payments, Johnson said.
The highly publicized Target data breach in 2013 began when hackers were able to steal the credentials to the company's H-VAC system. The incident illustrated the depth of cyber attacks into retailer networks and reinforced the opinion that data protection should come in multiple layers.
"This is the new normal, and a merchant can no longer not do these types of protections," Johnson said.
The EMV-certified Simplify app would protect merchants who have non-payment software operating other aspects of their business, Johnson said. "The integrated software we are putting on that device would take that whole system out of scope for PCI, and that's where the magic begins," she added.
Currently, White Castle restaurants are deploying Simplify in a secure element, Johnson said.
Because processors and acquirers have been seeking ways to make the EMV process an easier task, Elavon's news at first glance may seem "too good to be true," said Angela Angelovska-Wilson, a financial services and banking lawyer at Reed Smith LLP.
But it signals a new phase of the EMV process if Elavon takes on the certification tasks for merchants and gains network approval, Angelovska-Wilson said.
"Many processors are moving forward with their certification, but most are still in the process of receiving that certification," Angelovska-Wilson said.
In some cases, merchants have been seeking agreements with processors for tokenization and other services related to EMV, but the processor may not be ready to deliver, she added.