The EMV Migration Forum has recruited a test group of merchants, retailers and issuers to begin handling EMV-chip cards in Orlando, Fla., early to spot and fix problems before the card networks' deadline of October 2015.
The first phase of the implementation will help monitor how the technology performs, and enable stakeholders to share information with other participants "before they make the major investments and planning to roll out [EMV] on a national level," says Randy Vanderhoof, director of the EMV Migration Forum and executive director of the Smart Card Alliance.
The U.S. is in the process of moving to the EMV standard, which improves security over magnetic-stripe cards. Most merchants who miss the October 2015 deadline would face an increase in fraud liability; fuel merchants have until October 2017.
"We believe the Phase 1 program is a great opportunity to work with our partners in the ecosystem in Orlando to roll out EMV and obtain early feedback," says Erik Vlugt, vice president of product marketing for VeriFone, which will be participating in the test. The forum hopes to implement the test in the fall of 2014 or early 2015, Vanderhoof says.
The test is designed to provide clues on security work that would remain after the migration. EMV, for example does not address security for card-not-present transactions. And while EMV reduces fraud at the physical point of sale, since the chips in the cards cannot be used to make a counterfeit card, merchants must still secure payments data as it travels to the processor, Vlugt says.
To secure payment information, some merchants use end-to-end encryption to protect consumer data so it can be reused in card-not-present channels, Vanderhoof says. Other methods include issuing consumers one-time passwords when shopping online, either from their bank or through personal handheld EMV readers, Vanderhoof says.
Additional options include device fingerprinting, which vets security risk based on the user's computing device, and risk scoring, which sets the amount of authentication needed based on the user's profile. There will be some challenges to the test's participants to share more information than normal.
"Merchants don't typically share much information about how their payment strategy evolves but there's going to be a lot of important lessons learned in terms of marketing and education," Vanderhoof says. We want to "ensure that we have a smooth and seamless implementation in this country; [with the test] we can hopefully find the problems that may happen early enough before they start to affect other parties in the marketplace."
The recent Target Corp. data breach drew attention to the merits and shortcomings of chip-based cards. Despite regulatory and legal uncertainties that could affect EMV migration in the U.S., MasterCard Inc. recently stated that it intends to stick to its October 2015 deadline. While many credit unions across the nation are fast-tracking their EMV efforts after the Target breach, other players, including banks and merchants are awaiting guidance from Visa regarding a possible shift in its EMV timeline.