How EMV has grown beyond the chip on a card
Nearly four years after the first standard for chip cards was published in 1995, the major card brands created EMVCo to develop, manage, test and accredit future EMV specifications and interoperability.
As such, the privately owned corporation is often seen as an extension of the card brands that deals only with chip-based EMV plastic cards while forcing new standards onto the payments and security industries. But with the rise of e-commerce, payment wearables, contactless payments and the need for tighter security during the COVID-19 pandemic, EMVCo's role has come into sharper focus.
The development of the Secure Remote Commerce specification, or the Click to Pay button, as well as the 3-D Secure 2.0 upgrade, tokenization, encryption, biometrics and various card and mobile device specs for QR codes or Near Field Communication have taken EMVCo far beyond contact chip cards.
"The U.S. seems to have adopted the phrase EMV technology when talking about the chip, and they use that interchangeably with 'chip technology,'" said Brian Byrne, director of engagement and operations at EMVCo. "It makes it difficult for us to explain who we are and what we do."
But one thing has not changed for EMVCo. The organization does not deploy the technology it develops and tests.
"One thing we lose sight of sometimes, at the national level, is that every country is going to figure out how they want to use the new technology to best meet their own needs," Byrne said. "There are different uses for each country, and EMVCo presents the technology to be able to be used that way."
In short, EMVCo provides the tools and makes sure they work under various circumstances — with interoperability being its main focus — and may not know right away how the payments networks are using those tools.
"We do enable new technology or increased security, as all of these things evolve, and EMVCo is working on them to support the ecosystem," said Bastien Latge, director of technology at EMVCo.
Contactless specifications could include signature authorization, PIN at the terminal or PIN online, or biometrics, Latge said.
"But the customer verification methods are set up by those who design how they want that process done," he added. "In terms of contactless, most of the transaction value limits have been changed to higher amounts, so there are no verification platforms needed on those."
The EMV family
Members of the EMVCo corporation include Visa, Mastercard, American Express, Discover, JCB International and China UnionPay. But EMVCo casts a wide net of technology providers and payments organizations that it communicates with when developing specs. It's a list that includes virtually every key payments company, technology provider, security firm or financial services organization.
Some firms provide feedback, while others more closely engage with EMVCo in supporting the payments ecosystem — such as the European Payments Council, U.S. Payments Forum, W3C, and Payment Card Industry Security Standards Council.
"I think that EMVCo does what it does very well, and the growth of alternative payments and payment delivery channels like the W3C Payment initiative actually help to clarify their role," said Thad Peterson, senior analyst with Aite Group. "They are about the secure transmission of data for the global payment card networks, and they are clear that this is their remit."
Other payment alternatives are increasingly visible and garnering a larger share of the non-card payment ecosystem, and EMVCo doesn’t really need to be concerned about that, Peterson added.
"Payment cards dominate global non-cash payments and while growth of alternatives will continue to expand, the global card networks will be core to payments for the foreseeable future," Peterson said. "The work that EMVCo is doing to increase the security around card-based transactions is important to every player in the ecosystem, whether or not they are a card network participant."
Merchants get a say
Even more telling in the growth cycle of EMVCo is that it counts merchant organizations among those it considers important voices on its board of advisors. This had not always been the case, leading to some animosity among merchants who already had plenty of darts to throw at the card brands regarding the costs of card acceptance.
The Merchant Advisory Group is a member of the EMVCo board of advisors and, while it may not be a perfect system, the merchants have found it to be a much better process than making comments after the decisions have been made.
"We have spent a lot of time with both EMVCo on the specification and the networks on the implementation of Secure Remote Commerce," said John Drechny, CEO of Merchant Advisory Group. "Many of our suggestions have been taken and we believe the spec is better because we had the ability to be part of the conversation."
That type of input doesn't mean merchants in general no longer have concerns around the implementation. And once EMVCo puts a tool in place, the deployment and operating rules fall to the networks.
"One of the biggest concerns for merchants is around the fact merchants place more trust when receiving the credential through the SRC product yet they still own the liability of the transaction," Drechny noted.
Merchants also don't want to lose the ability to decide by brand which wallet they want to make available on their site.
"Before SRC, merchants could choose to implement Visa Checkout and not implement Mastercard Masterpass," Drechny said. "With SRC, if merchants implement the spec, they must accept cards for all wallets in which they generally accept the card."
Facing the future
EMVCo has largely stayed out of the disputes between merchants and the card brands. But that doesn't mean it can't help both sides.
Seven years ago, independent debit networks, merchants and the card brands engaged in a sometimes heated debate over how to route debit transactions through EMV technology in order to comply with the Durbin amendment mandate to allow merchants at least two routing choices. It became a hot topic in the U.S. simply because it has far more independent debit networks than any other country already using EMV chips and the question about routing options had not initially been addressed.
Ultimately, Visa and Mastercard said they would share the common application identifier technology and coding needed for all merchants to comply with the new law, and for independent debit networks to be options.
"There were a lot of business questions around the common AID question to support domestic debit networks, but from EMVCo's standpoint it was determined very quickly that the spec was actually flexible enough to do whatever the U.S. needed to do," EMVCo's Byrne said. "It would work as developed, rather than building out something new for what the U.S. needed."
That general principle regarding flexibility applies to all specs that EMVCo builds, including the new SRC for e-commerce, Byrne added.
As for 3-D Secure, EMVCo got involved in the 2.0 update, but was not part of the initial technology developed through Visa. The cumbersome process for 3-D Secure when it initially launched — a second password entered at the point of purchase, causing much cart abandonment — became much smoother after EMVCo rewrote the spec and added enhancements for it to work on apps and mobile phones.
"We didn't really tinker with the old spec," Byrne said. "We really took the concept and redid it, as the difference between those two specs is significant."
It's important for EMVCo to obtain feedback from any industry in which advancing payments technology would be vital.
Essentially, EMVCo specs evolve based on much of that feedback, particularly in terms of making sure the specs work in all scenarios.
"A good example is feedback from the gaming industry," EMVCo's Latge said. "We had released EMV for years and the gaming industry kept coming to us and wanting the ability for a person to buy something during the course of their game without spending five or 10 minutes to do so."
As a result, Latge said, it is likely that 3-D Secure would ultimately be enhanced to make it possible "for a gamer to buy things during the game and do it quickly without interrupting the game taking place."
Don't confuse it with PCI
While EMVCo does confer with the PCI Security Council often, the two bodies have different roles — and do not have any authority to approve or reject each other's specifications.
"We think there is a very complementary nature to the work that we do," Byrne said.
The major card brands came together in the early 1990s to combine the various security standards they had established for different global markets and formed the concept of PCI compliance and the data security standard. Within that standard, PCI provides numerous guidelines, recommendations and specifications to follow in operating a secure payments network.
"We put out a new spec that, by its nature, is going to be involved with card payments. And that is what we do," Byrne said. "How that sensitive data is protected, that is PCI's world and they look at it from that perspective."
Still, EMVCo's testing and certification processes support emerging payment card acceptance requirements — heightening PCI's awareness of what is coming and what sort of security measures it might need to develop and institute.
Most recently, EMVCo has focused on enhanced contactless spec development and testing infrastructure to support deployment of contactless payments, as well as providing a new EMV terminal integration testing framework that reduces the time it takes for terminals to go live.
In addition, new terminal certification processes assure good consumer experiences when commercial off-the-shelf devices like mobile phones are used at a terminal, and an updated security evaluation process supports software-based device payment applications and the internet of things.
"We want the work we do to make it easier for everyone to compete, and that is one of the reasons that EMVCo specs have always been royalty free," Byrne said. "It's for those global and regional payment networks around the world who want to build their own card-based solutions."