U.S. merchants, card issuers, and payment processors are beginning to switch over to EMV. However, there are frequent reports that large numbers of U.S. merchants are not ready.
Various industry trade groups have contested different aspects of the U.S. EMV liability shift, and the processors need more staff to complete EMV certifications fast enough to keep pace with demand. What's needed is a layered approach that includes point-to-point encryption (P2PE) along with tokenization.
Merchants, small card issuers and small merchant banks stand to bear the greatest burden of the EMV shift. Merchants must invest in EMV-capable terminals and system solutions at a substantial cost.
Because EMV cards are much more expensive to produce than traditional magnetic stripe cards, small card issuers and co-issuers are also burdened with the costly retooling of the cards they issue. If they issue contactless EMV cards, these can cost up to two times more than a typical EMV card. Finally, small merchant banks, independent sales organizations (ISOs) and agents have very little control or say over the makeup of the payments industry and stand to lose the most from this liability shift if they cannot influence change or get their merchant customers prepared for EMV.
EMV technology was designed to authenticate cards at card-present payment terminals. It helps to prevent the use of fraudulent cards in stores better than traditional magnetic stripe cards. However, EMV is not 100% secure nor was it designed as a security method to protect the merchant’s payment environment. This means that a well-constructed EMV solution requires the use of layered security to protect sensitive cardholder data, including:
P2PE. All card data should be encrypted, no matter the payment type, from the time it is keyed, swiped, inserted, or tapped (such as when using mobile wallets). Merchants should use a device that encrypts at the point a payment terminal interacts with a card or mobile wallet so that no payment information is ever in the clear and at risk of being stolen by a savvy hacker. This shrinks the merchant’s cardholder data environment to the secure device level, reducing much of the merchant’s breach profile and their PCI DSS scope along with it, something that EMV alone can’t do.
Tokenization. All card data should be removed from the merchant environment and placed under the protection of an organization that considers the security of their merchant customers’ payment processing its primary job. To do this, merchants must adopt a security- or storage-based tokenization solution, which replaces sensitive cardholder data with non-decryptable information that is meaningless to all but a select few. This differs from emerging “payment token” solutions, such as those offered by mobile wallets, by providing security for merchant systems, not just individual consumers.
EMV. EMV has merit for authenticating card-present transactions. Still, merchants should implement EMV in a strategic fashion, making sure to add the layered security of P2PE and tokenization to protect their customers’ payment information from data thieves by removing that sensitive data from the merchant environment entirely.
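The following is an added illustration, not code from the article or from Shift4, of the storage-based tokenization layer described above: the merchant's own records keep only a random token (plus the last four digits for receipts), the mapping back to the card number lives in a vault the merchant does not hold, and a simple scope check confirms no primary account number (PAN) is sitting in the clear on the merchant side. The `TokenVault`, `merchant_checkout`, `find_clear_pans` names and the test card number are assumptions made for this example; terminal-side P2PE encryption is not modelled here, the example simply assumes the PAN reached the vault over the processor's encrypted channel.

```python
import json
import re
import secrets
import string

def luhn_valid(number: str) -> bool:
    """Luhn check on a digit string. Catches keying errors, not fraud."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

class TokenVault:
    """Storage-based tokenization vault (hypothetical). Held by the
    processor/service provider, never by the merchant systems."""

    def __init__(self) -> None:
        self._token_to_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not pan.isdigit() or not 13 <= len(pan) <= 19 or not luhn_valid(pan):
            raise ValueError("not a plausible PAN")
        # The token is random, not derived from the PAN, so there is nothing
        # to decrypt or reverse. Letters only, so the only digits a merchant
        # record ever carries are the last four kept for receipts.
        while True:
            body = "".join(secrets.choice(string.ascii_letters) for _ in range(16))
            token = f"tok_{body}_{pan[-4:]}"
            if token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault owner (processor) can map a token back to a PAN."""
        return self._token_to_pan[token]

def merchant_checkout(vault: TokenVault, pan: str, order_id: str, amount_cents: int) -> dict:
    """Merchant-side sale record. The PAN is handed to the vault immediately
    and only the returned token is stored."""
    token = vault.tokenize(pan)
    return {"order_id": order_id, "amount_cents": amount_cents, "card": token}

def refund(vault: TokenVault, record: dict) -> str:
    """Later operations (refunds, recurring billing) use the token; the
    processor resolves it to the PAN on its side."""
    return vault.detokenize(record["card"])

# What a PCI scope check looks for: 13-19 digit runs that pass Luhn.
PAN_PATTERN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")

def find_clear_pans(records: list[str]) -> list[str]:
    """Scan serialized merchant records for card numbers in the clear."""
    hits = []
    for text in records:
        for m in PAN_PATTERN.finditer(text):
            if luhn_valid(m.group()):
                hits.append(m.group())
    return hits

if __name__ == "__main__":
    # Constructed sample input: a standard test card number, not a real card.
    vault = TokenVault()
    rec = merchant_checkout(vault, "4111111111111111", "order-17", 1999)
    print("merchant stores:", json.dumps(rec))
    print("PANs in clear on merchant side:", find_clear_pans([json.dumps(rec)]))
    print("processor resolves token to:", refund(vault, rec))
```

The scope check is deliberately crude (a Luhn-passing digit run); in practice it is the kind of scan run over logs, databases and file shares to prove the cardholder data environment really has shrunk to the vault and the terminal.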
Though big undertakings such as the transition to EMV can be confusing, merchants must not be pressured into a quick solution that doesn’t meet their specific needs. Instead, they should take the time necessary to implement EMV as a step in the path to true security, not as a security solution in and of itself.
By layering EMV with the security of P2PE and tokenization, merchants can better authenticate cards used at card-present payment terminals, with the added bonus of securing that card data throughout the transaction process and within their systems and networks. This will ensure that their environment – and their customers’ payment information – is protected against the attacks of hackers.
J.D. Oder II serves as Shift4's Senior Vice President of Research and Development and Chief Technology Officer.