TMCnet News
EMV Security [Credit Union Management](Credit Union Management Via Acquire Media NewsEdge) As key dates approach, CUs start to issue chip cards ahead of the merchant terminals that will process them, and explore tokenization. Action is still slow, but there's danger in waiting. After a long delay, U. S. card issuers are preparing to fight counterfeiters by introducing EMV chip cards. Doing so in the next year may be particularly beneficial for several reasons. "It is in the issuers' best interest to ensure all of their cardholders are carrying a chip card within the next 12 months," insists Bob Lowe, VP/business development at Shift4 Corp. (www.shift4.com), a Las Vegas-based payment company. Liability is set to shift on Oct. 1, 2015, at which point merchants, not issuers, generally will take the fraud losses that occur when EMV cards are presented (more on this below), he explains. A major credit union that already has converted its credit cards to EMV is $2.6 billion Virginia Credit Union (www.vacu.org), Richmond. All 60,000 outstanding cards now carry embedded microchips, reports CUES member Deb Wreden, SVP/ product and delivery strategy. A small test of 2,000 cards was mailed in January, and the remainder of the cards in the portfolio were delivered in February. Virginia CU wasn't positioning itself as an EMV pioneer so much as it was looking ahead; it was converting all its cards from Visa to MasterCard and decided to make them chip cards at the same time. The benefit to forging ahead was avoiding a second big reissue a year or two later, Wreden explains. Virginia CU found that EMV card stock costs three times as much as mag-stripe-only card stock, she reports. It also found that vendors can't stock up on EMV cards because the chips expire after seven years. While the cards Virginia CU is offering are all EMV, transactions in the United States are all still mag-stripe because merchants have yet to deploy EMV terminals, CUES member Chris Saneda, SVP/chief information officer notes. He's heard rumors that Walmart may start introducing the new point-of-sale technology soon. "We won't see any significant drop in fraud for a while," Saneda says. Counterfeit fraud will drop slowly as merchants introduce new terminals, he predicts. "We know that EMV is coming, and now we're ready," he concludes. Most CUs have yet to issue EMV cards. As a small credit union, "we'll let others take the lead and rely on our vendors to do the research and development and help us get ready," says CUES member Ernest Allen, CCE, president/CEO of $20 million Florida A&M University Federal Credit Union (www.famufcu.com) in Tallahassee. "As a university CU, we have members who travel abroad, so we'll be ready before the due dates, but we're not busy inventing solutions as this point." "We don't have a credit card portfolio, but we're interested in debit card security and avoiding those losses," reports CUES member Michelle Balog, executive vice president of $195 million NuMark Credit Union (www.numarkcu.org), Joliet, 111. "At this point, we're waiting and relying on our vendor [CUES Supplier member PSCU (www.pscufs.com), St. Petersburg, Fla.] for EMV direction. We're pretty much at the mercy of the large networks and their policies. We'll comply but not until we're ready, or maybe until EMV compliance becomes mandatory." Stripe vs. Chip How the data are stored is the difference between a traditional card and EMV, which once stood for Europay MasterCard Visa, the three card associations that developed the chip card standards. The traditional card puts data in the magnetic stripe on the back of the card, where it is easily accessible to skilled thieves. "Data on the mag stripe is clear, sequential and easy to read-essentially in the clear," notes Barney Moore, manager of portfolio consulting services for CUES Supplier member Card Services for Credit Unions {www.cscu.net), a Tampa, Fla., payments association that, with processor FIS (www.fisglobal.com), Jacksonville, Fla., provides card services to some 2,700 CUs. "In the microprocessor chip embedded in the EMV card, the data are more complex and harder to read." Even more significant from a fraud prevention standpoint, data in the mag stripe is static; the same data gets used over and over for every transaction tied to that card. The EMV chip supplies a critical number that changes with every transaction, he explains. Conversion will be a slow process, particularly on the merchant end, which is why all EMV cards will also carry the traditional mag stripe for the foreseeable future, Moore predicts. Merchants that lack the EMV readers will continue to process swiped cards. In those cases, security will not improve. CUs currently face no mandate or deadline for implementing EMV cards, Moore reports. What they do face is an October 1, 2015, date on which liability for fraud will shift from the issuer, which currently bears liability, to the "least secure entity," he explains. If a cardholder presents an EMV card to a merchant that still uses a mag-stripe reader, the merchant would be the least secure entity and would be liable for any fraud that occurred. If the merchant had an EMV reader and the cardholder presented a traditional card without the EMV chip, the issuer would be less secure and would bear the liability. The CU Response As a result, many CUs are resigned to issuing EMV cards eventually, but are not enthused by the prospect, Moore reports. "It's tough to justify internally the implementation cost unless you're experiencing serious fraud losses," he says. The chip cards themselves will cost more than the mag-stripe cards. The authorization processing will be more complicated and therefore probably more expensive. Some operating systems may have to be modified. And there will be the huge project of replacing a whole portfolio of cards and educating cardholders to understand and accept a different pointof-sale experience. Some U.S. CUs are introducing EMV cards by segment, Moore reports: giving them to global travelers, for example, who encounter primarily EMV merchants outside the country, or to fraud-prone segments or to members living along the Canadian border who may find them helpful when shopping north of the border, Moore says. "The cost is real and immediate," he notes. "The benefits are theoretical and delayed, except for those with large current fraud losses," he admits. That's why only a few CUs have forged ahead and issued EMV cards so far. "Most CUs are staying on the sidelines or moving slowly to test the waters," he reports. So far, only about 1 to 2 percent of the cards in circulation from U.S. issuers are EMV cards. Projections suggest that 96 percent of those cards will be EMV by 2018, so a lot of conversion will happen in the next four years, he suggests. While waiting postpones the financial pain, it has its own risks. "Issuers that don't shift to chip cards could become targets for more fraud as they start to stand out as weak links," Moore points out. "And resources are limited. As the October 2015 date approaches, there will be a rush of financial institutions seeking to convert and relying on processors to set them up for EMV issuance. Conversion takes time, and processors won't be able to handle a lot of financial institutions at once. "There could well be a bottleneck, and not every CU may be able to implement when they want to," he warns. "It's best to start now, establishing a multi-disciplinary project team within the credit union and working closely with your processor." Plan on about a year for completing the project, he advises, and include IT, marketing and operations on the team. Cardholder Behavior, Too The technical modifications needed to implement EMV include manufacturing the cards to include the microprocessor and installing point-of-sale equipment that can read the chip, but cardholder behavior will also be affected. "People are used to swiping a card and putting it back in their wallet," Moore explains. "With the EMV card, you don't swipe it; you insert it in the reader and leave it there for a few seconds while the authorization occurs. People may swipe the cards first in the familiar way and then be prompted by the equipment to insert them. It will take some getting used to. Tokens A key thing to keep in mind is that EMV cards only reduce fraud for card-present transactions where the chip on the card is physically connected to the credit networks. "Nothing about EMV prevents cardnot-present fraud (such as happens with Internet purchases), which is why almost every country that has implemented it has seen an increase in online fraud after launching EMV. Unfortunately, the solutions they've come up with-things like Verified by Visa (http://tinyurl. com/verifbyvisa)- are cumbersome and unpopular," Lowe points out. Verified by Visa is essentially a card registration process, which allows cardholders to set up a password for use of the card, but many users fear the registration process itself is fraudulent. Preventing card-not-present fraud will require tokenization, Saneda says. A token marries the valuable permanent account number to a useless token number, Moore explains. The token number, instead of the permanent account number, is transmitted between secure points. If thieves steal the token number, they can't use it to get money. Thieves can only get the account number on the secure ends, where the account number is converted to the token number and where the received token number is converted back to the account number, he explains. The token system is still under development, but it would likely work this way: A merchant, for example, would request a token from a specialized token service provider. That service would provide the token to the requester. The requester then would transmit the token to authorize and process a purchase transaction. There could be multiple tokens for one account, he adds. Issuers will ultimately have to be involved, but the development work is being done by the card brands and merchant processors, Moore reports. Issuers could face incrementally higher transaction authorization and processing costs but not responsibility for building and maintaining the infrastructure. "Tokenization and EMV together are what will put the brakes on card fraud, but tokens are still mostly an idea," Saneda adds. "We've listened to some presentations. We're watching developments, but we aren't ready to move yet." Online retailers have developed sophisticated data-screening techniques for detecting fraud, but it's not a big concern at most CUs, Lowe says. "The merchant that shipped the goods gets the chargeback when it's fraudulent. Merchants bear the loss, so they fight the fraud. Historically, issuers have not been heavily involved in combatting card-not-present fraud." That said, he advises CUs with merchant members that make card-notpresent sales to get involved. "They need to help their business members make good decisions, and that means they have to understand things like tokenization and end-to-end encryption. "Keeping card data safe is everyone's business," Lowe insists. "Even if they (issuers) don't bear the fraud losses, when merchants are hacked and card data is compromised, issuers bear the cost of issuing new cards, and EMV cards will be more expensive to reissue than mag-stripe cards." Just for card stock, the difference could be something like $1 per chip card compared to 20 cents per mag-stripe card, but the true cost of reissuing cards is more like $20 per card, he insists. "The process is a lot more expensive than the raw cards." The technical modifications needed to implement EMV include manufacturing the cards to include the microprocessor and installing point-of-sale equipment that can read the chip, but cardholder behavior will also be affected. Resources Read bonus coverage about plugging card-related security holes in "Card Security: What Works and What Doesn't" at cues.org/081814whatworks. CUES Supplier member and strategic provider Cornerstone Advisors helps credit unions evaluate their channel usage plans. Learn more about their strategic technology planning services at cues.org/crnrstone. Richard H. Gamble Is a freelance writer based in Colorado. (c) 2014 Credit Union Executives Society |