EMV Liability Shift: Why Financial Institutions Should Get Their ATMs in Line (Whitepaper)

For years the United States payments industry has resisted moves to switch from payment and ATM
cards that rely on the magnetic stripe (mag stripe) containing a card’s account information to “smart
cards” embedded with more secure microprocessor chips, which other countries began using in the
1980s. In the U.S., a strong telecommunications system has enabled credit and debit card issuers to
authorize virtually all transactions electronically. For more info: www.nafcu.org/vantiv

Published in: Economy & Finance, Business

Transcript

  • 1. EMV Liability Shift: Why Financial Institutions Should Get Their ATMs in Line

  March 10, 2013

  © Copyright 2013 Vantiv, LLC. All rights reserved. Vantiv, the Vantiv logo and all other Vantiv product or service names and logos are registered trademarks or trademarks of Vantiv, LLC in the USA and other countries. ® indicates USA registration.
  • 2. Introduction

  For years the United States payments industry has resisted moves to switch from payment and ATM cards that rely on the magnetic stripe (mag stripe) containing a card’s account information to “smart cards” embedded with more secure microprocessor chips, which other countries began using in the 1980s. In the U.S., a strong telecommunications system has enabled credit and debit card issuers to authorize virtually all transactions electronically. In countries that could not secure such immediate authorizations to prevent use of counterfeit mag-stripe cards, card acceptance was limited because of fear of fraud, leading Europay, MasterCard, and Visa to initiate development of the EMV chip card standard. The U.S. fraud rate long remained tolerable for financial institutions despite the near universal domestic acceptance of U.S. issuers’ mag-stripe-only cards at ATMs and point-of-sale terminals. But that is changing.

  2012 Vantiv research showed that 43% of consumers were interested in EMV smart cards because they see the cards as more secure than mag-stripe cards. In research conducted by Vantiv and Mercator Advisory Group in early 2013, 15% of those surveyed reported already owning a payment card containing a computer chip; of that group, 5% reported having used their chip cards within the U.S. and 24% outside U.S. borders. Since few payment terminals in the U.S. are equipped to process chip-based cards, this data likely reflects that users who owned a chip card had to swipe it most of the time to make payment in 2012.

  Thieves tend to follow the path of least resistance, and concerns are rising in the U.S. that it’s just a matter of time before they zero in on the country’s weakest links. Mag-stripe cards are easily counterfeited, whereas cards with an embedded microprocessor chip are not. While thieves often use counterfeit cards to initiate purchases, no doubt they’d prefer to use them to secure cash. ATMs that take mag-stripe cards make great targets. All that fraudsters need to gain access to someone’s account is the individual’s card information and personal identification number. They can use a miniature “skimming” device placed discreetly above an ATM’s card slot to capture the information from the mag-stripe and use a properly positioned camera to capture the PIN when the legitimate cardholder enters it on the ATM’s keypad.

  The adoption of the EMV standard (ISO 7816) globally outside of the United States—along with increased concerns about ATM-based card fraud—has led the four major payment card networks to implement “road maps” designed to foster EMV adoption by card issuers and merchants in the United States. The initiatives rely on transfer of liability on issues of fraud to parties that fail to meet the deadlines or “milestones” outlined in the road maps. MasterCard and Visa have established liability shifts concerning U.S. ATM use. Although most of the EMV deadlines for payments do not begin until 2015 or later, MasterCard’s first liability shift affecting ATM deployers is scheduled to take effect in April 2013.
  • 3. MasterCard and Visa Tackle ATM EMV

  Under MasterCard’s EMV liability shifts, within the next three years all U.S.-based ATMs must be capable of accepting Maestro EMV cards, or their owners and operators risk increased responsibility for any fraud that occurs through the machine. Visa’s shifts for Plus and other Visa transactions have a later date. (Maestro is a MasterCard PIN-debit brand, and Plus is Visa’s ATM network.) (See Figure 1.)

  Figure 1: U.S. ATM EMV Road Maps. Source: By permission of Mercator Advisory Group
  • 4. EMV Compliance Components

  Why EMV Cards Are Safer

  EMV is a global chip card standard managed by EMVCo, which is owned now by MasterCard, Visa, JCB, and American Express. As of the second quarter of 2012, there were 1.55 billion EMV cards in circulation worldwide.

  The gold or silver square on an EMV card, the card’s contact plate, covers an embedded microprocessor, which is a small computer that supports security and other features not supportable by mag-stripe cards. The contact connects the chip to a reader when inserted into an ATM or payment terminal and facilitates the exchange of data and power to the chip. For a contactless transaction, the user taps the chip card against a terminal that can read the chip from up to 3 centimeters away, energizing it and allowing the data exchange to occur via a radio frequency. EMVCo specifications define the communication protocol between contactless cards and merchant payment terminals, and the method for selecting the contactless application to use.

  Some EMV card issuers require only users’ signatures to authorize transactions, especially for relatively small purchases. But all issuers require a PIN when using an EMV card to access an ATM.

  Global issuers still tend to include mag-stripes on their EMV cards so their cardholders can use them in places where EMV is not commonly used. Even when such a card is being used in locations not equipped for EMV, a service code in the magnetic stripe indicates that the card also contains a chip and thus shows the issuer that the card is authentic when a transaction is being authorized.

  The Broad Goal

  Effective April 19, 2013, owners and operators of noncompliant U.S. ATMs will be liable for all potential counterfeit fraud on internationally issued MasterCard Maestro PIN-debit cards used at their machines. In 2016, all ATM owners and operators would become liable for fraud on domestically issued Maestro cards as well if their machines cannot accept EMV cards.

  Visa will assign liability for counterfeit fraud ATM transactions to any acquirer or issuer that has not adopted EMV chip technology by a later date. For all Visa- or Plus-branded cards, U.S. third-party ATM acquirer processors and subprocessors must be able to support EMV chip data by April 1, 2015. Liability shifts to non-EMV ATMs in the U.S. on October 1, 2017.
  • 5. In the U.S., Visa, MasterCard, and American Express all have set October 15, 2015, as the date for liability to shift for payments to the least-secure link in a transaction. Discover is beginning the shift on October 1, 2015. If, for example, a cardholder with an EMV chip card must use the mag stripe to complete a purchase because the merchant’s terminal was incapable of accepting chip-based payments, the merchant acquirer would be responsible for any counterfeit fraud associated with that transaction. In turn, the acquirer likely would pass on the cost of the fraudulent transaction to the merchant.

  This shift will be relevant for all forms of card-present transactions, including signature credit, signature debit, PIN debit, and signature-exempt because the issuer is generally liable for fraud in these types of transactions. Because automated fuel dispensers are both difficult and costly to upgrade, each card network has given gasoline retailers an additional two years to comply. Visa, MasterCard, and American Express shift fraud liability to fuel vendors on October 15, 2017, and Discover will do so on October 1, 2017.

  With the rapid approach of MasterCard’s initial liability shift in particular, owners and operators of ATMs are confronted with two choices: Meet the deadline by upgrading their ATMs or buying new EMV-compliant machines, or wait until the later 2016 deadline and risk fraud liability in the hope that the switch will be more cost effective in three years.

  Lessons Learned

  ATM-Related Fraud Losses Will Drop

  Although the merits and disadvantages of EMV payment technology versus mag-stripe technology are debatable, one of the clear benefits to EMV technology is the improved security of personal and financial information. ATM-related skimming losses in Europe fell by 63% between 2006 and 2010 as EMV-compliant ATMs became the preferred machine type in the region, according to the European ATM Security Team (EAST).

  It is no coincidence that ATM skimming, arguably the most damaging of ATM-related fraud attacks because of the potential for multiple cards to be compromised, fell sharply as the number of EMV-compliant ATMs rose to 97% of all European ATMs from 63% in a matter of four years.

  As fraudsters shift their attention to the U.S., expect the initial targets for cloned European cards to be machines deployed in cities where European vacationers often travel, such as New York, Chicago, Miami, and Los Angeles. Eventually as those machines are upgraded the focus will shift to where thieves perceive most ATMs aren’t able to read EMV chips, such as small towns and rural areas. Because small financial institutions tend to operate in such regions, they will be especially vulnerable to a large fraud attack.
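
The service code described under "Why EMV Cards Are Safer" and the chip-card-swiped liability case above can be combined to estimate a deployer's exposure from its own swipe records. The following Python is an added example, not part of the whitepaper: it assumes the ISO/IEC 7813 Track 2 layout and that a first service-code digit of 2 or 6 marks a chip card, reduces the liability rule to the single case the text describes, and uses hypothetical function names with constructed test records.

```python
import re

# ISO/IEC 7813 Track 2: ;PAN=YYMM, 3-digit service code, discretionary data, ?
TRACK2 = re.compile(r"^;(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})\d*\?$")

# First service-code digit 2 or 6 means the card also carries a chip.
CHIP_DIGITS = {"2", "6"}


def parse_track2(raw):
    """Return the fields needed for a liability decision, or raise ValueError."""
    m = TRACK2.match(raw.strip())
    if m is None:
        raise ValueError("not a well-formed Track 2 record")
    return {
        "pan_last4": m["pan"][-4:],        # never carry the full PAN into reports
        "expiry_yymm": m["exp"],
        "service_code": m["svc"],
        "has_chip": m["svc"][0] in CHIP_DIGITS,
    }


def counterfeit_liability(raw_track2, terminal_reads_chip):
    """Simplified 'least-secure link' rule for one mag-stripe transaction."""
    card = parse_track2(raw_track2)
    if card["has_chip"] and not terminal_reads_chip:
        return "acquirer"   # chip card forced onto the stripe by the terminal
    return "issuer"         # the general card-present case in the text


def exposure_report(swipes):
    """Count swipes per liable party for (track2, terminal_reads_chip) pairs."""
    totals = {"acquirer": 0, "issuer": 0, "rejected": 0}
    for raw, capable in swipes:
        try:
            totals[counterfeit_liability(raw, capable)] += 1
        except ValueError:
            totals["rejected"] += 1    # unreadable stripe data: review by hand
    return totals


# Constructed sample swipes using well-known test PANs, not real accounts.
SAMPLE = [
    (";4111111111111111=25122011234567890?", False),  # 201: chip card, stripe-only ATM
    (";4111111111111111=25122011234567890?", True),   # 201: chip card, EMV-capable ATM
    (";5555555555554444=25121011234567890?", False),  # 101: stripe-only card
    (";5555555555554444=2512", False),                # truncated read
]

if __name__ == "__main__":
    print(exposure_report(SAMPLE))
```

Running the report over a month of a machine's swipes gives the share of transactions that would move to the deployer under the shift, which is the input the upgrade-cost comparison needs.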
  • 6. ATM deployers in smaller communities should evaluate how often holders of cards issued outside the U.S. use their machines. This will help to determine how much financial loss could be incurred because of the liability shift versus the cost to do an EMV upgrade. In the end, though, as other networks’ liability shifts take hold to encourage EMV, making the upgrade will become a necessity, so an institution’s decision should be based on when, not whether, to upgrade.

  Some European issuers might use decisioning tools to watch for unusual transaction patterns and block their cards at an ATM a cardholder doesn’t normally use or where fraud is relatively common. This might help reduce fraud exposure in the interim for U.S. operators of non-EMV-compliant ATMs but will also frustrate cardholders attempting to use the machines.

  In Europe and Canada, the card networks extended their initial liability-shift deadlines, but as of the production of this report they had given no indication they would make similar accommodations in the U.S. One insider says some large ATM deployers won’t meet MasterCard’s 2016 deadline because they don’t have the resources to get it done. They might not be able to comply until 2020, and such an extension would be in line with the experiences of other countries.

  Potential Costs and Other Analytics

  Approval Process

  Costs resulting from ATM skimming in the United States total approximately $1 billion annually, according to the U.S. Secret Service. Although skimming is only one means of ATM fraud, the figure highlights the need for improved security standards. For owners and operators of ATMs, the costs to upgrade machines might seem daunting. But take into account both the proven results of declining ATM fraud with broad EMV deployment in Europe and the increased fraud liability without EMV migration in the U.S., and spending a few thousand dollars per machine becomes far more attractive.

  For all potential and existing EMV-compliant ATMs, the terminal must meet two levels of approval. Level 1 approval ensures the machines can read and process the EMV chips on payment cards. This is the vital process in which data are transferred between the card and the terminal; it involves only the integrated circuit card (ICC) reader. Level 2 approval relates to software and the terminal’s ability to process the data; this directly affects the encrypting PIN pad (EPP), the ICC reader, the security module (if applicable) and the software, both basic and application. In light of these standards, ATMs not produced to be EMV compliant will need upgrades to replace or update machinery.

  Such costs can range from $500 to $5,000, depending on the extent of needed upgrades. The average range is $3,000 to $4,000. Helping to offset such costs will be improved marketing opportunities and enhanced security features that reduce potential fraud-related losses; specific returns on investment will vary based on a deployer’s unique circumstances.
  • 7. The ATM vendor is responsible for obtaining the letter of approval from EMVCo for its terminal, and the acquirer bank is responsible for getting EMVCo’s approval of the supplier. As of late October 2012, EMVCo had approved 200 vendors and 599 vendor interface modules (IFMs) for level 1 contact. Additionally, EMVCo approved 645 application kernels (a software module developed to support EMV debit and credit card functions) and 138 vendors who distribute the kernels. To be compliant by the MasterCard 2013 deadline, banks and independent operators of ATMs must obtain these two levels of approval, which are critical to meeting EMV’s high security standards.

  Besides the two levels of terminal approval required by EMVCo rules, there are other concerns that ATM operators have to consider when making the switch (Table 2).

  Table 2: EMV ATM Compliance Considerations. Source: Smart Card Alliance

  Regional Card Networks

  Unlike in most other countries, the U.S. is in an unusual position of having multiple debit card networks. The Durbin amendment to the Wall Street Reform and Consumer Protection Act (Dodd-Frank) is having an impact at the point of sale in that issuers must provide merchants with at least two networks from which to choose to route their transactions. Although issuers may support multiple networks through application identifiers on their EMV cards, ATM deployers likely will not face similar decisions because they are exempt from Durbin.
  • 8. It is possible to configure an ATM to display a “Select Network” screen that prompts the cardholder to select which network to route the transaction, but that rarely, if ever, has been done. In the United Kingdom, typically a form of automatic selection is used, based on application priority, to prevent the selection screen actually being displayed so as to avoid confusing most consumers.

  PIN Management

  Occasionally, situations may arise in which a cardholder’s online PIN stored by the issuer can get out of sync with the offline PIN stored in the smart card. Typically when a cardholder makes an online PIN change request by inserting his card in an ATM and using the “Change PIN” function on the machine, the request goes up to the host for authentication. An issuer script is sent back to the ATM, which then passes it on to the card’s chip for execution.

  The chip must correctly process the issuer script so the internal offline PIN is updated to the same value as the host. If a problem occurred there could be a mismatch, perhaps because a bug in the ATM software reported the script was successful when in fact it had failed. This is one of the reasons that thorough testing is required of the end-to-end systems as part of the EMV rollout.

  Conclusion

  Liability is fast becoming an end game for ATM owners, particularly for smaller financial institutions. EMV adoption in the U.S. is inevitable, and financial institutions must have a plan to upgrade their machines based on input from their processor, software provider, and hardware vendors. The business case for upgrading to EMV may not be known until it’s too late, after fraudsters have actually taken advantage of non-EMV-compliant ATMs.

  Doing nothing is a risky choice in a high-stakes game. The prudent choice is to upgrade sooner rather than later, especially if an institution has to make large upgrade decisions now for other reasons. Look to a trusted service partner, such as Vantiv, to assist with thought leadership and technical expertise in this multistage process.
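
An ATM avoids the PIN mismatch described under "PIN Management" by deriving the script outcome from the chip's status word for every command instead of assuming success. The following Python is an added example, not part of the whitepaper or of any vendor's ATM software: it assumes the EMV tag conventions (script template 71/72, identifier 9F18, command 86) and the 5-byte Issuer Script Results layout, and its function names, sample script and simulated card responses are constructed.

```python
def parse_issuer_script(template):
    """Split a short-form Issuer Script Template into (script_id, commands)."""
    if len(template) < 2 or template[0] not in (0x71, 0x72) \
            or template[1] != len(template) - 2:
        raise ValueError("expected a short-form issuer script template")
    body, pos = template[2:], 0
    script_id, commands = bytes(4), []
    while pos < len(body):
        tag_len = 2 if body[pos:pos + 2] == b"\x9f\x18" else 1
        if tag_len == 1 and body[pos] != 0x86:
            raise ValueError("unexpected tag in issuer script")
        start = pos + tag_len + 1            # first byte of the value
        if start > len(body) or start + body[start - 1] > len(body):
            raise ValueError("truncated issuer script")
        value = body[start:start + body[start - 1]]
        if tag_len == 2:
            script_id = value                # 9F18: Issuer Script Identifier
        else:
            commands.append(value)           # 86: one command APDU for the chip
        pos = start + len(value)
    return script_id, commands


def issuer_script_results(template, transmit):
    """Run the script on the card and build the 5-byte result record.

    Byte 1 high nibble: 0 = not performed, 1 = failed, 2 = successful; low
    nibble: number of the failing command. Bytes 2-5: the script identifier.
    """
    script_id, commands = parse_issuer_script(template)
    if not commands:
        return bytes([0x00]) + script_id
    for number, apdu in enumerate(commands, start=1):
        sw = transmit(apdu)                      # 2-byte status word
        if sw[0] not in (0x90, 0x62, 0x63):      # error: stop and record it
            return bytes([0x10 | min(number, 0x0F)]) + script_id
    return bytes([0x20]) + script_id


# Constructed sample: script id 00000001 carrying one PIN CHANGE/UNBLOCK-style
# command (CLA 84, INS 24) whose 8 data bytes are placeholders.
COMMAND = bytes.fromhex("8424000208" + "11" * 8)
BODY = bytes.fromhex("9f180400000001") + bytes([0x86, len(COMMAND)]) + COMMAND
SCRIPT = bytes([0x72, len(BODY)]) + BODY


def card_accepts(apdu):
    return b"\x90\x00"


def card_rejects(apdu):
    return b"\x69\x88"   # chip refused the command; offline PIN is unchanged
```

An end-to-end test should drive both simulated cards through the ATM software and confirm that the result reaching the host starts with 0x1 for the rejecting card, so the host knows the offline PIN was not updated.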