EMV Update for Self-Service Kiosks
EMV deadlines have arrived, but many deployers have chosen to skip the upgrade. The market is still split into two big camps: those that are compliant, and those that will be, but are not yet.
By Richard Slawsky, contributor
Which costs more, complying with new regulations or not complying and hoping for the best?
The question is particularly relevant when it comes to kiosk deployers complying with Europay, Mastercard and Visa (EMV) regulations. Invest in upgrading equipment, or run the risk of being hit with chargebacks and fines in the event of fraud?
Although the lack of clear incentives or financial impacts has prompted some to skip those upgrades, it may be wiser to begin the planning process now. When the inevitable kiosk fraud case makes headlines, it will likely set off a compliance rush that leaves some deployers waiting months or years to get their devices upgraded and certified.
Meeting EMV deadlines
The Wikipedia entry for EMV defines it as “a payment method based upon a technical standard for smart payment cards and for payment terminals and automated teller machines that can accept them.” EMV “smart cards” store their data on integrated circuits in addition to the traditional magnetic stripes.
The Path to EMV |
|
Because the chips are supposedly impossible to clone, smart cards offer vastly improved security compared with magstripe-only cards. But while smart cards include a magstripe along with the integrated circuit for backwards compatibility, the improved security only applies when used with an EMV-compliant card reader.
Although EMV compliance is an ongoing process in the United States, EMV technology has been standard in Europe for years, where chip-and-PIN is the norm and contactless payment cards are growing rapidly.
“The card I use for business is probably 60% chip and PIN, 40% contactless by number of transactions, and I don’t think I’ve ever been asked to confirm a contactless payment by providing my PIN,” said Nigel Seed, who now runs KioWare Europe. “A lot of people simply mistrust contactless and refuse to ever use it; in fact some people contact their bank and tell them to send a replacement card without that facility, but busy metro-type professionals typically do use it more than the average.”
To incentivize businesses to upgrade their card readers to EMV-compliant devices, the four major U.S. credit card issuers – Visa, MasterCard, American Express and Discover – established Oct. 1, 2015 as the date on which liability for credit card fraud shifts to merchants or processors that do not have an EMV payment system ready.
If fraudulent card use occurs at a merchant that has not upgraded its equipment to EMV technology, the merchant eats the cost of the chargeback along with any fines or fees that may be levied. If that merchant’s processor has not made an EMV-compliant solution available to the merchant, or if the card issuer has not issued EMV-compliant cards to its cardholders, the processor or card issuer assumes the liability.
Despite that deadline, though, deployers of self-service devices have been slow to bring those devices into compliance with EMV, in part due to the complexity and cost of upgrading. Making a kiosk or other self-service device EMV-compliant isn’t simply a matter of swapping out a card reader. Along with upgrading the payment terminal and software, other infrastructure involved in the transaction, such as data storage devices, must be upgraded as well.
EMV compliance affects all systems involved in the payment process, not just the payment terminal. Data warehouses are likely the biggest target of all, and the eventual destination of data provided at a public terminal. If a retailer takes that highly encrypted data and then stores it as plain text in some in-house data warehouse that, through the vagaries of Microsoft networking, is accessible to a vendor simply logging into a portal, it is vulnerable to EMV compliance issues.
In addition to upgrading hardware, compliance also involves the processor and the card issuers certifying that transactions originate from an EMV-certified device, and that all software and middleware is PCI-DSS compliant as well as compliant with the international interoperability standards established by EMVCo, the consortium that manages EMV standards. That process could take several months.
What About a PIN Pad? |
When do I need a PIN pad? Here are the basics:
The United States has historically had two kinds of Cardholder Verification Methods (CVM): PIN for debit transactions and signature for credit transactions at attended terminals. A signature was not valid for unattended scenarios, on the logic that a kiosk can’t check an ID or a signature. In recent weeks the card brands declared signature to be obsolete and optional in the United States. This had no real impact on unattended devices, because the standard for unattended credit purchases was already No CVM.
The vast majority of debit cards issued in the US are called “dual application,” meaning they also carry one of the card brand logos and as such can be used on both debit networks (with PIN) and credit networks (optional signature). Think of the phrase “Visa check card.” The transaction is performed on the credit network, but the money really comes out of your checking account as opposed to a line of credit.
Acceptance of PIN debit at a kiosk is optional, although there are cases where accepting debit is beneficial, such as bill pay kiosks where transactions could potentially be very large. This is advantageous to a bill pay kiosk business when you consider that a debit transaction has a fixed cost, while a credit transaction carries a fee that is a percentage of the sale amount. From the perspective of fraud protection it is more or less a non-factor, because crooks don’t go around paying their bills with stolen cards. In the case of a kiosk in the mall selling $200 headphones, though, it would be advantageous from a cost-of-transaction perspective as well as for the prevention of card fraud and product loss.
Deciding whether a PIN pad on the kiosk is right for you really comes down to a few factors. What is the average sale amount, and at that amount, does the potential saving of the fixed cost of a debit transaction versus the percentage cost of a credit transaction justify the increased hardware cost of adding a PIN pad for debit acceptance? Essentially, what is the ROI of the PIN pad and the ability to accept debit? What is the risk and true cost of loss of product at my kiosk, and does that warrant the cost of a PIN pad?
As an example, let’s say a photo kiosk’s sale amount maxes out at $50. Using an estimated credit transaction cost of 3.5% as a baseline, transactions will cost $1.75 to run as credit. Given that debit transactions typically hover around $1.25/$1.50, the outcome of the financial decision tree says the increased solution cost of the kiosk with a PIN pad isn’t showing a strong ROI, or at least not one that can be realized in the short term. Furthermore, the risk and cost of lost product is low, and it would take selling a lot of prints to make up for the cost of the PIN pad. In this example it would make sense to forgo PIN debit acceptance at the kiosk and instead process debit cards over the credit network. |
“Each payment processor generally drives their own certifications, so timing varies pretty dramatically between payment processing certification teams,” said George Hudock, who handles business development with Datacap Systems, a developer of integrated payment systems.
“Most kiosk providers will use a third-party payments solution to avoid the on-going EMV certifications and maintenance, so most are able to avoid the EMV certifications directly,” Hudock said. “However, EMV certifications for unattended devices generally take 3-5 months once queued.”
Although it’s difficult to tell how many non-EMV-compliant kiosks are out in the field, experts say 50-60 percent of point-of-sale terminals aren’t EMV compliant. It’s likely that the percentage of non-EMV-compliant kiosks is similar. Still, experts say it could be several years before the vast majority of self-service devices in the marketplace are brought in line with EMV regulations.
Overall, the EMV migration in the United States is proceeding as well and as speedily as anyone could reasonably expect considering the somewhat tortured circumstances in which it was launched and the technical complexity and costs of its implementation, said Leland Englebardt, Practice Leader, Financial Services at New York-based UpshotAdvisors.
“Remember, it was not long after Dodd-Frank was enacted, which required many significant changes in payment card infrastructure, economics and rules,” Englebardt said.
“We are beginning to see the results in less counterfeit card fraud, which is good for everybody,” he said. “However, the security of EMV is materially enhanced by adding point-to-point tokenization and encryption. As cyber-crime is now the most active and challenging area of payments fraud, it’s possible that in the near future we will see more mandates and/or liability shifts for those technologies.”
EMV confusion still reigns
Part of what seems to be hampering EMV compliance is a lack of clarity on the part of deployers over where kiosks fall under EMV regulations. Is there a difference between attended and unattended devices? What about those that accept or dispense cash?
According to Visa’s Transaction Acceptance Device Guide Version 3.1, the term Unattended Cardholder Activated Terminal (UCAT) refers to an acceptance device managed by a merchant that dispenses goods or services, at which the card and cardholder are present, but the functions and services are provided without the assistance of an attendant to complete the transaction. These devices include cardholder activated fuel pumps, self-service vending units, and self-service payment devices in parking garages or at parking meters.
Devices that support cash dispensing and provide goods and services must comply with the Visa rules and regulations appropriate to the transaction:
• When dispensing cash, the device is considered an ATM and, therefore, must adhere to the Visa rules and regulations for ATMs.
• When dispensing goods or services, the device is considered a UCAT and must adhere to the Visa rules and regulations for unattended purchases.
Although unattended devices (e.g., ATMs, UCATs) may dispense goods and services as well as cash, transactions involving a purchase with cash back are not allowed. In other words, an unattended device may dispense either cash or goods and services in a single transaction but not both. In addition, UCATs that dispense scrip are not addressed because the Visa rules and regulations prohibit Visa card products from being used for scrip transactions. (Scrip is a two-part paper receipt redeemable for goods, services or cash.)
Attended Cardholder Activated Terminals, such as self-checkout terminals in supermarkets, are not considered UCATs and therefore are not required to meet UCAT requirements.
The guide also mentions a third category, “semi-attended,” to describe Semi-Attended Cardholder Activated Terminals in the Europe Region.
Semi-Attended Tips |
If you want to benefit from a low-cost EFT terminal such as the Verifone VX820 series (under 200 USD) and you want to install it in a semi-attended environment, you should cover unneeded and unwanted functions with a plastic form.
Pyramid did this, for instance, in the McD Europe case. The customer can benefit from the low-cost EFT, and the “white” form embeds the EFT in an elegant and ergonomic way while at the same time covering the magnetic card function on the side of the VX820, which would not be needed and would only leave customers unsure which way to use the device. With our embedded form, the customer uses either the NFC or the chip card function. |
“This has resulted in self-service manufacturers creating a third optional semi-attended solution, in conjunction with VISA, for those situations,” said Frieder Hansen, co-CEO of Germany’s Pyramid Computer. “Instead, for example, a plain IPP350 or 820 being used (attended), or for purposes of a UCAT using Ingenico 250 series, the third solution would be using an inspectable key-lockable option with a terminal like a 350.”
There is a perception that kiosks are always considered unattended from an EMV perspective, said Allen Friedman, VP of Payment Solutions at Ingenico Group.
“This is not always true,” Friedman said. “Some self-service implementations in attended environments where employee assistance is available, like at the grocery store, can be considered attended devices. If there is any time period where no assistance is available, then it is considered an unattended solution.”
There is also a card brand requirement for unattended devices to make a printed receipt available to cardholders for transactions above $15, Friedman said.
“Designs for kiosks intended to provide merchandise or services above that amount should include a receipt printer with their models to ensure compliance,” he said.
Taking the risk
Although kiosk deployers are still asking for non-EMV-compliant solutions, kiosk manufacturers seem to be coming down firmly on the need for EMV-compliant payment solutions in any custom deployment. New projects are likely to take EMV into account throughout the process.
On the other hand, some deployers are likely to stick with non-EMV compliant kiosks to the end of their lifespan.
“Deployers aren’t as educated on this as they need to be,” Laura Miller with KioWare said. “They think it doesn’t apply to them, aren’t aware of the risk or think that the risk isn’t high enough to warrant the additional cost.”
EMV-certified options are also still relatively limited, so kiosk providers’ preferred payments providers may not yet have an EMV-certified option for unattended applications.
“Kiosks are also expensive to upgrade to EMV due to a required change in casework to accommodate the updated EMV device,” Hudock said.
EMV & Cloud Services |
EMV credit transactions through the cloud make things easier. The terminal interface has moved from keyboard wedge to HID to USB and now to Ethernet. Take a hospital environment with a copay, for example: in the old days it would require direct integration between the check-in device and the credit terminal, and which payment processor to use became an issue, along with who writes the code. Nowadays you can offload the credit portion to cloud services, and all that is required on the check-in or check-out terminal is a simple HTTP/JSON call for authorization. The credit device takes over, conducts the transaction (through the preferred provider) via an EMV-certified kernel and then notifies the check-in/check-out application that the transaction is complete.
You eliminate the development cost, and the credit devices can be leased monthly to reduce the upfront cost of going EMV. You do need an Ethernet connection, though. |
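The hand-off described in this sidebar, simulated end to end as an added example (this is not code from the article or from any vendor; the field names, the `PaymentDeviceSim` class and the `kiosk_checkout` function are hypothetical stand-ins for a real device's HTTP/JSON API). The point it shows is the security property of the semi-integrated design: the kiosk application sends only an amount and a reference, the device runs the card interaction itself, and the kiosk stores a token and last four digits, never a card number. The kiosk side also refuses to store a response that looks like raw card data, so a misconfigured device cannot quietly turn the kiosk into a PAN store.

```python
"""Semi-integrated kiosk payment flow, simulated (added example).

The kiosk app sends only amount + reference to the payment device/cloud
service as JSON, the device performs the EMV transaction, and the kiosk
receives an approval plus a token. PaymentDeviceSim and all field names
are hypothetical stand-ins, not a real vendor API.
"""
import json
import re
import secrets
import uuid

# Any bare run of 13-19 digits is treated as a possible card number.
RAW_CARD_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")
# Field names that should never appear on the kiosk side.
CARD_DATA_KEYS = {"pan", "track1", "track2", "cvv", "expiry"}


def looks_like_card_data(obj) -> bool:
    """True if a JSON-style object carries fields or values that could be
    raw card data. Applied to every message the kiosk sends or receives."""
    if isinstance(obj, dict):
        return any(k.lower() in CARD_DATA_KEYS or looks_like_card_data(v)
                   for k, v in obj.items())
    if isinstance(obj, list):
        return any(looks_like_card_data(v) for v in obj)
    if isinstance(obj, str):
        return RAW_CARD_RE.search(obj) is not None
    return False


class PaymentDeviceSim:
    """Stand-in for an EMV-certified device plus its cloud service.
    The card interaction happens entirely inside authorize(); the kiosk
    only ever sees the JSON it returns."""

    def __init__(self):
        self._vault = {}  # token -> PAN, held off the kiosk (constructed)

    def authorize(self, request_json: str) -> str:
        req = json.loads(request_json)
        missing = [f for f in ("reference", "amount_cents", "currency") if f not in req]
        if missing or not isinstance(req["amount_cents"], int) or req["amount_cents"] <= 0:
            return json.dumps({"approved": False, "error": "bad request"})
        pan = "4111111111111111"  # constructed test card read by the device's own kernel
        token = "tok_" + secrets.token_urlsafe(12)
        self._vault[token] = pan
        return json.dumps({
            "reference": req["reference"],
            "approved": True,
            "amount_cents": req["amount_cents"],
            "currency": req["currency"],
            "auth_code": secrets.token_hex(3).upper(),
            "entry_mode": "chip",
            "masked_pan": "*" * (len(pan) - 4) + pan[-4:],
            "token": token,
        })


def kiosk_checkout(device: PaymentDeviceSim, amount_cents: int, currency: str = "USD") -> dict:
    """What the check-in/check-out application does: hand off, wait, record."""
    if amount_cents <= 0:
        raise ValueError("amount must be positive")
    reference = str(uuid.uuid4())
    request = {"reference": reference, "amount_cents": amount_cents, "currency": currency}
    response = json.loads(device.authorize(json.dumps(request)))
    # Defensive checks before anything is written to local storage.
    if looks_like_card_data(response):
        raise ValueError("device returned raw card data; refusing to store it")
    if response.get("reference") != reference:
        raise ValueError("response does not belong to this request")
    # The local record holds only what receipts and voids need.
    return {
        "reference": reference,
        "approved": response.get("approved", False),
        "amount_cents": amount_cents,
        "auth_code": response.get("auth_code"),
        "token": response.get("token"),
        "last4": response.get("masked_pan", "")[-4:],
    }


if __name__ == "__main__":
    print(kiosk_checkout(PaymentDeviceSim(), 2500))
```

In a real deployment the `authorize` call is the HTTP request to the device or cloud service and the returned JSON is its completion notification; the `looks_like_card_data` check on the way in and out is the part worth keeping, because it is what makes "the kiosk never stores card data" a verified property rather than an assumption about the vendor.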
“The kiosk industry is more fragmented than retail/restaurant,” Hudock said. “This means that there are often multiple constituents involved in delivering the kiosk that need to be involved in the upgrade process, including hardware OEMs, software developers, payments middleware providers, payment processors and installers. Kiosk upgrades tend to take a little more time and planning than retail/restaurant due to the number of involved parties.”
Some of the reluctance of kiosk deployers to adopt EMV is understandable. If the kiosk is near the end of its life cycle, a deployer may choose to ride it out until it’s time to replace the entire device. In addition, the relatively low average transaction amount for many kiosks translates to less overall chargeback risk, which in turn means less incentive to upgrade.
Should a deployer choose to skip making their units EMV compliant, though, at the very least they should pay additional attention to security to minimize the possibility of fraud. Those steps could include data clearing technology and secure browsers, ending the session on a particular page, session timeouts and so forth. In addition, point-to-point encryption and tokens are valuable security measures. P2PE ensures that card data is encrypted at the time of card insertion and stays encrypted until it’s routed offsite. Tokens ensure that card data is not stored locally for voids or recurring transactions.
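Tokenization is supposed to keep card data off the kiosk; the added example below (not part of the article) is the check a deployer can run to confirm that it actually does, and it applies equally to the in-house data warehouse mentioned earlier. It scans log lines or a local file for digit runs that pass the Luhn check, so masked values such as `************4242`, order numbers and epoch timestamps are ignored while a card number that leaked into a debug log is reported in masked form. The log lines are constructed for this example; `find_pans` and `scan_file` are names chosen here.

```python
"""Verify that no card numbers are stored on the kiosk (added example).

Scans log lines (or a log file) for 13-19 digit runs that pass the Luhn
check, which filters out most non-card numbers. Sample lines below are
constructed for the example and use well-known test card numbers.
"""
import re
from typing import Iterable, List, Tuple

# 13-19 digits, optionally separated by single spaces or dashes, and not
# adjacent to further digits (a longer run is unlikely to be a card number).
DIGIT_RUN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_ok(number: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Report a finding without writing the full number anywhere again."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (line_number, masked_number) for each likely card number."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for match in DIGIT_RUN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group())
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                findings.append((lineno, mask(digits)))
    return findings


def scan_file(path: str) -> List[Tuple[int, str]]:
    """Run the same check over a local log or export file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_pans(fh)


# Constructed sample: one healthy line, two leaks, two false-positive traps.
SAMPLE_LINES = [
    "2024-01-08 10:01:03 auth ok ref=b7e1 token=tok_Q1w2e3r4 last4=1111 amount=4995",
    '2024-01-08 10:01:03 debug raw_response={"pan": "4111111111111111", "approved": true}',
    "2024-01-08 10:02:17 order ORD-1234567890123456 created ts=1700000000000",
    "2024-01-08 10:03:40 receipt masked=************4242 amount=1500",
    "2024-01-08 10:04:11 void card=5500 0000 0000 0004 ref=c9a0",
]

if __name__ == "__main__":
    for lineno, masked in find_pans(SAMPLE_LINES):
        print(f"line {lineno}: stored card number {masked}")
```

Run it over the kiosk's application logs, local database exports and any crash dumps; a clean result is the evidence that tokenization is doing its job, and a hit on a debug line like the second sample is the kind of leak that P2PE and tokens are meant to prevent but that a verbose logger can silently undo.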
“There is less risk of internal compromise of data for a kiosk due to the hardened nature of the casework, but the largest card data security problem facing kiosks is likely card skimmers,” Hudock said. “Because these are generally placed on top of an existing reader, the card is skimmed before security measures like encryption or EMV would have any impact. Merchants need to periodically check their kiosks to confirm that they haven’t been tampered with.”
And as EMV cards and terminals become ubiquitous, banks’ authorization parameters may evolve to limit fallback approvals.
“A kiosk operator who doesn’t upgrade to EMV may find it harder and harder to get a positive mag stripe authorization,” Englebardt said.
“Notwithstanding the liability shift, banks seek to avoid the risk of counterfeit card chargebacks that trigger replacement/reissuance costs and cardholder attrition,” he said. “So revenue erosion is an additional long term business risk for kiosk operators not adopting EMV.”
Other Problems with EMV |
So you reside in the U.S. and all your cards (for the last year) are the sturdier chip cards, right? And no problems since, right? Well, not exactly. The manufacturing process still has kinks. Personally, two of my cards have failed just due to electronic failure (both of them from Chase). So malfunctioning cards are a problem.
My chip cards have needed to be replaced due to fraud instances twice (rarely did before). I am a low-volume, very restricted credit card user (except for online accounts). Why the increase in breaches? |
At the end of the day, though, what’s likely to motivate deployers to upgrade their devices will be the news of a major chargeback and fine associated with a device that wasn’t EMV-compliant.
“There are beginning to be some fines but not publicized and none that would be considered punitive by any measure,” said Geoff Leopold, division manager with Heartland Payment Systems. Still, it’s likely just a matter of time before a major incident occurs.
In addition, some payment processors have begun charging their customers EMV non-compliance fees. Those fees can vary, coming as a flat monthly or annual charge or a percentage of the deployer’s processing volume.
“The bottom line is that processors and banks want you to move to EMV equipment because it’s more secure for everyone,” wrote Ellen Cunningham in an article on the website CardFellow.com. “If you’ve been holding off on EMV-capable equipment you may want to think about upgrading before more processors begin imposing expensive fees.”
EMV Resources
How EMV works.
EMVCo manages EMV specifications and related testing processes. This includes, but is not limited to, card and terminal evaluation, security evaluation, and management of interoperability issues. EMVCo is a consortium with control split equally among Visa, MasterCard, JCB, American Express, China UnionPay, and Discover.
US Payments Forum — The U.S. Payments Forum (the “Forum”) is a cross-industry body focused on addressing issues that require broad cooperation and coordination across many constituents in the payments industry. Part of Secure Technology Alliance (see below).
The EMV Connection website provides up-to-date EMV migration information and educational resources, including Chip Cards Facts-at-a-Glance. It is now the US Payments Forum website.
EMV Resources page of the Card Acquiring Service (CAS). Offers information and links to helpful EMV information, including the federal government’s move to EMV chip and PIN-enabled card acceptance.
Secure Technology Alliance — The Alliance brings together leading providers and adopters of end-to-end security solutions designed to protect privacy and digital assets in a variety of vertical markets.
EMV Contributor Acknowledgements
- Nigel Seed with KioWare [Europe]
- George Hudock with Datacap Systems
- Leland Englebardt with Upshot Advisors
- Frieder Hansen with Pyramid Computer
- Allen Friedman – Ingenico
- Bruce Rasmussen – Ingenico
- Laura Miller – KioWare
- Robert Chilcoat – UCP Systems
- Geoff Leopold – Heartland Systems
- Michael Lee – ATMIA Association
- James Kruper – KioWare
- John Menzel – Ingenico
- Deana Rich – Rich Consulting
- Troy Leach – CTO PCISecurityStandards.org
- Wayne Vanderkraak – OPT Connect
- Todd Ablowitz – Double Diamond Group
Thanks to all from us!