EMV Kiosk – Getting Past the Finish Line
If you concern yourself with the kiosk industry enough to read this article it probably isn’t the first time the terms “chip and pin” or “EMV” have come up in your workweek. In this write-up I hope to address some common misconceptions about EMV and how it effects kiosk manufacturers, ISOs, and kiosk business owner/operators. By the end you should have a good idea of what it takes for all of these groups to get their products past the “EMV capable” finish line.
It is not just the hardware:
EMV hardware manufacturers and distributors have spent the last few years focused on educating ISV/ISOs and hardware integrators that EMV is not just a matter of buying a new piece of hardware. A true solution is dependent on a marriage of hardware and software; and as marriages go it also entails a commitment. More on that to come…
EMV Levels:
EMV Level 1 means that a device physically meets EMV specifications for chip (contact), and in some cases NFC (contactless).
EMV Level 2 means that the firmware on a device performs to EMV processing specifications.
Both EMV Level 1 and Level 2 are the responsibility of terminal manufacturers. This hardware can be described as “EMV ready.”
Level 3 is achieved when a developer marries a device meeting the aforementioned Level 1 and 2 EMV specifications with their software, and commits to certifying it with a processor or processors, and then the card brands. This fully developed and certified solution can be described as “EMV capable.”
The cost and level of commitment:
The cost of this commitment can definitely set you back more than a designer engagement ring, depending on the ring of course. The cost and level of commitment varies greatly depending on the developer’s goals.
A developer can choose to pursue a direct certification with a processor (fully integrated) or decide to use a payment gateway which has already made a commitment to certifying a piece of hardware with a processor(s) (semi-integrated).
Fully integrated vs. semi-integrated:
A fully integrated approach to EMV is a time consuming a very costly endeavor and the end solution is fully within PCI scope. Historically speaking a fully integrated solution can easily take 8 to 12 months to develop and certify. The cost will be well over $100K all-in considering time, tools, and certification testing. Then rinse and repeat for each processor you want to certify with.
A semi-integrated approach allows you to leverage the commitment of another company to complete your solution in a matter of weeks, and at an enormously reduced cost. In addition to the cost factor a semi-integrated solution also allows you to piggyback on your gateway partner’s PCI-DSS compliance. A semi-integrated approach eliminates your need for full-blown PCI and EMV evaluation. In most cases semi-integrated system architecture will allow for a PCI Self Assessment Questionnaire (SAQ) to obtain your attestation of compliance.
Conclusion:
I hope after reading this you have a better understanding of why just picking a piece of hardware that meets EMV Levels 1 and 2 doesn’t make a EMV capable solution. The Liability Shift is coming in October and we are here to help you prepare. For more answers to your questions, and for information on middleware available to you, please contact Unattended Card Payments Inc. at (702) 802-3504 or by emailing info@ucp-inc.com