Tag Archives: compliance

Where is EMV for Kiosks in 2019? An EMV Update

EMV Update – Unattended

The deadline for merchants to bring payment devices into compliance with EMV standards passed more than three years ago, but there are still non-compliant devices in the marketplace.

otiKiosk provides kiosk system developers with an easy and affordable way to integrate a pre-certified EMV payment acceptance solution

A year ago, KioskIndustry.org published a piece looking at the state of adoption of Europay, Mastercard and Visa (EMV) requirements among kiosk deployers in 2018. The bottom-line findings were that while kiosk manufacturers were stressing the need for EMV-compliant solutions for new projects, many deployers planned to keep current non-compliant solutions in the field until the end of their lifespan.

Now that a year has passed since that analysis, has anything changed? Where do things stand now?

EMV Compliance continues to expand

To recap, EMV is defined as “a payment method based upon a technical standard for smart payment cards and for payment terminals and automated teller machines that can accept them.” EMV “smart cards” store their data on integrated circuits in addition to the traditional magnetic stripes. According to financial services firm FirstData, EMV chip cards transmit a variable algorithm that changes with each transaction, making the data more secure than what’s found on magnetic stripe cards.

Under EMV standards, merchants had until Oct. 1, 2015, to make their payment processing equipment EMV-compliant. If a fraudulent transaction occurred at a merchant who had not upgraded their equipment, the merchant would eat the cost of that transaction along with any fines or fees that might be assessed.

And while EMV standards were relatively clear for in-person transactions, such as those at an attended checkout register at a grocery store, they were a bit murkier when it came to transactions at an unattended device, such as a self-service kiosk.

Although payment card issuer Visa doesn’t break out kiosk-specific statistics, it does track overall EMV adoption. By most measures, the process seems to be rolling along.

As of December 2018, more than 3.1 million merchants now accept chip cards, according to Visa statistics, compared with just 392,000 merchants as of September 2015. There are now 511 million chip cards in circulation compared with 159 million three years ago. Ninety-eight percent of payments accomplished at the end of 2018 were done using chip cards.

In addition, counterfeit fraud dollars dropped 48 percent over the 39-month period, according to Visa statistics, while that figure was closer to 80 percent for merchants who have completed the upgrade.

Still, that doesn’t mean credit-card fraud is going to disappear. According to research by intelligence firm Gemini Advisory, as of November 2018 chip-enabled cards represent 93 percent of the more than 60 million payment cards stolen in the past 12 months, thanks to the lack of U.S. merchant compliance with the EMV implementation.

Other Gemini findings include:

  • 45.8 million or 75 percent are Card-Present (CP) records and were stolen at the point-of-sale devices, while only 25% were compromised in online breaches.
  • 90% of the CP compromised U.S. payment cards were EMV enabled.
  • The United States leads the rest of the world in the total amount of compromised EMV payment cards by a massive 37.3 million records.
  • Financially motivated threat groups are still exploiting the lack of merchant EMV compliance.

In addition, a new type of card fraud is gaining in popularity. Unlike the skimmers fraudsters attached to gas pumps and other devices to capture credit card information (one of the types of fraud EMV was designed to eliminate), a “shimmer,” according to Krebs on Security, fits in the card slot between the chip on the card and the chip reader, recording the data on the chip as it is read by the underlying machine. Because the device sits inside the slot itself instead of fitting over the card reader, it is difficult to spot.

Here’s how Krebs described shimming in 2017:

“Data collected by shimmers cannot be used to fabricate a chip-based card, but it could be used to clone a magnetic stripe card. Although the data that is typically stored on a card’s magnetic stripe is replicated inside the chip on chip-enabled cards, the chip contains additional security components not found on a magnetic stripe.

“One of those is a component known as an integrated circuit card verification value or “iCVV” for short — also known as a “dynamic CVV.” The iCVV differs from the card verification value (CVV) stored on the physical magnetic stripe, and protects against the copying of magnetic-stripe data from the chip and using that data to create counterfeit magnetic stripe cards.”

The weakness a shimmer exploits lies with the card issuer as opposed to the payment device.

“The only way for this attack to be successful is if a [bank card] issuer neglects to check the CVV when authorizing a transaction,” ATM giant NCR Corp. wrote in a 2016 alert to customers. “All issuers MUST make these basic checks to prevent this category of fraud. Card Shimming is not a vulnerability with a chip card, nor with an ATM, and therefore it is not necessary to add protection mechanisms against this form of attack to the ATM.”
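The NCR point above is an issuer-side check, and the following is an added illustration of it (not code from the article, NCR, or any issuer). It assumes a constructed stand-in for the issuer's keyed CVV derivation, with the widely used convention that the chip's iCVV is derived with service code 999 while the physical stripe uses the card's real service code; the real CVV algorithm and keys are not shown.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-in for the issuer's keyed CVV derivation (HMAC here, not
# the real CVV algorithm). The check only relies on the stripe CVV and the
# chip's iCVV being different keyed values for the same PAN and expiry.
ISSUER_KEY = b"placeholder-issuer-key"   # constructed, not a real key
STRIPE_SERVICE_CODE = "201"              # service code on the physical stripe (constructed sample)
ICVV_SERVICE_CODE = "999"                # iCVV is conventionally derived with 999, so it differs


def derive_cvv(pan: str, expiry: str, service_code: str) -> str:
    msg = f"{pan}|{expiry}|{service_code}".encode()
    digest = hmac.new(ISSUER_KEY, msg, hashlib.sha256).hexdigest()
    return f"{int(digest[:8], 16) % 1000:03d}"


@dataclass
class AuthRequest:
    pan: str
    expiry: str          # YYMM
    entry_mode: str      # "magstripe" or "chip"
    service_code: str
    cvv: str             # CVV carried in the presented track data


def authorize(req: AuthRequest, check_cvv: bool = True) -> tuple[bool, str]:
    """Issuer-side decision; check_cvv=False models the lax issuer NCR warns about."""
    if not check_cvv:
        return True, "approved without CVV check (lax issuer)"
    if req.entry_mode != "magstripe":
        return True, "chip transaction: cryptogram verified elsewhere (out of scope here)"
    expected = derive_cvv(req.pan, req.expiry, STRIPE_SERVICE_CODE)
    icvv = derive_cvv(req.pan, req.expiry, ICVV_SERVICE_CODE)
    if req.cvv == expected:
        return True, "approved: stripe CVV matches"
    if req.cvv == icvv:
        # Stripe carries the chip's iCVV: track data was copied from the chip, not the real stripe
        return False, "declined: iCVV presented on magstripe, cloned from chip data"
    return False, "declined: CVV mismatch"


# Constructed sample: a genuine swipe versus a stripe written from copied chip data
PAN, EXP = "4111111111111111", "2512"
genuine = AuthRequest(PAN, EXP, "magstripe", STRIPE_SERVICE_CODE, derive_cvv(PAN, EXP, STRIPE_SERVICE_CODE))
cloned = AuthRequest(PAN, EXP, "magstripe", STRIPE_SERVICE_CODE, derive_cvv(PAN, EXP, ICVV_SERVICE_CODE))
```

The same cloned track is approved when the issuer skips the CVV comparison and declined when it performs it, which is exactly the distinction NCR draws.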

(If I needed any persuasion that payment card fraud was still a problem, I recently received a call from my bank alerting me that my debit card had been compromised. Someone had used what was obviously a cloned card to withdraw $300 at an ATM 30 miles away from where I live. The bank blocked the card when the fraudster attempted to make a withdrawal at another ATM. A few days later, my son’s debit card was compromised as well. In both cases, the money was refunded to our accounts and the dispute was closed in less than a week. When I posted a comment to the neighborhood Nextdoor social media site about the incident, dozens of people in my area said they had also been victims of payment card fraud. The speculation was that the issue occurred at a nearby convenience store, although nothing was proven.)

The current state of EMV affairs

By all appearances, EMV adoption among kiosk deployers essentially stands where it did a year ago. Deployers seem to be carrying on with existing equipment until the end of its lifespan, with any new deployments.

Part of the reason is likely, as mentioned in last year’s analysis, that the relatively low average transaction amount for many kiosks translates to less overall chargeback risk, which in turn means less incentive to upgrade. Given that risk, it doesn’t make much sense to invest in an upgrade if the deployer plans to swap the unit out in a year or two.

“For kiosks we have seen very little in the way of EMV retrofits of fielded kiosks running in mag stripe even though there are surface mount devices well suited to field retrofits available,” said Rob Chilcoat, president, North American Operations with UCP Inc., a provider of EMV-compliant chip-and-pin hardware and payment gateway solutions for attended and unattended card payment terminals in North America.

In addition, some of the concerns about whether a kiosk would be considered attended, “semi-attended” or unattended under EMV requirements may have been overblown.

The Path to EMV
What are some other risks in deploying non-EMV kiosks? Comments from the experts:

  • There are current deployers with standard ecommerce websites using a third-party shopping cart on their kiosks that have no clue about EMV. Kiosk software like KioWare can intercept the shopping cart MSR checkout and perform the EMV transaction; however, they still need the third-party shopping cart to know the transaction has succeeded, i.e., we need an API to call. This API is often lacking as most don’t care about kiosks and EMV integration, although it is slowly changing. This is definitely affecting existing kiosks going EMV, but it is also affecting new kiosk projects that had hoped to use their existing third-party shopping cart.
  • If a card data breach is tracked back to a kiosk, the merchant associated with that kiosk would be in hot water. This is why data in the clear between a card reader and a web hosted payment page (the old way of doing things) is such a PCI no-no.
  • Ultimately PCI compliance comes down to the merchant themselves. ISVs want to enable the merchants to use a PCI-DSS pre-certified solution, but that doesn’t completely relieve the merchant themselves from final PCI compliance. Implementing EMV pretty much removes mag stripe data from the environment except in cases where a card has no chip, or the chip is damaged. In the case of a card not having a chip, the issuer of the card would be the least compliant (culpable) party if the merchant is EMV capable. In the event of a damaged chip, this is why it is also important to implement end-to-end encryption, to render malware sniffing attacks unfruitful.

“’Semi-attended’ doesn’t exist as far as the PCI Security Council and EMVCo are concerned; a device is either a Cardholder Activated Terminal (CAT) or it isn’t in their eyes,” Chilcoat said.

“This ‘semi-attended’ term was coined by processors to justify using less costly attended devices at self-checkout and other indoor self-service scenarios where the kiosks are being tended to by an employee of the store,” he said. “This PCI gray area still exists and we do see people ordering attended devices from us for this purpose. We advise against it, but we can’t stop them from doing what they want with a terminal. It really comes down to what the merchant’s processor will allow.”

Still, deployers shouldn’t be lulled into a false sense of security by thinking a low transaction amount means they’re insulated from major losses. Yes, if a fraudulent card is used on a small transaction at the kiosk, it can just be considered a cost of doing business. On the other hand, if someone is able to collect cardholder data at the kiosk and then sell it on the dark web causing massive fraudulent transactions elsewhere, and that gets tracked back to a non-EMV compliant kiosk, it won’t be trivial to a kiosk deployer.

But for new projects, EMV is definitely the norm.

“In terms of kiosks, the biggest thing that’s changed is the move from EMV being an optional form of payment to a requirement for our customers,” said Bruce Rasmussen, director of sales with payment technology provider Ingenico Group.

“Currently we do not have any customers in the pre-deployment stage that are not already planning to support EMV now or in the next phase of their project,” Rasmussen said. “Additionally, merchants are continuing to redefine their customer interface to capture a new segment of the market, and payments continues to play a large role in this transformation.”

In particular, he said, there is a growing emphasis on supporting mobile wallets in payment solutions, which in turn drives demand for EMV contactless. With the majority of legacy cashless options only supporting magstripe transactions, merchants are putting an update to their payment solutions that accepts contactless at the top of their requirements.

“We see growth in contactless card payments and payments via smart phones driving growth in NFC adoption at the kiosk,” Rasmussen said. “The mandate from the card brands to support EMV contactless payments as of October 2019 is driving adoption for EMV since managing a contact and contactless certification may be the most economical and efficient use of resources to achieve a certification.”

Ultimately, although the process continues to be a gradual one, it’s only a matter of time before the vast majority of self-service kiosks in the marketplace are EMV-compliant.

“In terms of new kiosks, we have not shipped anything mag stripe only for a long time,” Chilcoat said. “I think overall EMV migration has hit a tipping point where chip card payments is the expected user experience and kiosk companies are seeing that and including it in their RFP requirements.”


Question For Day – Are kiosks installed prior to 2010 ADA regulations subject to 2010 regulations?

Question of the day – ADA Kiosk Compliance

Are kiosks installed prior to 2010 ADA regulations subject to 2010 regulations?

Ok, I’ll take a shot at this. My name is Craig Keefner and I work for Olea Kiosks, which is a highly skilled kiosk manufacturer and designer in ADA. Note that this is my personal opinion. The engineering design team never agrees with me 100%, usually for the better 🙂

“It depends…”.

What an answer eh…

The reason for that is that while there is no grandfather clause there is a “Safe Harbor” but it comes with conditions.

From the ADA National Network

The ADA does not have a provision to “grandfather” a facility but it does have a provision called “safe harbor” in the revised ADA regulations for businesses and state and local governments. A “safe harbor” means that you do not have to make modifications to elements in an existing building that comply with the 1991 Standards, even if the new 2010 Standards have different requirements for them. This provision is applied on an element-by-element basis. However, if you choose to alter elements that were in compliance with the 1991 Standards, the safe harbor no longer applies so the altered elements must comply with the 2010 ADA Standards.

A “safe harbor” does not apply to elements that were NOT addressed in the original 1991 Standards but ARE addressed in the 2010 ADA Standards. These elements include recreation facilities such as swimming pools, play areas, exercise machines, miniature golf facilities, and bowling alleys. On or after March 15, 2012, public accommodations must remove architectural barriers to the elements listed above, which are subject to the new requirements in the 2010 Standards, when it is readily achievable to do so.

Here is another take on it from Chain Store Age

Losing “Grandfather” Status: Between 2007 and 2014, the amount of ADA charges doubled from $54.5 million to $109.17 million, with 3,190 suits filed in 2007 compared to 5,347 suits in 2014. But some retailers may assume – incorrectly – they are already covered due to “grandfathering” rules.

Any development or remodeling completed using the previous 1991 ADA standards before the new changes became effective March 15, 2012 will be grandfathered as compliant with the ADA. However, if any element that meets the 1991 requirements is altered, it must then meet the newer standards, and the “safe harbor” no longer applies.

Complicating things here can be local and state laws (Unruh in California for example).

That’s why I will say, “it depends...”.

To be sure, having said all that doesn’t mean people are not necessarily going to sue. Some lawyers are more concerned with how much they can negotiate from you than whether it is right or wrong.

And if the units do not meet 2010 requirements, is it also “the better thing to do” to bring the units up to code, or at least mitigate in some way? That could forestall a frivolous suit, which will cost thousands no matter what.

For more “opinion” like this on all types of subjects be sure and visit The Lab website, which is run by Olea. I’ll be doing a writeup on the kiosk market size and get into what exactly is a kiosk when we talk market size and units. Are ATMs a kiosk? Or POS checkouts? Or are they their own singular-purposed market which just so happens to incorporate some characteristics of a typical kiosk? If anything, I can guarantee you that I am opinionated...

COMMENTS

On the article, the Safe Harbor or even the ABA (Architectural Barriers Act): according to the DOJ, no building is supposed to have to comply if built prior to the enactment of implementation in 1992. However, lawsuit judgements have been altering that course even though the DOJ claims old construction vs. new construction. So grandfathering in is only a delay phase.
When Capitol Hill had to change things up... Old building, right. 🙂
I would add in the ABA in your article. It mainly pertains to the Government buildings, but it slings over to the accessibility through barriers in the ADA with no mention of safe harbor.
Steve Taylor with Taylor Stands and working head of ADA for ETA.
Credits
Steve Taylor with Taylor Stands
Mike James with iPadKiosks
