Tag Archives: Unattended

Where is EMV for Kiosks in 2019? An EMV Update

EMV Update – Unattended

The deadline for merchants to bring payment devices into compliance with EMV standards passed more than three years ago, but there are still non-compliant devices in the marketplace.

otiKiosk provides kiosk system developers with an easy and affordable way to integrate a pre-certified EMV payment acceptance solution
otiKiosk provides kiosk system developers with an easy and affordable way to integrate a pre-certified EMV payment acceptance solution

A year ago, KioskIndustry.org published a piece looking at the state of adoption of Europay, Mastercard and Visa (EMV) requirements among kiosk deployers in 2018. The bottom-line findings were that while kiosk manufacturers were stressing the need for EMV-compliant solutions for new projects, many deployers planned to keep current non-compliant solutions in the field until the end of their lifespan.

Now that a year has passed since that analysis, has anything changed? Where do things stand now?

EMV Compliance continues to expand

To recap, EMV is defined as “a payment method based upon a technical standard for smart payment cards and for payment terminals and automated teller machines that can accept them.” EMV “smart cards” store their data on integrated circuits in addition to the traditional magnetic stripes. According to financial services firm FirstData, EMV chip cards transmit a variable algorithm that changes with each transaction, making the data more secure than what’s found on magnetic stripe cards.

Under EMV standards, merchants had until Oct. 1, 2015, to make their payment processing equipment EMV-complaint. If a fraudulent transaction occurred at a merchant who had not upgraded their equipment, the merchant would eat the cost of that transaction along with any fines or fees that might be assessed.

And while EMV standards were relatively clear for in-person transactions, such as those at an attended checkout register at a grocery store, they were a bit murkier when it came to transactions at an unattended device, such as a self-service kiosk.

Although payment card issuer Visa doesn’t break out kiosk-specific statistics, it does track overall EMV adoption. By most measures, the process seems to be rolling along.

As of December 2018, more than 3.1 million merchants now accept chip cards, according to Visa statistics, compared with just 392,000 merchants as of September 2015. There are now 511 million chip cards in circulation compared with 159 million three years ago. Ninety-eight percent of payments accomplished at the end of 2018 were done using chip cards.

In addition, counterfeit fraud dollars dropped 48 percent over the 39-month period, according to Visa statistics, while that figure was closer to 80 percent for merchants who have completed the upgrade.

Still, that doesn’t mean credit-card fraud is going to disappear. According to research by intelligence firm Gemini Advisory, as of November 2018 chip-enabled cards represent 93 percent of the more than 60 million payment cards stolen in the past 12 months, thanks to the lack of U.S. merchant compliance with the EMV implementation.

Other Gemini findings include:

  • 45.8 million or 75 percent are Card-Present (CP) records and were stolen at the point-of-sale devices, while only 25% were compromised in online breaches.
  • 90% of the CP compromised U.S. payment cards were EMV enabled.
  • The United States leads the rest of the world in the total amount of compromised EMV payment cards by a massive 37.3 million records.
  • Financially motivated threat groups are still exploiting the lack of merchant EMV compliance.

In addition, a new type of card fraud is gaining in popularity. Unlike the skimmers fraudsters attached to gas pumps and other devices to capture credit card information (one of the types of fraud EMV was designed to eliminate) a “shimmer,” according to Krebs on Security, fits in the card slot between the chip on the card and the chip reader — recording the data on the chip as it is read by the underlying machine. The fact that the device fits in the slot itself instead of fitting over the card reader, it’s difficult to spot.

Here’s how Krebs described shimming in 2017:

“Data collected by shimmers cannot be used to fabricate a chip-based card, but it could be used to clone a magnetic stripe card. Although the data that is typically stored on a card’s magnetic stripe is replicated inside the chip on chip-enabled cards, the chip contains additional security components not found on a magnetic stripe.

“One of those is a component known as an integrated circuit card verification value or “iCVV” for short — also known as a “dynamic CVV.” The iCVV differs from the card verification value (CVV) stored on the physical magnetic stripe, and protects against the copying of magnetic-stripe data from the chip and using that data to create counterfeit magnetic stripe cards.”

The weakness a shimmer exploits lies with the card issuer as opposed to the payment device.

“The only way for this attack to be successful is if a [bank card] issuer neglects to check the CVV when authorizing a transaction,” ATM giant NCR Corp. wrote in a 2016 alert to customers. “All issuers MUST make these basic checks to prevent this category of fraud. Card Shimming is not a vulnerability with a chip card, nor with an ATM, and therefore it is not necessary to add protection mechanisms against this form of attack to the ATM.”

(If I needed any persuasion that payment card fraud was still a problem, I recently received a call from my bank alerting me that my debit card had been compromised. Someone had used what was obviously a cloned card to withdraw $300 at an ATM 30 miles away from where I live. The bank blocked the card when the fraudster attempted to make a withdrawal at another ATM. A few days later, my son’s debit card was compromised as well. In both cases, the money was refunded to our accounts and the dispute was closed in less than a week. When I posted a comment to the neighborhood Nextdoor social media site about the incident, dozens of people in my area said they had also been victims of payment card fraud. The speculation was that the issue occurred at a nearby convenience store, although nothing was proven.)

The current state of EMV affairs

By all appearances, EMV adoption among kiosk deployers essentially stands where it did a year ago. Deployers seem to be carrying on with existing equipment until the end of its lifespan, with any new deployments.

Part of the reason is likely, as mentioned in last year’s analysis, that the relatively low transaction averaged for many kiosks translates to less overall chargeback risk, which in turn means less incentive to upgrade. Given that risk, it doesn’t make much sense to invest in an upgrade it of the deployer plans to swap it out in a year or two.

“For kiosks we have seen very little in the way of EMV retrofits of fielded kiosks running in mag stripe even though there are surface mount devices well suited to field retrofits available,” said Rob Chilcoat, president, North American Operations with UCP Inc., a provider of EMV-compliant chip-and-pin hardware and payment gateway solutions for attended and unattended card payment terminals in North America.

In addition, some of the concerns about whether a kiosk would be considered attended, “semi-attended” or unattended under EMV requirements may have been overblown.

The Path to EMV
What are some other risks in deploying non-EMV kiosks? Comments from the experts:

  • There are current deployers with standard ecommerce websites using a third-party shopping cart on their kiosks that have no clue about EMV. Kiosk software like KioWare can intercept the shopping cart MSR checkout and perform the EMV transaction; however, they still need the third-party shopping cart to know the transaction has succeeded; ie, we need an API to call. This API is often lacking as most don’t care about kiosks and EMV integration, although it is slowly changing. This is definitely affecting existing kiosks going EMV, but it is also affecting new kiosk projects that had hoped to use their existing third-party shopping cart.
  • If a card data breach is tracked back to a kiosk, the merchant associated with that kiosk would be in hot water. This is why data in the clear between a card reader and a web hosted payment page (the old way of doing things) is such a PCI no-no.
  • Ultimately PCI compliance comes down to the merchant themselves, ISVs want to enable the merchants to use a PCI-DSS pre-certified solution, but that doesn’t completely relieve the merchant themselves from final PCI compliance. Implementing EMV pretty much removes mag stripe data from the environment except in cases where a card has no chip, or the chip is damaged. In the case of a card not having a chip, the issuer of the card would be the least compliant (culpable) party if the merchant is EMV capable. In the event of a damaged chip, this is why it is also important to implement end-to-end encryption, to render malware sniffing attacks unfruitful.

“’Semi-attended’ doesn’t exist as far as the PCI Security Council and EMVCo are concerned; a device is either a Cardholder Activated Terminal (CAT) or it isn’t in their eyes,” Chilcoat said.

“This ‘semi-attended’ term was coined by processors to justify using less costly attended devices at self-checkout and other indoor self-service scenarios where the kiosks are being tended to by an employee of the store,” he said. “This PCI gray area still exists and we do see people ordering attended devices from us for this purpose. We advise against it, but we can’t stop them from doing what they want with a terminal. It really comes down to what the merchant’s processor will allow.”

Still, deployers shouldn’t be lulled into a false sense of security by thinking a low transaction amount means they’re insulated from major losses. Yes, if a fraudulent card is used on a small transaction at the kiosk, it can just be considered a cost of doing business. On the other hand, if someone is able to collect cardholder data at the kiosk and then sell it on the dark web causing massive fraudulent transactions elsewhere, and that gets tracked back to a non-EMV compliant kiosk, it won’t be trivial to a kiosk deployer.

But for new projects, EMV is definitely the norm.

“In terms of kiosks, the biggest thing that’s changed is the move from EMV being an optional form of payment to a requirement for our customers,” said Bruce Rasmussen, director of sales with payment technology provider Ingenico Group.

“Currently we do not have any customers in the pre-deployment stage that are not already planning to support EMV now or in the next phase of their project,” Rasmussen said. “Additionally, merchants are continuing to redefine their customer interface to capture a new segment of the market, and payments continues to play a large role in this transformation.”

In particular, he said, there is a growing emphasis on supporting mobile wallets in payment solutions, which in turn drives demand for EMV contactless. With the majority of legacy cashless options only supporting magstripe transactions, merchants are putting updating their payment solutions to accept contactless at the top of their requirements.

“We see growth in contactless card payments and payments via smart phones driving growth in NFC adoption at the kiosk,” Rasmussen said. “The mandate from the card brands to support EMV contactless payments as of October 2019 is driving adoption for EMV since managing a contact and contactless certification may be the most economical and efficient use of resources to achieve a certification.”

Ultimately, although the process continues to be a gradual one, it’s only a matter of time before the vast majority of self-service kiosks in the marketplace are EMV-compliant.

“In terms of new kiosks, we have not shipped anything mag stripe only for a long time,” Chilcoat said. “I think overall EMV migration has hit a tipping point where chip card payments is the expected user experience and kiosk companies are seeing that and including it in their RFP requirements.”

EMV Update Credits and Members:
EMV References and Article

Ingenico EMV Q&A – EMV adoption in the self-service industry: What’s taking so long?

ingenico kiosk

EMV adoption in the self-service industry – Q&A With John Menzel of Ingenico

Editor’s NoteThis article originally appeared in ATM Marketplace and just recently in Kiosk Marketplace . Thanks! For more information on EMV options we suggest you visit the Ingenico Unattended Self Service website.

Industry observers agree the unattended sector has lagged attended retail in adopting EMV. Payment equipment manufacturers have introduced a number of EMV-compliant devices, but many terminals have yet to implement them.

John Menzel, senior self service solutions manager at Ingenico Group, a leading payment equipment manufacturer, recently offered his insights on progress in the self service sector toward EMV compliance.

Following are Menzel’s answers to questions posed by Kiosk Marketplace.

Q: What is the current state of EMV adoption in self-service?

A: EMV adoption in the self-service industry is still in the beginning stages of adoption. However, there are steps being taken from both a hardware and software perspective to increase the security of the payment devices deployed in self-service.

This includes PCI-certified devices running in a point-to-point-encrypted environment with secure read encrypted device capability, known as SRED. In this manner, all card data is encrypted at the time of the transaction to ensure security. This is an interim step before full EMV compliance.

Q: How do EMV compliance regulations affect kiosk operators?

A: Gaining EMV compliance is a process which needs to be completed any time a new combination of payment device, software and gateway/processor is created. The steps taken include utilizing PCI-certified devices, working with qualified security assessor auditors, working with certified payment gateway providers and changing the flow of the software applications to support EMV tags, etc.

So it is a step-by-step process that is a different motion and requires different partners than operating in a nonsecure world. Couple this with the fact that many operators don’t feel the need to upgrade, since they are not currently liable for fraudulent transactions under $20.

Q: What are the benefits of EMV technology?A: There are many benefits of utilizing a PCI-certified EMV solution, including insuring not only end-to-end security of the payment transaction, but insuring rogue devices and skimmers can’t be inserted or card readers removed without anti-tamper switches going off.From a consumer perspective, it gives them confidence to utilize their payment cards when making a purchase at an EMV-enabled self-service kiosk, which provides a similar experience to that which they are used to at a brick-and-mortar retailer.

From an operator perspective, it gives them the future protection of being EMV compliant, especially as higher ticket items are being offered from unattended solutions, like Best Buy’s kiosks.

Q: How does EMV acceptance improve the customer experience?

A: The more the self-service industry can emulate the brick-and-mortar experience, the better. Consumers are now used to inserting their chip cards into EMV readers at supermarkets, retail stores, quick-serve restaurants and more. Consumers understand EMV use — dipping their chip card into a reader — is supposed to be more secure. Implementing EMV at self-service gives them that security and confidence.

Q: How can kiosk operators seamlessly make the switch to EMV?

A: I wouldn’t call it a seamless experience to upgrade from non-PCI compliant, non-EMV solutions. It is more an evolution with incremental steps being taken.

This includes utilizing PCI-certified payment devices, upgrading the software applications to be EMV compliant, utilizing payment gateways that can operate in P2PE manner and undergoing quality security assessor audits of the end-to-end solution.

The future state of self-service is turning the kiosk into a stand-alone store, and secure payment is one of the services that needs to be offered and integrated into the solution for it to be effective.

 


Elliot Maras
 is the editor of KioskMarketplace.com and FoodTruckOperator.com.