EMV is getting real in the US as consumers are now getting chip cards in the mail. But if it’s going to take many years before all merchants are able to accept chip cards and all consumers carry them, why not skip straight EMV and go straight to mobile, since that’s where we’re headed anyway? PYMNTS CEO Karen Webster posed that question to Gemalto SVP Jack Jania and his response may surprise you.
KW: You’ve been around the chip business for quite some time, and here we are in the U.S., ready to implement EMV. Why is EMV so important to the U.S.?
JJ: The U.S. has maintained the magstripe infrastructure for over 30 years and has fallen behind the rest of the world in regards to security methodology for credit card payment. This has caused financial institutions problems with some of their best customers over their years, as these customers started experiencing card declines when they went to other regions of the world. So, it kind of brought EMV to the forefront for a select few people in the U.S. about 2-3 years ago, and now what you’re seeing is banks, in alignment with global payment brands, bringing out this higher security technology to the rest of the consumers in the U.S.
KW: We spoke earlier about how EMV is an opportunity to take the next step on the rung to increasing the security level and mitigating fraud associated with cards, and that skipping a few steps on the rung wouldn’t necessarily be advantageous given the interoperability issues that you just pointed out. What’s the argument against skipping a rung if it’s going to take years for EMV to be fully deployed, and years for us to move to a mobile solution, which is where we will likely end up?
JJ: I believe, from a timing perspective, it would leave consumers more vulnerable during the shift. Everyone sees the Holy Grail of mobile payment, but in reality, if you look at the numbers, many people will not have access to mobile payment, and it won’t be as ubiquitous as the plastic form factor. Moving the plastic form factor to EMV will make it more accessible to a larger distribution of people in the U.S. because mobile devices will require upgrading terminals to support EMV and NFC, and making sure all terminals are configured from a back office perspective to support NFC and mobile payment.
The real question is: Do we really want to leave the mass population of consumers vulnerable to payment fraud when EMV is available today? And also, you cannot underestimate the global interoperability benefits that EMV brings, and you don’t want to put merchants and financial institutions at a disadvantage in a global payment ecosystem.
KW: So EMV is real. I actually just got my new Bank of America credit card with a chip on it. But I didn’t get a PIN with it, the chip isn’t contactless, and my expiry is 2017. Bank of America is one of the biggest card issuers in the U.S., and you just mentioned NFC supporting mobile payments and contactless cards. But why do you believe, given the expiry cycle of my card and others, that EMV is in fact the pathway to contactless payments by card or phone?
JJ: EMV is driving the upgrade of the point of sale infrastructure. It’s been reported by many of the POS manufacturers that the new terminals coming out to support the EMV migration underway in the U.S. are coming hardware enabled with NFC functionality. However, many of them are being installed “dark,” meaning that the hardware is there but from a back office perspective, they have not been enabled. So I look at EMV contact payment facilitating the POS infrastructure upgrade. Once the POS systems are all supporting EMV, it’s just a small step to bring them to support contactless payment, whether it is a dual interface card or mobile device.
KW: I just read a story about a report in the New York Times that talked about one of the biggest security breaches facing retailers, which involves the fraudsters hacking into networks that employees use to access their networks remotely, and using that to access POS systems and steal card credentials and more. My card that I just got still has a magstripe on it, and doesn’t require a PIN to use it. How is EMV helping to protect fraud in that scenario?
JJ: I didn’t see that particular article, but what I can speak to are the security features that a chip and signature card provides consumers, and the data on the magstripe itself is different than just a magstripe-only card. For example, if you try to use a chip and signature card in an EMV-enabled terminal as a magstripe card, the additional data on the magstripe will force you to process that transaction and insert your card and conduct it as an EMV transaction. That adds an additional level of security over a standard magstripe card.
KW: Let me ask you about fraud and moving online. As in-store payments move digital, and as consumers have apps they are downloading and registering cards to, does EMV have a role to play in protecting cardholders, retailers and issuers in that scenario?
JJ: Yes, EMV does have a role to play on the mobile side. We can actually store credentials through trusted service management into either embedded or UICC secure elements in mobile devices.
In regards to online payment, the payment brands are developing and finalizing specifications and methodologies. There are several different ways to deal with card-not-present online transactions through tokenization. However, moving forward, I think we will see mobile devices also turn into mobile POS terminals to be used to conduct our own personal transactions. There will be a blurring of what is an online transaction from a desktop PC versus one on a mobile device.
KW: I just interviewed an entrepreneur in the mobile payment space who is based in Europe and therefore had to build his platform to accommodate EMV at the start. We were chatting about the experiences that he had at the time, when he was trying to get the card networks to understand that chip and signature was as effective as chip and PIN. He said the magic is in the chip, and not the PIN. Do you agree?
JJ: Well, there are security elements in the chip. But when you look at the security methodology, we always like to have something that we like to call two-factor authentication – something you physically have and something you know. That is the key strength of EMV. Chip is always that secure something you have, that token to conduct the transaction. My understanding of the issue of chip and signature versus chip and PIN really comes from the merchant space of having to make sure they have all the records to support the signature portion of the transaction.
KW: Bring us up to date on things that are happening now. It’s August, and we are getting close to the one-year mark for the time that merchants and issuers have to get ready for the liability shift. What kind of activity are you seeing taking place now and how do you expect it to change or accelerate?
JJ: What I can say is there is a higher amount of activities from financial institutions in launching their EMV portfolios. The amount of activity in the first half this year is substantial, and the marketplace will easily have over 100 million EMV cards delivered to customers before the end of 2014. And that can easily be 2 or 3 times that by the time of the liability shift. Financial issuers are well underway to deploying these products to mainstream consumers in all of their portfolios. That’s a substantial change from 24 months ago. There’s no real feedback on the merchant side, but from the issuing side of the market, the activity is very strong.