Irony is in the cards. Literally.
A year ago I attended both the PSCU and CSCU annual meetings and "EMV" were these three little letters that were preceded by phrases such as "start thinking about" and "you need to get ready for." EMV, which stands for Europay, MasterCard, Visa and is a global security standard for chip-based plastic cards aimed at reducing fraud, was still sufficiently unknown that I recall one person even raising their hand at one of the meetings (mind you, after a one-hour discussion) to ask what, exactly, is EMV?
All that changed with the late 2013 data breach at Target that dramatically spiked interest among consumers and issuers about the risks of mag-stripe cards. The irony, however, remains that EMV would have done nothing to stop the Target breach.
Despite that small detail, six months later it hasn't stopped all the publicity. Now, no one is asking what EMV stands for, instead card portfolio managers want to know what to do to get in compliance with new security standards and the so-called chip cards. That was obvious at CSCU's meeting last week in St. Petersburg when the CUSO's CEO, Bob Hackney, acknowledged that "it's hard not to talk about EMV."
Get Ready To 'Dip'
"We have 2,400 member credit unions that range in sophistication. We have had to take a few by the hand to help them through EMV," he said. "There is a certification process and a lot of education involved, not just for employees but for members."
Part of that change for members will be in how chip cards are used, as it will involve a transition at POS that Hackney described as moving from "swiping to dipping. For many consumers it's going to be a big change after using the mag stripe for 20 years."
That big change isn't just limited to members, it applies to credit unions and their reissuance strategies, too. That's because those three letters, EMV, come with three others, ROI. Chip-based cards are much more expensive to issue than mag stripes, to the tune of several dollars per card.
"Credit unions are going to have to come to grips with it," acknowledged Hackney. "It's hard to quantify all the dollars when you have a breach. You have to look at how much internal fraud you've had, and how much time you are spending on this, especially when members overwhelm the call center."
EMV isn't the panacea it has sometimes been pitched as. It does render compromised data useless, but only at POS, not for card-not-present transactions. In fact, one analyst at the CSCU meeting even said the advent of EMV in the U.S. could increase fraud, which has been the case in Brazil since EMV was introduced. The analyst described the scenario as "squeezing the balloon."
"EMV will help reduce counterfeit fraud, so the fraudsters will go to [card not present], and if they can get a PIN, to the ATM," said Hackney.
If anything, as Hackney and other analysts made all too clear last week, EMV could stand for "expect more violations," as scammers are going to be doing anything but calling it a day.
The march toward EMV in plastic cards is now on, with Hackney saying CSCU is "very happy" with the work its CUs are doing. "There is huge progress from a year ago," he said.
Visa and MasterCard have set an October 2015 date for a shift in fraud liability from payments networks to merchants, and while many merchants have yet to spend the money on EMV-enabled terminals, they know they'll have to. CUs will be spending, too, on not just the new cards but member education.
As one analyst emphasized at the CSCU meeting, "There is a change coming and I want you to be ready. Understand that there are some strategy decisions that need to be made, or you will end up being 12 X's followed by four digits in someone else's strategy."
If you're just getting up to speed on EMV, keep pedaling, because there are five more syllables for every credit union to learn: tokenization (and this has nothing to do with what's going on in Colorado and Washington). Instead, this is the process of replacing card numbers with a separate, unique set of numbers that have no bearing on the original data, so even if a breach occurs the info is useless. The card associations are already moving on tokenization, with Visa.net setting a June 2014 deadline for its endpoints to handle tokenized data.
The good news for credit unions: they don't have to do anything.
The Rewards From Rewards
Beyond EMV, Hackney also urged greater attention to rewards programs, which as anyone who owns a TV knows, have gotten very competitive as major players have re-entered the market. I mean is it even possible to see a photo of Samuel L. Jackson and not think, "What's in your wallet?" (For credit unions, the answer is "Capital One's hand," and there's a reason, which I'll cover in a future column).
"Rewards will drive models of incremental improvement. That is part of the process," said Hackney. "You have to find ways to create loyalty with members, and not just with cards, but with other products, too."
Frank J. Diekmann can be reached at
