It's safe to assume the EMV adoption will be successful, but it is still going to take some time and might never achieve 100% ubiquity in the U.S.
Several things are holding the migration back, with one of the major factors being a lack of awareness of the standard.
Lack of Awareness. Its interesting to look to the United Kingdom, where EMV technology first gained traction in 2004. By 2006, the U.K. was close to full migration, with more than 99% of transactions verified via chip-and-PIN cards.
However, this didnt happen by accident. For nearly two years prior, the public was on the receiving end of a major PR campaign on the value of EMV technology. As EMV was rolled out, everyone understood the importance of the transition and was generally on board with the change.
In the U.S., there hasnt been a similar push from anyone to explain to the public what EMV is and why its necessary. In fact, many smaller merchants don't even know what EMV is.
Both card issuers and the banks need to do a better job of talking about EMV. One would think that at least the big card issuers and retailers would use this to a marketing advantage, using EMV compliance as proof that they care about their consumers best interests.
Migrating to EMV technology means implementing an EMV-compliant card reader. Even though EMV terminals have become quite economical, theyre not free, and merchants are still understandably not excited about having to buy new hardware.
True, come October the liability shift will put merchants on the hook for preventable card-based fraud. But many have made the analysis and just dont feel its worth it. Its a carrot-and-stick scenario that isnt quite big enough to work: Neither the carrot (the easing of PCI requirements) nor the stick (the liability shift) seem to be enough to warrant widespread changes. One would think that these things, plus the ability for EMV terminals to support NFC technologies such as Apple Pay, would help to justify the transition. But given current market realities, smaller merchants are still likely to be slow to adopt.
Eventually, as terminals break or the merchant has some other reason for buying new equipment, the upgrades will happen. But until then, the costs of EMV adoption will make ubiquity an uphill battle.
EMV is also being touted as the answer to credit card fraud. However, what EMV solves for represents only a small portion of the overall risk. Even with EMV, consumer data is still potentially exposed and exploitable. A more comprehensive solution would be a three-pronged approach: EMV + point-to-point encryption (P2PE) + tokenization. Heres why:
EMV protects against card counterfeiting. EMV cards store cardholder data in a smart chip, which makes it far more difficult to create forgery copies of the cards than those with magnetic stripes.
P2PE protects the data while its in the merchants system. With P2PE, the credit card terminal encrypts the card data the entire time the data exists within the merchants system. If a hacker is able to compromise a merchants system, they will encounter an encrypted block of data that is monumentally more difficult to decrypt and use.
Tokenization protects data stored in the merchants system for future or recurring payments. With tokenization, the card data is sent to the processor to become tokenized. The merchant system then stores this token not the actual data to use for future transactions. Tokens are unique to the merchant and the processor, making them completely unusable by anyone else should a breach happen.
Other security options are also emerging. For example, Apple Pay has caught the eye of many in the business.
One big advantage Apple Pay has over EMV is security. Unlike either EMV or P2PE, with Apple Pay, the merchants system never receives the card holders actual card number. Instead, Apple Pay provides a surrogate card number, in a manner very similar to tokenization solutions that have been used effectively for many years now. If the surrogate card data becomes compromised, a new surrogate token can be provided, without the need to completely re-issue the actual physical card. While this is not quite as effective as P2PE at preventing the compromise of exploitable data, it does help ease the potential pain should a compromise occur.
Is it possible that Apple Pay could leapfrog EMV adoption because it solves for more?
Of course, Apple Pay is currently only a solution for those consumers with the iPhone 6. But whos to say what might happen if Apple Pay takes off? What other new and broader-use applications might emerge?
Some merchants may adopt a wait-and-see attitude. However, we recommend they make the investment now in EMV + NFC terminals. This will allow merchants to strategically position themselves to accept whichever technology takes off. My prediction is that both technologies will ultimately be adopted, so the smart merchant will solve for both upfront with one nominal purchase.
Jeff Thorness is CEO of Forte.
