Contactless EMV – What is the Value to Retailers?

Retailers often ask, “What new POS equipment should I buy?” My answer has been the same for almost 4 years: “Nothing, yet.” My logic is this: The upcoming liability shift occurs in October 2015 for merchants that have not deployed EMV. So, any retailer that wants to accept Visa, MasterCard and/or Discover after October 2015 needs to buy and deploy EMV equipment before then, if they have not already.

But EMV is predominately a contact sport -meaning that two computers need to plug into each other physically for it to function, which is why a contact EMV card needs to be inserted (or “dipped”) into the physical slot in the terminal until the transaction is over.

So, how do you ‘dip’ a Smartphone into a slot? There are two ways:

1) Everyone carries around a wire with an attachment on one end for their Smartphone, and a card-shaped dongle on the other end to insert into a POS machine. This scenario is so inconvenient that I would be amazed if a single transaction is ever completed this way.

2) Much more likely is a contactless connection between the Smartphone and the POS. But how?

VeriFone Systems, Inc. (NYSE: PAY) announced that Vantiv, Inc. (NYSE: VNTV) has certified VeriFone’s EMV/NFC-enabled payment processing solution. And, the solution is not only PCI compliant, it is complying with the new PCI PTS 3.0 standards, which essentially covers all known PCI requirements between now and 2017, including the liability shift in October 2015. This product, and products like it that will soon come, are the most logical next step in mobile commerce. Vantiv’s share of the US Merchant Acquirer market is approximately 13%.

What is the key insight in to this announcement? The bar is set: EMV systems in the US will be NFC enabled, too.

EMV IS BETTER

There are only 2 remaining predominant technologies that allow a credit card to divulge its sensitive information electronically to a POS: magnetic stripe, and EMV.

For those of you who are wondering, the jury is back. EMV is better, not just by a little but by a very wide margin. According to the Financial Fraud Action UK, face–to–face card fraud has declined by 69% since EMV was implemented in 2004. Case closed. EMV is better than magnetic stripe.

PROGRESS TOWARD NFC-EMV

Many products on the market have both technologies included: NFC chips and EMV capabilities. But getting both systems to work together, and then getting a processor to accept the whole process, are remarkably different matters.

Any item capable of physically connecting to any one of the hundreds of thousands of EMV terminals around the world needed to be the size and shape of a credit card to properly make contact. So, unless your smart phone is the size and shape of a credit card, using a smart phone with EMV would be either impossible or prohibitively cumbersome.

Although a Smartphone can easily have the computing power to handle an EMV transaction, and the smartphone is certainly capable of connecting to a variety of wireless, (or contactless) systems, few examples exist of systems that can process an EMV transaction through NFC using all of the ‘chip & PIN’ functionality and protocols that are responsible for the great reduction in face-to-face fraud.

Gemalto offers a dual chip which can perform cont or contactless transaction on EMV. According to the Gemalto website:

Dual interface: for EMV markets including one chip with both contact and contactless interface This card range is fully certified by the major payment associations and conforms with the Visa payWave, MasterCard PayPass , American Express ExpressPay and JCB J/Speedy specifications.

Visa is in the game, too, but only for their plastic card products so far. Their Visa Mobile Smartphone product will be released this fall. Also, according to Visa’s Canadian web site:

Visa payWave uses EMV chip technology, which provides enhanced security and protection from fraud. Visa payWave transactions are processed through the same secure and reliable network used for all Visa transactions.

ANY SMARTPHONE WILL DO

Originally, there were some concern that PCI compliance would extend to the smart phone equipment itself, meaning that some smart phones would be allowed to perform these transactions, and others would not. But, PCI SSC is working on mobile payment requirements, so that part of the equation remains to be seen. In a statement from Verifone via e-mail yesterday, they said, “The consumer’s device does not effect the PCI PTS 3.0 approval. There is currently no certification program between a device and a handset. Each side goes through an independent approval process.”

LET US NOT FORGET PCI

This year, 63% of every dollar spent at every retailer in the United States will be on a payment card, and every retailer that accepts Visa, MasterCard, Discover, or a combination of these cards, needs to be PCI compliant. Some believe that PCI audits are critical to the payment process, while others bristle at the requirements.

Whatever camp you are in, PCI remains a fact of life for all merchants that want to accept credit cards for the foreseeable future. So, while new and innovative payment methods and payment systems are interesting, it seems illogical for a retailer to risk losing their ability to accept Visa, MasterCard, and Discover payments by failing a PCI audit due to unsanctioned technology.

MUCH REMAINS TO DO

It is the journey over? Can we declare winners? Certainly not. The announcement last week is like what happened when Delaware became the first “state” to ratify the U.S. Constitution in 1787. The system (of government) was approved; all that remained was the small matter of building a nation. I don’t pretend that mobile commerce will evolve along the same lines as nation–building, the point is that there is significant work lies ahead.

For example, Vantiv is only the first processor to certify an NFC/EMV system, but there are a few more processors in the marketplace. Whether or not they follow suit over time remains to be seen, but the predicate case has been established.

Also, the products that run in this new system are also far from certain. While Google wallet and Isis appear to have taken a lead position in the US, and both companies already use both NFC and smart phone technology, it appears that the announcement yesterday will only strengthen the position of each respective company. But, Apple has not played its cards yet, Amazon is clearly growing something, PayPal successfully launched a national effort, and new startups appear daily. So, the winners and losers of the new ecosystem remain to be seen.

And let us not forget retailer adoption and consumer interest–universally acknowledged as being the real decision-makers in this emerging industry.

The system to create unprecedented convenience for new products and services now exists. How these will be used will be a closely watched issue over the next 2 to 3 years because the answer to that question whatever the flow of about $13 trillion every year.

(Thanks to @Cisco_Mobile for referring me to some data that I used in this article.)

© 2012 by David W. Schropfer

Published by

David W. Schropfer

David W. Schropfer is the CEO of SAFE (Smartphone Authentication For Everyone), a cybersecurity company in New York (www.theSafe.io).  Every day, he and his team of professionals keep the people who use The SAFE Button protected from some of the most common traps, hacks and attacks that target computer systems of all sizes. David is the author of the bestselling cybersecurity book, Digital Habits: 5 Simple Tips to Help Keep You and Your Information Safe Online. His previous books, including The Smartphone Wallet and industry whitepapers, predicted some of the biggest trends in the payments, mobile, and security industries.  Since graduating Boston College, David earned an Executive MBA from the University of Miami.