I’m in the US this week discussing EMV migration with a number of major institutions – for those of you that don’t know (where have you been?!) the liability shift has been announced by both MasterCard and Visa for this region with a number of other deadlines thrown in for good measure.
The first of these is in April 2013, when MasterCard, Visa, American Express, and Discover will require that acquirers, service providers, and sub-processors have the capability to process any EMV point of sale (POS) transaction, both contact and contactless. No mean feat to accomplish – 0 to EMV in less than 12 months when it took Europe well over 12 years to reach this milestone. Further to this are a few more important dates – primarily October 2015, when the liability shift kicks in. This essentially means that any non-EMV compliant party in the transaction will bear the cost of counterfeit or lost & stolen fraud.
It’s likely that most US issuers will opt for the same CVMs that they use today when deploying EMV – i.e. at POS they’ll use Chip & Signature for Credit and then either Signature or PIN for debit. What’s not clear, though, is how many of the US debit brands will move towards EMV in a reasonable time frame, meaning that the complete migration will probably take as long as Europe, if not longer.
One of the biggest benefits to the US going (just about) last is the lessons learned from other migrations. The downside will be that the US has a unique payments infrastructure with additional parties not prevalent in payment models elsewhere – networks, processors, VARs, ISOs, credit unions and more – plus a scale that dwarfs players in most other markets.
The biggest change that comes with EMV, however, is the need to ensure that every component of the payments infrastructure is fully certified and remains so – as well as ensuring that any changes or updates don’t have an impact on the end-to-end integrity. Selecting certified products has been made pretty easy by EMVCo and the brands – there are hundreds of EMV-certified terminals and kernels on the official lists. However, application development and subsequent certification of the packaged end product (terminal, application, implementation) will be a challenge for the diverse middlemen in the US market, where competition is hot and margins tight. It also presents new challenges for estate management – any changes lead to at least 4 new certifications with the main brands – and deployment of application updates across such a broad landscape can also be problematic.
So my advice to those entering the migration – test long, certify short – make sure that you’re going to pass any certifications easily to avoid getting bogged down in the inevitable certification queues and having to bear costly delays or iterative expenses. Although they’re ramping up services at the card brands, a processor with hundreds or even thousands of new card profiles to certify could find that just getting this job done before the liability shift is a major challenge. The only way to hope to achieve this is to test, test, test – and then when you’ve done that, test some more so that certification is a formality and not a bottleneck. Testing is all too often an afterthought in the payments world (and other IT sectors come to think of it) but as you sit down to plan your EMV migration, start with the test plan.