What the current Volkswagen certification scandal has shown us is that even the most reputable of companies are willing to tweak things ‘just to get through the certification’. It reveals a side of industry that few consider – and perhaps one inherited from our school days.
I remember all those years back when I was at school, I used to cram revision into the short period just before an exam – the aim was to get through the exam rather than worry about why I needed to know the stuff. In recent times this behaviour has worsened as schools compete in league tables and pressure on students increases – cramming courses and exam strategy are all important. And I suspect that this behaviour is reflected in adherence to certification in industry as well. Actually, I don’t just suspect it, I’ve seen it first hand when working for a (now defunct) terminal manufacturer. Back then, I believed that it was all part of product management – delivering a device that came with the right certifications was the most important thing. But that isn’t what it’s all about – it’s really about delivering a device that once in market will do the job that it’s specified to do – protect the integrity of the industry that we all work in.
So when a manufacturer (be it of cars, widgets or payment terminals) focusses on getting the certification rather than building a product that can be relied upon to do the job asked of it, it puts a whole sector at risk. In the US, this happens to be the diesel-powered car sector today – which was finally taking off after decades of public mistrust. Also today in the US, the public are being asked to put their faith into EMV terminals and cards that can equally be performance tuned to meet the needs of certification – and then behave quite differently once they’re in market. From our industry’s perspective, this means that kernels with switches may possibly be differently configured in the field or even updated without the certification body being notified. It also means contactless readers that have their voltage changed so that they pass distance certification – and streamlined terminals built purely to pass the certification tests (sound familiar?). In reality, devices in the field never get retested unless a problem occurs – and to be honest, why would they? Why would you look under the bonnet if the car is running smoothly?
The issue in our industry actually reflects the politics and funding of the certification body. We are technically self-policing – EMVCo is owned by the payment brands and is designed to protect the integrity of its owners’ networks. This in itself is a smart piece of logic. However, it only holds as long as the overriding concern of the owners is to protect the integrity of their networks – remember, sometimes the headline cost of integrity can be more than the headline cost of breaches or faults. And if those breaches or faults can be paid for by someone else then even better. This doesn’t mean that everything is broken – quite the contrary – but what it does mean is that there are loopholes, open to exploitation by companies willing to do so, that could be closed with investment in post-implementation testing, live sample devices or by more widespread use of end-to-end demonstration-like testing. If the ultimate aim is for an issuer only ever to decline a transaction due to insufficient funds then we’ve got to put more into ensuring the certification of the infrastructure is not only robust, but managed throughout the life cycle of deployed components.
Does this mean that our industry needs to look at additional cycles of testing on deployed scenarios (ETED) or even taking a ‘mystery shopper’ approach? Or does it mean that certification of our global card payment network needs to be taken out of the hands of a body that can be influenced and moved to an independent global standards body such as ISO? Better still, perhaps the certification body needs to become even more independent – more of a regulator and watchdog than a gatekeeper. I have my suspicions, but I would welcome suggestions from you all!