Our Blog

EMV v Apple Pay and the October 2015 mandate

Staying one step ahead of the hackers – that’s the noble aim of the 2015 EMV mandate for US merchants.

EMV

The mandate – a fraud liability shift – has been introduced due to a rapid escalation in POS fraud in the US. A recent LexisNexis report found that in 2013 US merchants lost, on average, 0.68% of revenue — up a whopping 33% from 2012. In addition to these fraud losses, merchants also incurred more costs, with each dollar of fraud costing them $3.08, compared to $2.79 in 2012. The recent high-profile data breaches at major US retailers – such as Target, Home Depot, and Kmart – has increased awareness but there’s still a lot of work to do.

The EMV mandate is the brainchild of the card schemes. They want all stakeholders involved in the payment processing chain to upgrade their systems in an effort to reduce POS/card-present fraud. The compliance deadline for all involved is October 2015. After this date any stakeholder in the payment processing chain – issuer, PSP, merchant, etc – with a non-EMV-compliant system will be liable for any fraud that occurs. However, it is estimated that just half of US merchants will be compliant come October 2015. The race is on to become compliant but merchants still need to know what they can realistically achieve in the coming months.

Merchants can be forgiven for being confused about what is happening right now in the US payments space. First there was the EMV mandate, then Apple Pay arrived on the scene. Apple Pay is a very attractive proposition but will it solve the merchant-side problem of what type of payments should they choose to accept?

Will Apple Pay render EMV unnecessary?

Apple Pay is the first implementation of the EMVCo’s new tokenization specifications, first revealed back in March 2014. It – as Tim Cook stated during its launch – is a secure, quick and easy method of payment.

The security aspect of Apple Pay is attractive to merchants as acceptance will instantly reduce the scope of their PCI compliance. When accepting a payment via Apple Pay no PAN will be stored on a merchant’s servers. Thus eliminating one of the key PCI requirements, i.e. do not store the PAN unencrypted. This is what merchants want to hear. Any reduction in PCI scope will be welcomed and with Apple Pay there’s no exposure to that all-important card PAN and therefore less exposure.

Each Apple Pay transaction – according to the Cupertino giant’s own press release – is authorised with a one-time unique number using a Device Account Number and instead of using the security code from the back of your card, Apple Pay creates a dynamic security code to securely validate each transaction.

Apple Pay in bricks and mortar stores will function as follows. An iPhone or Apple Watch user will hold their Apple device to a NFC-enabled terminal. The iPhone payment is authenticated by TouchID, while via an Apple Watch it is done so by a double click of a button on the side of the watch. It is simple and quick. Remember also that Apple will not charge merchants to use Apple Pay.

How EMV renders Apple Pay unnecessary

‘Apple Pay will change the way you pay’.

That’s a grandiose statement from Apple. Maybe so, but it won’t do it any time soon. Merchants need certainty, they exist to make money, not for lab testing. The security attractiveness of Apple Pay is somewhat negated by the fact that Apple Pay will not achieve widespread use. This is based on simple potential user numbers. According to comScore figures, Android was ranked as the top US smartphone platform in July 2014 with 51.5 percent market share, followed by Apple with 42.4 percent. More than half of potential smartphone consumers will not have an Apple device. That’s not factoring in all those consumers who do not have smartphones, those who will still rely on plastic and cash.

All this means that merchants will still need to have EMV card readers in their stores. To use Apple Pay a potential customer must be part of the Apple ecosystem, which means that customer must be signed up to iTunes and have provided their payment card details. Not every merchant will want to operate a terminal with both EMV card reader and NFC functionality. If comes down to cost, and it inevitably will, the merchant will obviously have to side with the EMV card reader.

When launched, Apple Pay will work in 220,000 retail outlets in the US. Of the 18 merchants announced at launch to be on board with Apple Pay, only one (Walgreens) is in the top ten retailers in the US. Indeed, two of the largest US retailers – Walmart (the number 1 retailer in the US) and Best Buy – have already been emphatic in their rejection of Apple Pay. Why? It’s the bottom line: cost. Both retail giants are adamant that implementing NFC scanners in their stores would not be prudent. A Best Buy spokesperson recently told the Wall Street Journal that the retailer previously ditched NFC scanners because they simply cost too much to maintain.

With profit margins being squeezed on an annual basis retailers will take the most prudent economic decision. That will mean upgrading their terminals to be EMV-compliant but perhaps not NFC-enabled. It is unlikely that Apple will install Apple Pay-enabled (NFC) terminals any time soon.

Why move to EMV-compliant terminals?

The fraud liability for card transactions shifts from card schemes to non-EMV-compliant stakeholders in October 2015. As part of this revamp of the payments system in the US, merchants are being ‘encouraged’ to upgrade their terminals to accept EMV chip-based cards. The major card schemes of Visa, MasterCard, American Express, Discover, UnionPay, and JCB together form the EMVCo group. It is this group that has mandated the EMV fraud liability switch.

In less than 12 months liability for card fraud will shift to those merchants who are not EMV-compliant, but many organizations are not going to make the deadline. If you lag behind it could end up costing your organization a lot of money. Simultaneously, merchants are contemplating upgrades due to a series of high-profile data breaches across the US. Either way fraud prevention is the catalyst.

The mag-stripe cards in the US have existed since the 1970s – it is time for a change. In Europe, where EMV has operated since 1994, the shift has been a success with fraud at the POS rapidly reducing. EMV is a proven fraud deterrent for card-present transactions.

The US did not embrace EMV when first released because fraud at the POS was not a huge issue back then – this is obviously no longer the case due to the recent Target, Home Depot, Kmart, and many other data breaches. This is why US merchants should now embrace this EMV shift. It will create a more secure payments system thus reducing fraud at the POS. Let’s also not forget that EMV is the underlying technology upon which ApplePay’s NFC payment protocol is based on.

Tell me ‘how’ to be EMV compliant, not ‘why’

The problem – as always – is not in the ‘why’ but the ‘how’. It is almost certain that some US merchants will not meet the October 2015 deadline for EMV compliance.

This should not be the case and this is where Aviso’s EMV Wrapper solution comes in.

Focussed on processors and larger retailers who run their own payment switching systems, the EMV Wrapper achieves EMV migration without wholesale change to a customer’s infrastructure. Crucially, it is cost-effective, quick and simple.

Our EMV Wrapper surrounds the existing payment system and handles the complexity of EMV.

This great product provides EMV compliance without changes to existing applications, significantly reducing our customers’ migration risk. It can sit anywhere in the payment stream to manage EMV compliance for our customers be they merchants, issuers and/or acquirers.

Aviso EMV migration webinar

Whether or not your company is big enough to run your own payments system, arm yourself with the facts about EMV by attending our free webinar and get a step ahead of your competition.

Our webinar will feature David Cole, an independent EMV expert with global experience of EMV migration projects. David will provide an update on the current status of EMV and provide insight on the process and pitfalls of EMV migration. He will also outline the steps involved and review different EMV migration approaches.

This is your opportunity to find out how EMV will affect your world and what shortcuts you can take to achieve migration within the mandated timescales.

This one-hour webinar will be held on Thursday, October 23, at 1pm EST (10am PST).

You can register for the event online and add the event to your calendar.

Contact us

For more information on our products and services contact us at info@aviso.io, or follow us on Twitter and LinkedIn.

Related posts

You can access all of Aviso’s previous blog posts on EMV here.