An EMV Pioneer Offers Lessons LearnedHow Chip and PIN Transactions Have Reduced Fraud
Recent breaches at retailers, including Target Corp. and Nieman Marcus, have spurred discussions about the migration to chips cards that use the EMV standard.
But Merrill Halpern of the United Nations Federal Credit Union, a pioneer in the use of chip credit cards, says debit portfolio migration will be an ongoing challenge for U.S. banks and credit unions.
Among the challenges that banking institutions face when it comes to debit and EMV is how to pay for the migration.
"Obviously, fees are paid to help run the system, and if fees are going to be reduced, if savings [are] going to be passed on to consumers, it has to come out of somebody's pocket," he says in an interview with Information Security Media Group (transcript below). "It is usually going to be the financial institutions or the card processing associations," Halpern says. "I think to a large extent, the current practice that many very large financial institutions have of negotiating custom deals is going to continue."
In working on moving its debit portfolio to EMV, Halpern says his credit union is facing some challenges related to regulatory oversight and network routing.
During this interview, which also includes Philippe Benitez of EMV technology provider Gemalto, Halpern discusses:
- EMV lessons UNFCU has learned over the last four years;
- How chip and PIN transactions have reduced fraud; and
- How institutions are working to outline plans for EMV rollouts and investments between now and 2015.
Halpern oversees the card services department at UNFCU, a financial cooperative that serves the active and retired staff of the United Nations, U.N. specialized agencies and their families in 212 countries and territories. Halpern has more than 20 years' experience in the global payments industry. Before joining UNFCU in 2005, he worked in the product development and operational areas of Citibank N.A., NYCE Payments Network LLC and MasterCard International.
Benitez is North American vice president of business development for secure transactions for Gemalto. A 15-year veteran of the global telecommunications and payments industries, Benitez leads the company's regional development efforts to increase card revenue for financial institutions through mobile payments, EMV and other value-added services.
TRACY KITTEN: How has UNFCU's EMV migration evolved, expanded and changed in the last four years?
MERRILL HALPERN: The program has evolved very well and we've had a tremendous expansion and demand for EMV cards. I'm very happy to say that during the past four years, when we have been issuing these cards, we have never had any fraud from an EMV transaction. We have only had fraud reported to us on transactions that were made with the mag-stripe, on the same card, and of course those transactions were beginning primarily in the U.S.
KITTEN: What made your position unique, from an EMV rollout perspective?
HALPERN: Obviously, as a U.S. issuer where we had card holders throughout the world, we were keenly aware of the fact that our card holders were hindered in not being able to transact overseas. But along with that, we realized that we were exposed to a tremendous amount of fraud when our cards could be accepted anywhere with a mag-stripe authorization. This played out to the industry's awareness in recent months because the fraud rate has really spiked in the U.S. with so much non-EMV authorized fraud transactions migrating back towards [us]. It all came to a head recently in everybody's eyes with the recent major merchant debacles.
KITTEN: Initially, your decision to migrate to EMV was more about customer convenience than security. Has that perspective changed in recent years?
HALPERN: Of course it is convenience, but again, as any financial institution would have to be, [we are] concerned about profitability and the risk of profitability from losses. We're recognizing that the EMV solution, as I mentioned before, virtually prevents fraud on credit card transactions when the card is present, and that is a very important consideration for any financial institution. When fraud occurs, it not only reflects losses to the institution, it also has a negative impact on the relationship between the card holder or consumer and their financial institution. No consumer wants to feel like they are at risk by using a product that is being provided by whom they think is their trusted financial provider, who has all their security information within their operating systems.
EMV Compliant Debit Cards
KITTEN: Do you currently have any plans to rollout EMV debit cards?
HALPERN: Yes, we do. That is on the calendar for us, and frankly, like all U.S. financial institutions we are at a standstill on that for the moment. There is this regulatory judgment that we're waiting to hear from the courts about routing priorities, and until that is resolved, unfortunately that is going to stand in the way of all U.S. financial institutions from moving ahead with new vetted EMV programs. Frankly, I was a little concerned that the deadline for EMV compliance in fall of 2015 was perhaps going to move a bit because of this, but I believe that most industry players are going to stick pretty toughly with their original timelines for liability shifts [with] the recent Target event. It was a horrible thing that happened, but for the industry it raised everyone's awareness of how exposed the average U.S. consumer is, and financial institutions have to protect that relationship between their customers and the marketplace.
KITTEN: Can you talk a bit about how fraud has been reduced because of your EMV rollout?
HALPERN: It is very simple, we're doing chip and PIN authorizations, and a PIN cannot be compromised. It can be perhaps stolen, but it cannot be compromised; when it is entered securely at an EMV terminal that is authorized against the information on the chips, [they] cannot be copied.
Integrating EMV with Technology
KITTEN: Do you think EMV is a data technology that needs to be integrated with mobile or another type of near-field communication technology, in order to be a viable solution?
PHILIPPE BENITEZ: I think that EMV is definitely a mature technology. It's not a new technology, as we all know, because it has been in use for at least a decade in the rest of the world to secure credit and debit card transactions. Even though it has been around for a while, it is a constantly evolving technology which is being developed and deployed in other form factors. So for example, whereas the original deployments of EMV technology were on contact chip cards, phase two of those deployments are now on dual-interface contactless EMV cards. At the same time, mobile EMV on NFC has been standardized and is being deployed on mobile phones in different parts of the world, including the U.S. When we talk about EMV, we should think of it more as an underlying technology that supports all kinds of payments across many acceptance channels, including contactless EMV cards, credit and debit cards, and mobile EMV on NFC.
HALPERN: I would just add to that, basically EMV is providing the foundation for moving ahead to more secure transactions, no matter what the technology is. As pointed evidence of that, I'll site the fact that the EMV code the world's standards body for the EMV technology in the operating standards has recently announced a move towards tokenization, and this is something that I also heard emphasized by Visa. In time, the encrypted information that is on an EMV chip can be included with other particular information having to do with an individual consumer and their card. That secure token is a means then of migrating other types of non-card payments.
Overhauling the Infrastructure
KITTEN: What could overhauling the entire payments infrastructure mean for EMV and payments compatibility with the rest of the world?
HALPERN: I would say that EMV, as I mentioned before with tokenization, definitely lays the ground work as a migration path to any other new technologies that present themselves along the way. The reason I believe that is because it's here now and works, is flexible and an evolving standard. It gets better over time. From my experience, I found that the regulators are primarily thinking about things from an economic standpoint. I don't think that they necessarily [have] a deep understanding of the constraints of the card-payment system and how transactions are authorized and settled. With a truer knowledge of that, I think it is advent that EMV is definitely not only a means of securing transactions in a better fashion today, but also providing a path towards newer technologies that build upon it.
BENITEZ: I agree entirely with Merrill's point. On top of that, what the regulators refer to when they say that the entire payments infrastructure needs to be upgraded is card-not-present transactions. So E-Commerce and M-Commerce transactions are typically card-not-present, so there is no card present and therefore makes securing those transactions much more complicated. Whereas face-to-face transactions are usually card present, and with an EMV card we've seen how those are infinitely more secure than what has been done with magnetic stripe in the past. With EMV as the underlying foundational technology to enable payments across all of these channels with the use of tokenization or secure elements in mobile EMV forms within an NFC phone, we will see how EMV can be used to perform card present transactions in any one of these channels - whether we're talking about mobile commerce, E-commerce, or face-to-face obviously.
KITTEN: Do either of you see more card issuers accelerating their issuance of EMV-compliant cards in the wake of recent breaches?
HALPERN: I would definitely expect that, for the simple reason that not only is the liability shift coming. But I also believe that financial institutions are recognizing that they have to invest in their customer and their customer's sense of satisfaction and security. I think this is going to become a reoccurring theme. When it all boils down at the end of the day, financial products are essentially similar from one institution to another. A large part of the preference that a consumer is going to have for one institution versus another is going to be how they are treated. It's not just how they are treated on a direct face-to-face or written basis, but also how they and their account is handled, and the safety and security that is applied to the handling of their account. I think as I mentioned before, this is especially going to become a very sensitive issue with debit.
KITTEN: Do you think that challenges on the debit side are issues that banking institutions are considering, or are they just moving ahead?
HALPERN: I think it depends upon the individual institution and the contractual relationships that they have with their payments service providers or networks. Obviously, the fees that are paid helping to run the system, and if fees are going to be reduced, if savings [are] going to be passed on to consumers, it has to come out of somebody's pocket. It is usually going to be the financial institutions or the card processing associations. Frankly, I think that is a subject of negotiation. I don't think it's necessarily going to be decided in the short term, and I think to a large extent, the current practice that many very large financial institutions have of negotiating custom deals is going to continue.
BENITEZ: Challenges on the debit side are more business challenges, because once again the technology itself, the EMV technology supports cards and mobile for credit and debit cards, all form factors and all types of payment methods.
KITTEN: What challenges has UNFCU faced related to EMV?
HALPERN: One of the biggest challenges is the fact that we send cards all over the world. For security reasons we were sending our PIN mailers a short time afterwards, but definitely not at the same time to prevent intervention by a fraudster who is trying to steal both at the same time in the mail. Overall, this was adding to the length of time that it was taking for all pieces of the transactional puzzle to come to the consumer. We started to leverage the global capability of Gemalto because they had global processing sensors that can generate EMV cards. They can get a card to our cardholder that is in some place in Europe or North Africa from a processing center that they have in France a lot faster than they can normally get a card there from North America. That definitely cuts time out of the equation when people [are] waiting for cards. At the same time, it closes the window of time and gives us a little more wiggle room when we have to get PINs out, because we're cutting down the amount of time it takes for the plastic to get there.
KITTEN: What do you see coming down the pike in the U.S. over the course of the next six to 12 months, relative to the payments landscape and EMV rollouts?
HALPERN: I would say that, unfortunately, I think there is going to be more compromises. I think it is going to contribute to consumer hysteria in the U.S., and I think those institutions that are on the road to either doing EMV now or planning on it seriously in the near future, will at least have a means of recovery. I think those that haven't begun to do it yet are going to have a lot of work ahead, and a lot of potentially unhappy consumers. The fact that criminals are becoming increasingly sophisticated to the point where a whiz kid programmer [can work] in an unsupervised environment [and] easily put together a variety of schemes. ... I think this is something that became evident in Target and is very easy for thieves that want to take it into operating systems ... to put this software out there and compromise what consumers believe is being handled [securely]. I anticipate a rough couple of months ahead and I think that we haven't heard the end of the saga of Target. I think that the bad news has been coming out in small doses and that there is more ahead.
BENITEZ: I see the acceleration of the migration as we approach the liability shift dates next year with a higher penetration of mobile EMV on NFC; as more EMV capable contactless point-of-sale terminals are installed at merchants, and as more NFC capable phones become available at the major mobile operators.