Chip Card Confusion Could Challenge Chains' POS Plans

Tools

A 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.

Visa recently issued a bulletin with recommendations for implementing chip cards in the U.S. market. Don't ignore this document. You may not know all you think you do about Visa's plans and what you, dear retailer, need to do. Most important, merchants must be sure their POS devices accept both EMV contact chip cards and traditional magnetic stripe cards. Make a mistake, and you might have to buy the stuff all over again.

Unfortunately, one recent experience related by a client indicates that not all acquirers are necessarily getting the right message out to their merchants. In this case, the acquirer representative told the merchant there was no need to upgrade its devices to read chip cards. Instead, the acquirer advised simply upgrading to another single-interface magnetic-stripe-reading terminal that could not read EMV chips.

Hopefully, this was an isolated incident. But it got me thinking. The most important thing for all retailers and merchants to realize is that to qualify for Visa's Technology Innovation Program (TIP), they must authorize at least 75 percent of their transactions on "chip-enabled, dual-interface terminals." That means you need to have the right POS terminals. In Visa's parlance, "dual-interface" means magnetic stripes and contact EMV chips, not just magnetic stripes plus contactless EMV.

Notice there is no requirement that 75 percent of the actual transactions be on chip cards. That means if you upgrade your devices, you should qualify for TIP. Merchants just need to use devices capable of processing the chip transaction, should a customer present a chip card.

Visa's guidance includes some other items of interest to merchants beyond the imperative to upgrade to dual-interface terminals. Merchants will need to send the full chip data to their acquirer. Acquirers need to test that transaction flow using a device validation toolkit (provided by Visa or using the equivalent from a third-party vendor). This testing will take time and will also require test cards with EMV chips, so merchants should plan accordingly. Acquirers need to complete their own (not their merchant) testing by April 2013.

Visa also advises retailers, especially large ones, to prioritize deployment of their new dual-interface terminals. It suggests starting with locations where merchants expect high chip usage (e.g., lots of non-U.S. cardholders, who already have chip cards) or where there is higher than usual counterfeit or fraud transactions. It makes sense to deploy the new devices where they will do the most good from the very start, although these will be the same locations where testing could be most disruptive and any service interruption will be most costly.Chip transactions are processed differently in different parts of the world. For example, in Europe most transactions are offline, relying on the combination of the chip and the cardholder's PIN. In the U.S. all transactions are processed online, positively authorized by the issuer, and then finalized when the cardholder signs a receipt.

Visa sees no change in the U.S. model, so it tells its acquirers to "configure EMV chip terminals to support online options only." It is tough to argue with Visa's logic: What issuer—or merchant—would not want to know if the cardholder had funds available? In situations where a merchant loses communications and cannot be online, the merchant is to batch transactions and submit them to the acquirer once the connection is back online. PIN verification remains optional, with no change to the requirement that if a merchant processes PIN-based transactions, it must use a PIN entry device that is PCI PIN Transaction Security (PCI PTS) compliant.

If there is a downside in Visa's bulletin it is its recommendations to issuers. Specifically, Visa recommends that U.S. chip cards be issued to "support online authorization only" and not to support offline Chip-and-PIN. On a personal note, I understand Visa's justification, i.e., providing issuers with better fraud detection and risk management. However the result is that U.S. cardholders like me still won't be any better off when traveling outside the U.S.

For example, without offline Chip-and-PIN I will have a shiny new chip card, but I'm not sure it will be any more useful than my archaic magstripe card when I try and buy a train ticket in Germany, rent a bicycle in Paris or pay a toll on the Autostrada. (Note: I have the personal experience of failing at each of these, to the chagrin of those waiting—and in the last case, honking their horns—behind me.) Visa reports more positively in its blog on one executive's experience of using a U.S.-issued chip card in London:

"Making purchases was quick and simple. The main difference was that instead of swiping my card, I inserted it in the terminal. Then I simply signed for my purchase, just as I normally would in the U.S."

So I guess this means even my U.S. chip card will continue to require manual procedures on both the merchant's part and my part when I travel outside of my home market.

What do you think? Are you ready for the U.S. move to chip cards? I'd like to hear your thoughts. Either leave a comment or E-mail me.