EMV Migration in the US, Not an Easy Task, yet a Mandatory Step for Merchants and Service Providers
The United States continues its shift away from the traditional mag stripe toward EMV standard-based transactions using chip and PIN, although not as fast as expected. While large merchants like Walmart and Target have completed their migration, many other merchants have only just started to put this item on their priority list. Many American cardholders carry EMV-enabled cards provided by their issuer banks, yet the question often comes up of why the EMV chips in these cards cannot be used at some merchants. People no longer feel safe carrying out a payment transaction by swiping the mag stripe of the card and then signing. Even worse, some merchants take the card from the cardholder and swipe it in a payment terminal, sometimes a PC, which is open to malware and fraudulent transactions. It is well known that the mag stripe on the back of the card is not difficult to copy. While customer expectation remains a driving factor pushing merchants to take action on EMV support, another significant factor is financial risk. Merchants without an EMV-enabled payment device take on all the liability risk of fraud cases, which might result in significant financial loss for them.
Being EMV ready has been a priority agenda item not only for merchants but also for other service providers like gas stations, self-service vendors and transit operators. In today’s fast-developing environment, use cases for EMV cards have increased tremendously. In London, riders just tap their EMV contactless card on the fare box to enter the metro station; no paper ticket, no private label card. Bike sharing systems are on the rise in North American cities. EMV brings a significant security advantage and convenience for these types of use cases. You can simply tap your EMV card on the payment reader in the Station Kiosk to get a bike to ride.
Although these use cases are compelling and convenient from the customer’s perspective, there are a number of challenges in implementing such a system from the perspective of the merchant, service provider or supplier. If not properly handled, this process might result in a disaster costing lots of time and money.
Let’s look at the bike sharing scenario more closely to get a better understanding of the potential impacts of a typical EMV migration process.
Main steps for EMV Migration for Service Providers
A transaction initiated at the bike rental Station Kiosk passes through several hops before getting authorization from the issuer bank. Every hop requires an integration and certification process. The transaction is first processed in the payment device in the Station Kiosk and is then routed to the payment gateway. The payment gateway handles certain processes and then routes it to the processor or acquirer. The processor handles its own part and then routes the transaction to the acquirer bank. The transaction then goes to the payment schemes and finally to the issuer bank for authorization.
For a smooth EMV migration process for a bike sharing system, there are 4 main steps which need to be implemented.
1. Migration of EMV payment device
In the bike sharing scenario, the first step is to enable EMV in the software and/or card reader in the Station Kiosk. There are two options to achieve this. The first option is to talk to the Payment Device vendor about replacing all readers in the Kiosk with EMV-enabled ones. The second option is to buy EMV Level 2 kernel software and port it to your Station Kiosk terminals; this needs to go through the type approval process from EMV or card schemes like MasterCard and Visa. EMV Level 2 (“L2”) Kernel software is a firmware application in the payment device that securely carries out the EMV transaction flow. There are software vendors in the market who provide EMV L2 kernel software and associated testing and certification services.
On top of the EMV L2 Kernel Library, there is another application (the Level 3 Payment App) which handles communication with the Payment Gateway and the Terminal Backend system. The L3 payment application is expected to be the first handler of a transaction: it recognizes the type of the card, i.e. EMV or closed loop, and routes the transaction to the relevant module for further processing. If the card is an EMV card, the L3 payment application hands control to the EMV Level 2 Kernel application to perform an EMV transaction. The L3 payment application and the L2 Kernel need to be integrated and well designed to handle every type of transaction properly.
2. Integration to Acquirers/Processors
The second step is the integration to acquirers and processors. The main challenge at this point is that there are numerous acquirers and processors worldwide and every integration requires a certain amount of effort. In the United States, there are at least five major processors to connect to in order to reach the majority of acquirers. If you want to offer the same bike sharing service in other markets, you have to integrate to processors and acquirers in every market.
If you want to go with a few processors in one market, the process is considerably easier; however, if you want to go global, the processor and acquirer integration and certification process becomes a major challenge. To handle this process smoothly, it would be a good idea to use “Payment Gateway” service providers, who are already integrated to processors/acquirers.
3. Integration to Service Provider Backend
The bike sharing backend system manages the bike sharing business logic, decides the final transaction amount based on the profile of the customer, manages invoices, performs refunds and tracks the payment process. Transaction business logic, such as the pre-authorization amount and split or refund transactions at the end of the day, is managed in the backend. The payment gateway needs to be integrated to this backend system in order to perform a payment transaction, obtain certain transaction data and then report the transaction result back.
The following diagram shows the basic modules of the system; the orange boxes are the additional modules for an EMV-enabled solution.
There are two main certification categories in the EMV enablement process.
4.1 Payment Device Certification
This is the certification for the payment device to securely process an EMV transaction. This certification is done only once for all terminals that you have. There are two options to achieve this task. The first option is to ask your payment device vendor to replace the existing payment devices in the Station Kiosk with EMV certified ones. The second option is to buy EMV Level 2 Kernel software from a vendor. Your decision may change depending on the cost and timeline. If you have a large number of devices in the field, it may be costly to change all payment devices, so it might be more advantageous to buy an EMV Level 2 Kernel library instead. However, EMV Level 2 Kernel certification might be a time-consuming process, and you need to ensure that the software vendor gives you assurance of completing the process in a timely manner.
4.2 Processor/Acquirer Certification
This is the certification process that should be done for every acquirer/processor integration. Payment schemes define how to carry out the process and provide a number of tests for EMV cards. Every card is tested against pre-defined scenarios to check whether the EMV transaction meets the expected test passing criteria. The test scenarios also check whether the online EMV data passes correctly along the path from terminal to gateway to processor and to acquirer.
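The last check above, that online EMV data arrives intact at every hop, can be rehearsed before formal certification. The Python sketch below is an added example, not code from the original article or from any vendor: it parses the chip data captured at each hop and reports tags that went missing or changed. The hop names and hex messages are constructed, and it assumes each hop's chip data is available as flat BER-TLV.

```python
# Added example with constructed hop names and messages. REQUIRED lists tags the issuer needs
# for the online cryptogram: cryptogram, ATC, unpredictable number, TVR, amount, currency.
REQUIRED = ("9F26", "9F36", "9F37", "95", "9F02", "5F2A")

def parse_tlv(data: bytes) -> dict:
    """Parse flat BER-TLV (the encoding of EMV chip data) into {tag_hex: value}."""
    out, i = {}, 0
    try:
        while i < len(data):
            start = i
            if data[i] & 0x1F == 0x1F:    # low five bits set: tag has more bytes
                i += 1
                while data[i] & 0x80:     # high bit set: another tag byte follows
                    i += 1
            i += 1
            tag = data[start:i].hex().upper()
            length = data[i]
            i += 1
            if length & 0x80:             # long form: low 7 bits count length bytes
                n = length & 0x7F
                length = int.from_bytes(data[i:i + n], "big")
                i += n
            if i + length > len(data):
                raise IndexError("value runs past end of data")
            out[tag] = data[i:i + length]
            i += length
    except IndexError:
        raise ValueError(f"truncated TLV near offset {i}") from None
    return out

def check_hops(hops):
    """Compare chip data seen at each hop with what the terminal (first hop) sent."""
    sent = parse_tlv(bytes.fromhex(hops[0][1]))
    findings = [(hops[0][0], t, "missing") for t in REQUIRED if t not in sent]
    for name, hexmsg in hops[1:]:
        seen = parse_tlv(bytes.fromhex(hexmsg))
        for tag in (t for t in REQUIRED if t in sent):
            if tag not in seen:
                findings.append((name, tag, "missing"))
            elif seen[tag] != sent[tag]:
                findings.append((name, tag, "altered"))
    return findings

TERMINAL = ("9F26081122334455667788" "9F3602001C" "9F3704A1B2C3D4"
            "95050000008000" "9F0206000000000250" "5F2A020840")
GATEWAY = "5F2A020840" + TERMINAL[:-10]     # currency tag moved first, values unchanged
PROCESSOR = ("9F26081122334455667788" "9F3602001C"          # 9F37 dropped
             "95050000008000" "9F0206000000025000" "5F2A020840")  # amount re-padded
HOPS = [("terminal", TERMINAL), ("gateway", GATEWAY), ("processor", PROCESSOR)]
print(check_hops(HOPS))
```

Reordering tags between hops is harmless and is not reported; a dropped or rewritten value is, because the issuer recomputes the cryptogram over the values the terminal used.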
EMV enablement is a mandatory task for merchants and service providers, yet it is not easy. It is important to have good motivation and ambition in your team to achieve such a strategic task. There are a number of options to choose from depending on your strategy, business case, budget and time plan. The main success factors include proper planning, sufficient resource allocation, risk management and the right vendor selection to help you throughout the process.