In this issue:
What's happening with EMV and tokenization?
What's going on with EMV?
The migration to EMV in the U.S. is moving forward. The next milestone date is October
1, 2015 when the national branded card networks will institute a liability shift.
Beginning on that date, the party to a transaction (e.g., card issuer vs. merchant
acquirer; or card issuer vs. ATM owner) that is not EMV compliant will be liable
in the event of a fraudulent transaction. You can learn more about the fundamentals
of EMV at CU24
So where are we?
Your EFT processor must certify with your networks in order to properly process
EMV compliant transactions on your behalf. CU24
has issued specifications to all of the processors in the network and is prepared
to certify processors for EMV readiness. Most of the major card processors have
scheduled certification slots on the CU24
calendar for the first or second quarter in 2015 – well ahead of the liability shift
date. CU24 has advised all processors
that they must be certified by June 30 to ensure credit union readiness for the
liability shift on October 1. Credit unions should check with their processors to
determine where they are on the CU24
(As of this writing, only one processor has requested a waiver of the certification
date, and we are awaiting their proposed dates for certification.)
Just like CU24, the other regional networks
will also be certifying processors during the first and second quarters of the year.
In terms of industry status and card issuance, most EMV issuers are starting with
credit cards only, with plans to issue EMV compliant debit cards sometime in the
future. At a recent industry conference, the three largest bank debit card issuers
discussed the status of their EMV card portfolios, indicating that they are only
beginning to consider debit issuance. Note that when you read or hear about industry
developments regarding EMV card issuance, it largely refers to credit. Debit chip
issuance is only about to begin, and is extremely minimal thus far.
What about the merchants?
Of course with any payment instrument, acceptance is key. So what is happening with
regard to EMV on the merchant side?
The big box merchants are well on their way to rolling out EMV compliant POS terminals;
however, just as with card issuers, the focus has been primarily on handling credit
card transactions. The merchants are continuing their efforts to be able to handle
debit transactions under debit routing regulations. There remain some important
technical challenges such as support for contactless cards and PIN bypass as well.
It is likely that many merchants will begin EMV acceptance with only basic features
instead of expanded functionality to handle some of the more complex payment modes.
Typical industry forecasts are that merchant compliance by the end of 2015 will
be no higher than 50%. Nevertheless, those merchants that make up the highest sales
and transaction volumes are moving toward EMV implementation.
Is CU24 ready for EMV?
Yes. CU24 is moving along with the rest
of the industry to enable network participants to process EMV transactions in accordance
with the national network liability shift deadlines. In addition, CU24
has entered into EMV software licensing agreements with both MasterCard and Visa
to ensure that
CU24 network participants'
debit cards will be handled over the CU24
network, regardless of which national brand your credit union offers.
What about tokenization?
Tokenization is a secure method of transaction processing that utilizes a substitute
number - a "token" - that replaces the PAN when the transaction is processed and
authorized at a merchant terminal. The PAN is not stored at the merchant and, therefore,
if the merchant's POS system is ever compromised, the fraudsters do not have access
to an actual PAN – only a meaningless "token" number that cannot access any account
with value or lead to other identifying information.
In its simplest form, a tokenized transaction follows the traditional route – from
the merchant to the acquirer to the network to the issuer and back. At the last
step, when the acquirer is about to send the approval to the merchant, the acquirer
"tokenizes" the PAN (turns it into a single use, different value using an algorithm).
The merchant completes the transaction, stores the token and destroys the PAN. The
PAN is only stored with the acquirer, so if there is a merchant breach, the PAN
is not accessible.
Why are we hearing so much about tokenization now?
Tokenization is not new. A number of industry merchant processors have been supporting
tokenization of PANs as a defense against breaches for several years. These tokenization
approaches are virtually all based on different specifications and therefore lack
uniformity, hindering the ability to spread across the industry for open use.
There has been much discussion of tokenization recently because it is utilized by
ApplePay – the newly introduced mobile payment service from Apple, and it is the
first application to utilize the new tokenization services supported by MasterCard
What does tokenization have to do with EMV?
Well, they're really not the same thing at all, and are very much separate and distinct.
Tokenization and EMV are often thought of together because they both address transaction
security, but the technologies and approaches are completely distinct. The thing
that they have in common is that the specifications were both developed by EMVCo,
a joint venture of the card companies. The only relationship between the two is
that the same group wrote the specifications for both, and MasterCard and Visa both
chose to adopt them.
It is helpful to understand, however, that the technologies may be used together
to create an even more secure transaction processing environment. For example, EMV
chips create a cryptogram to interact with issuers' systems to secure a transaction
routed from a merchant's EMV compliant terminal – this same process is used under
ApplePay where the token is sent along with a cryptogram.
Will tokenization become a payment standard?
Time will tell. While merchants like the idea of tokenization, and getting out of
the PAN storage business, a number of technical issues must be resolved for tokenization
to become more generally used. Both the merchant and network communities are somewhat
wary of allowing the process to be controlled and governed by MasterCard and Visa,
and there are several industry initiatives underway to encourage the adoption of
a more open approach to development and control of the standards. These issues will
all evolve, just as other issues regarding standards and control across the payments
industry. The spread of tokenization may also be influenced by the rate of adoption
and use of ApplePay as well as expected competitors.
For more information or clarification on these and other payment related issues,
talk to your CU24
Relationship Manager. We'll do our best to get you the most current, non-biased