Beginning this October, retailers who process most of their Visa card transactions from payment terminals capable of handling EMV chip-based cards will be able to avoid having a PCI data-security audit on an annual basis — and eventually pay lower interchange fees as well.
EMV (Europay, MasterCard and Visa) is a global standard for chip cards that has been adopted in Europe and other industrialized countries, but is just beginning to be used in the U.S. EMV cards, which support both PIN and signature forms of verification, are designed to be more secure than the traditional magnetic-stripe cards.
The adoption of EMV cards in the U.S. is likely to result in a drop in interchange transaction fees, which are tied to card security, according to a white paper by Bell ID, a Dutch smart-card system vendor with U.S. offices in Boston.
In an effort to spur adoption of EMV cards and EMV-capable terminals in the U.S., Visa last year launched the Technology Innovation Program (TIP) that will eliminate the requirement that merchants annually validate their compliance with the PCI (payment card industry) DSS (data security standard) for any year in which at least 75% of their Visa transactions originate from dual-interface EMV chip-enabled payment terminals.
To qualify, terminals must be enabled to support EMV (both contact and contactless) chip acceptance, including mobile contactless payments based on NFC technology, along with mag-stripe cards. Retailers would still be required to have an initially PCI audit.
“This is an incentive for merchants to replace their payment terminals in order to save on the cost of PCI [audits],” said Randy Vanderhoof, executive director, Smart Card Alliance, Princeton Junction, N.J., an association promoting the adoption of smart card technology. The new terminals can cost 10% to 30% more than standard ones, according to a recent report in the New York Times.
In January, MasterCard announced a “roadmap” for migration from magnetic stripe to EMV card technology, beginning with an effort to ensure infrastructure readiness at acquiring banks by April 2013.
While EMV technology will improve protection of card data, it won’t do away with PCI security audits entirely, said Vanderhoof, because retailers will still want to secure other consumer data such as name and address.
In 2015, the card associations will begin to shift liability for card fraud to further motivate compliance of EMV-capable terminals, noted Vanderhoof. For example, liability will be assumed by the card-issuing bank if the card used does not have an EMV chip but the merchant’s payment terminal is EMV-capable. Conversely, merchants will be liable if the card does contain a chip but the terminal is not able to process it.
More EMV cards are coming to the U.S. market. “We’re expecting to see more EMV in 2013, with a big ramp-up in 2014 in advance of the liability shift in 2015,” said Vanderhoof. About 1 million EMV cards were issued last year, primarily for international travelers who had difficulty using mag-stripe cards abroad.
At the same time, payment via NFC-enabled mobile phones is beginning to emerge in the U.S. with tests by Google and Isis, a cooperative venture consisting of AT&T, Verizon and T-Mobile. Most new terminals able to process EMV cards can also accommodate NFC mobile payments.