February, 2015

In this issue:
What's happening with EMV and tokenization?

What's going on with EMV?

The migration to EMV in the U.S. is moving forward. The next milestone date is October 1, 2015 when the national branded card networks will institute a liability shift. Beginning on that date, the party to a transaction (e.g., card issuer vs. merchant acquirer; or card issuer vs. ATM owner) that is not EMV compliant will be liable in the event of a fraudulent transaction. You can learn more about the fundamentals of EMV at here, here and here.

So where are we?

Your EFT processor must certify with your networks in order to properly process EMV compliant transactions on your behalf. CU24 has issued specifications to all of the processors in the network and is prepared to certify processors for EMV readiness. Most of the major card processors have scheduled certification slots on the CU24 calendar for the first or second quarter in 2015 – well ahead of the liability shift date. CU24 has advised all processors that they must be certified by June 30 to ensure credit union readiness for the liability shift on October 1. Credit unions should check with their processors to determine where they are on the CU24 certification schedule.

(As of this writing, only one processor has requested a waiver of the certification date, and we are awaiting their proposed dates for certification.)

Just like CU24, the other regional networks will also be certifying processors during the first and second quarters of the year.

In terms of industry status and card issuance, most EMV issuers are starting with credit cards only, with plans to issue EMV compliant debit cards sometime in the future. At a recent industry conference, the three largest bank debit card issuers discussed the status of their EMV card portfolios, indicating that they are only beginning to consider debit issuance. Note that when you read or hear about industry developments regarding EMV card issuance, it largely refers to credit. Debit chip issuance is only about to begin, and is extremely minimal thus far.

What about the merchants?

Of course with any payment instrument, acceptance is key. So what is happening with regard to EMV on the merchant side?

The big box merchants are well on their way to rolling out EMV compliant POS terminals; however, just as with card issuers, the focus has been primarily on handling credit card transactions. The merchants are continuing their efforts to be able to handle debit transactions under debit routing regulations. There remain some important technical challenges such as support for contactless cards and PIN bypass as well. It is likely that many merchants will begin EMV acceptance with only basic features instead of expanded functionality to handle some of the more complex payment modes. Typical industry forecasts are that merchant compliance by the end of 2015 will be no higher than 50%. Nevertheless, those merchants that make up the highest sales and transaction volumes are moving toward EMV implementation.

Is CU24 ready for EMV?

Yes. CU24 is moving along with the rest of the industry to enable network participants to process EMV transactions in accordance with the national network liability shift deadlines. In addition, CU24 has entered into EMV software licensing agreements with both MasterCard and Visa to ensure that CU24 network participants' debit cards will be handled over the CU24 network, regardless of which national brand your credit union offers.

What about tokenization?

Tokenization is a secure method of transaction processing that utilizes a substitute number - a "token" - that replaces the PAN when the transaction is processed and authorized at a merchant terminal. The PAN is not stored at the merchant and, therefore, if the merchant's POS system is ever compromised, the fraudsters do not have access to an actual PAN – only a meaningless "token" number that cannot access any account with value or lead to other identifying information.

In its simplest form, a tokenized transaction follows the traditional route – from the merchant to the acquirer to the network to the issuer and back. At the last step, when the acquirer is about to send the approval to the merchant, the acquirer "tokenizes" the PAN (turns it into a single use, different value using an algorithm). The merchant completes the transaction, stores the token and destroys the PAN. The PAN is only stored with the acquirer, so if there is a merchant breach, the PAN is not accessible.

Why are we hearing so much about tokenization now?

Tokenization is not new. A number of industry merchant processors have been supporting tokenization of PANs as a defense against breaches for several years. These tokenization approaches are virtually all based on different specifications and therefore lack uniformity, hindering the ability to spread across the industry for open use.

There has been much discussion of tokenization recently because it is utilized by ApplePay – the newly introduced mobile payment service from Apple, and it is the first application to utilize the new tokenization services supported by MasterCard and Visa.

What does tokenization have to do with EMV?

Well, they're really not the same thing at all, and are very much separate and distinct.

Tokenization and EMV are often thought of together because they both address transaction security, but the technologies and approaches are completely distinct. The thing that they have in common is that the specifications were both developed by EMVCo, a joint venture of the card companies. The only relationship between the two is that the same group wrote the specifications for both, and MasterCard and Visa both chose to adopt them.

It is helpful to understand, however, that the technologies may be used together to create an even more secure transaction processing environment. For example, EMV chips create a cryptogram to interact with issuers' systems to secure a transaction routed from a merchant's EMV compliant terminal – this same process is used under ApplePay where the token is sent along with a cryptogram.

Will tokenization become a payment standard?

Time will tell. While merchants like the idea of tokenization, and getting out of the PAN storage business, a number of technical issues must be resolved for tokenization to become more generally used. Both the merchant and network communities are somewhat wary of allowing the process to be controlled and governed by MasterCard and Visa, and there are several industry initiatives underway to encourage the adoption of a more open approach to development and control of the standards. These issues will all evolve, just as other issues regarding standards and control across the payments industry. The spread of tokenization may also be influenced by the rate of adoption and use of ApplePay as well as expected competitors.

For more information or clarification on these and other payment related issues, talk to your CU24 Relationship Manager. We'll do our best to get you the most current, non-biased information available.