Managing EMV compliance - journey continues
EMV standards were introduced by EuroPay, MasterCard and Visa (hence EMV) some years ago, mainly to reduce the risk of fraud in credit cards. Widely known as chip cards, they effectively provide a computer-processing platform with significantly improved card transaction security, even though they have not yet delivered on all the multi-application uses initially expected.
While the US grapples with EMV migration, South Africa's banks and retailers have more or less completed their migration but it is not the end of their journey. EMV compliance and certification is an on-going issue, mostly due to the constant evolution of the technology, but also due to changes institutions make on their platforms.
Without compliance, retailers, banks and the transaction chain may find themselves liable for any fraud committed using an EMV card. However, certifying the systems used for EMV transactions is generally a complex and lengthy process and any core changes in the payment systems would typically require re-certification.
The minute a company changes pertinent parts of its infrastructure (eg changing a POS vendor, or moving from one payments system to another), it must re-certify. This happens infrequently in most big organisations, but it happens.
In addition, certification and compliance are not the end-game - EMV provides a foundation for fighting fraud, allowing issuers to take charge of transactions at point-of-sale. Using these tools to effectively combat fraud requires a deeper understanding of the EMV standard and of the systems within the transaction chain. Many companies do not have the resources to ensure complete control of the value chain.
Taking charge of the re-certification will fall under the responsibilities of an enterprise's compliance officer, who therefore needs to be kept informed of all relevant IT infrastructure changes. Certification can be a lengthy process that may take as long as 9-12 months to complete, although the typical period is around 3 months. Because of the perceived complexity and cost of the process, enterprises often find it preferable to use a consultancy.
Many companies, although members of the payment associations, do not have meaningful relationships with MasterCard or Visa, or they do not know what questions to ask. Consultants can also contribute by facilitating this process for them.
There is a growing interest in EMV migration from banks and smaller institutions across Africa, where the adoption rate of EMV and even rollout of chip cards has been substantially lower than in Southern Africa. There is also interest from numerous other businesses, who are considering the use of EMV cards for a range of products, including loyalty cards and contactless prepaid debit for low-value applications such as mass transit.
However, as EMV certification comes at a high price, it may not always be the only, or even the most suitable solution for securitising transactions. In some cases, new technologies such as interactive transaction authentication tools may be viable replacements.
However EMV remains the current global trend until such time as these replacement technologies come of age.
About the author
Shaun Baker is the technical director and Liam McDermott the operations director at Stanchion.