Assessing The Impact of EMV Migration
Ian C. Povey
Received (in revised form): 24th June, 2008
CardsConsult Pty Ltd, PO Box 4069, Croydon Hills Victoria 3136, Australia.
Tel: +61 407 042 885; e-mail: [email protected]
Figure 1 Standard four-party payment model
on the chip are important, it is equally important for an issuer to understand the impacts of risk settings on the payment terminal. A number of suitable test tools are available to simulate transaction outcomes with different terminal and card configurations. The relevant EMV settings on the chip and terminal that should be reviewed include Issuer and Terminal Action Codes (IACs and TACs).

Issuers should pay careful consideration in providing permissions to the chip card to transact offline to the issuer host. The outcome of transactions that are unable to go online from the merchant may be configured to support offline approvals or to indicate that the issuer supports voice authorisations.

Issuers continue to have system development options (Early or Full Data) that can support a faster issuance of cards, with minimal host impacts. While this is an initial benefit, the longer-term impact of an Early Data implementation needs to be addressed if support of card risk management is to be a requirement in a mature market.

Acquirers

While acquirers and their merchants have the greatest technical impact (they must implement a Full Data host environment), they are also affected operationally.

While some markets provide for domestic transaction interchange benefits, many markets see this as a ‘penalty’ model to encourage migration to EMV. With an increasing degree of cross-border card-present fraud, acquirers who move to chip are better positioned to address and mitigate their exposure to chargebacks under the various regional liability shift arrangements.

Acquirers who are part of a single organisation with an issuing business are well placed to deploy new initiatives leveraging chip or alternatively to partner with a suitable issuing partner for rewards, contactless or other related propositions.

Acquirers are the conduit between the retail POS and the payment schemes. It is important that acquirers are actively engaging and supporting major merchant groups, in particular those who own their POS devices. This dialogue is also important in managing timing and resource expectations for testing and certification dependences through to the payment schemes.

Merchants

It is arguable that this stakeholder group has the greatest impact, as they are the frontline of card-present transactions with cardholders. Here, they will either create or receive card acceptance issues, there will be challenges with cardholder communications, and there are significant overheads in retail staff training and conformance.

As in the issuer community, it is critical that merchants understand the impact at the POS of the combined issuer risk and terminal risk settings (IACs and TACs). As the chip card and terminal undertake a number of interactions leading to a decision, these together with other chip-related parameters (floor limits, velocity counters, etc.) can lead to outcomes that require additional processing or unhappy customers. It is recommended that merchants simulate transactions with a variety of different card profiles.

While some merchant communities have succeeded in obtaining significant interchange discounts for compliance to chip and other payment system requirements, this stakeholder group is often cited for not always seeing the benefit of moving to chip alone. Merchant groups such as Tesco have positively supported chip and PIN because of the savings attributable to stationery, transaction times and merchant fee discounts predominantly
delivered by the introduction of PIN and POS in the UK and Ireland. Nick Mourant, Group Treasurer of Tesco, notes a payback in less than 12 months (6).

Cardholders

‘What is in this for me? Aside from the chip on the front of the card, I see no real benefit. In fact, I now have to leave the card in the device and I don’t get the benefit of pre-swiping in the supermarket queue as I have done before. Why am I more protected now? I wasn’t at risk if the transactions were fraudulent before!’

In reality, few customers actually seek answers to these questions. If they see a transaction work, that is often sufficient. Yet the issuer and merchant community should consider these questions and the responses that they will make.

Unknown to the consumer, a magnetic stripe card with online PIN may have been blocked overnight owing to failed PIN entries, but now the chip card is blocked until he/she can get to an ATM, if the card has offline PIN in place.

How does one communicate the difference between online and offline PIN to a cardholder? One does not.

The deployment strategy of issuers can have a major impact on cardholders. Many are not expecting their card in a forced re-issue model, and some issuers may have changed the PIN in parallel with the chip card issuance, further inconveniencing the cardholder.

Best practice remains with keeping customers well informed and, above all, not creating actions that they were not expecting. Success relies on looking after the customer. The customer experience is where the media will focus. The UK witnessed several misinformed journalists going to print — resulting in the industry having to pick up the pieces with confused customers and managing call centre loads.

Consequently, clear and concise customer messages and cooperative industry engagement on common practices for the POS will provide for a smoother transition and one that supports a more rapid adoption of any new procedures by both customers and merchants.

Payment schemes

It is arguable that, without payment schemes, EMV would not exist. Yet, in undertaking an EMV migration, it is very important to remain actively engaged with the payment schemes as an issuer, acquirer and as a major merchant group. Their early support throughout testing and certification will benefit the initiative and provide insight into other market developments.

At the same time, it is important to validate requirements and to engage broadly with the vendor community to ensure that one is delivering what is right for the organisation and that it is not over-engineered.

Some existing market practices may be outside the standard recommendations of the payment schemes. In situations where PIN bypass is available on all transactions or the ability to link cards to multiple bank accounts is supported, some of the risk settings on both card and terminal may need to be altered to avoid negative impacts at the POS. Stakeholders should always be willing to challenge each other in ensuring the best solution is delivered that supports international interoperability, yet can address domestic requirements.

A consideration for offline processing

In a number of markets and for stakeholder groups, the idea of allowing offline decisions between the chip card and the POS device is foreign and certainly concerning. Yet, offline transaction authorisations are a benefit of EMV. The full benefit is not achieved unless all aspects of the transaction that can be undertaken offline are undertaken offline. Three fundamental aspects of a chip card interaction with the payment terminal include

• card authentication method or CAM
• cardholder verification method or CVM
• payment authorisation.

Each of these three aspects of card to terminal interaction could require an online connection. Herein lies a point of challenge for issuers. While EMV positions the issuer as the dominant party in what should happen at the POS, they are still not able to dictate that a transaction should stay offline. The Terminal Risk Parameters set by the merchant acquirer will also come into action. Further, the ability to support an offline CVM requires either signature or an offline PIN stored on the chip card.

Practical offline PIN

There is a lot of market debate about offline PIN and the impact on cardholders who do not have offline PIN on their card when travelling overseas. Much of this emerged from the migration in the UK, where PIN was not used at the POS prior to the migration to chip. The introduction of offline PIN only at UK POS allowed the industry to introduce PIN to its cardholders for POS transactions without the need for investment in the passing of PIN blocks in online authorisation messages.

Offline PIN also receives media attention around security which is dependent on the chip capability selected by the issuer. At issue is the manner in which the PIN is stored on the card chip, ie plain text or encrypted. Fundamentally, offline PIN is a great attribute for EMV, but it comes at a cost to the issuer and the consumer.

If offline PIN is offered, it must always remain synchronised with the host-based online PIN used at automatic teller machines (ATMs) or, potentially, where offline PIN is not available at the POS. If the cardholder is able to change the PIN, this must occur at a secure, card-present device, namely an ATM or in-branch terminal. In both cases, this is a major investment for the issuer, where they have control of either or both of these channels. For mono-line card issuers, it is often more problematic unless there is a market-wide PIN reciprocity agreement in place. This would allow any cardholder to use any nominated device for PIN maintenance. This was delivered in the UK.

The last impact of offline PIN relates to exceeded PIN tries at the POS. Often with online PINs, the card will be blocked for up to 24 hours and, so long as the cardholder is able to recall their PIN, would be available for use from that moment. In the case of offline PIN, once the chip is blocked, external intervention is required using an EMV script and PIN maintenance services at an ATM or branch or the alternative card re-issue.

Offline EMV transactions provide for significant operational and financial benefits; however, they require thorough consideration by an issuer before executing this type of payment authorisation strategy.

RECOGNISING THE IMPACTS: ESTABLISHING MIGRATION

While each market may have a different driver for migrating to EMV, the impacts and benefits to each stakeholder are similar. Payment card fraud is a global issue, and recognising the cross-border nature of this in both card-present and card-not-present transactions is essential.
Figure 2 Simple EEPROM view of a chip (figure labels: ROM, Operating system)
drive the cost of the chip. A smaller EEPROM memory should be the goal. Unless a bank card issuer is seeking to add significant value added services to their card, it is unlikely that there would be a need for anything greater than a four kilobyte memory.

Higher memory chips have been used in banking. In some cases, these have not been driven by any additional functionality for the cardholder, only to accommodate the minimum capabilities of the operating system, such as Java Card, or the minimum security domain to be supported by the issuer or the domestic industry.

While some issuers selected highly specified chips to support adding or deleting services from the chip while in the customer’s hand, the infrastructure to support this often prohibits such a strategy becoming reality outside a very few exceptions in banking.

It is now a choice of operating systems, which fall into two categories — Open (Java Card and MultOS) or Proprietary operating systems from independent card vendors. The choice of operating system at this time is arguably a reasonably moot point for most traditionally conservative bank card issuers. Off-the-shelf solutions generally include pre-loaded applications for Visa or MasterCard payments and often with both in the memory. This allows an issuer to source a single chip that may be embedded into either Visa or MasterCard plastic, further reducing the operational and financial burden for dual card scheme issuers.

Other applications are also available alongside payment, including rewards, data storage or authentication. This equates to a static multiple application product, which provides for a wide choice of chip solutions compared with dynamic multiple application referenced above that could support post-issuance downloads of applications (add/delete).

Security debates surround Static Data Authentication (SDA) versus Dynamic Data Authentication (DDA) capable chips. The distinction is the additional processing capability of a DDA chip owing to the inclusion of a ‘crypto-coprocessor’. While DDA is more secure, it comes at a higher cost and higher memory requirement compared with SDA chips. Both SDA and DDA support multiple applications, but only DDA allows for the dynamic add/delete of applications in a post-issuance environment. The objective of this paper circumvents the ability to provide more detail on this area, other than to inform the reader that this can be a significant area for over-investment.

An issuer is not likely to derive additional benefit by issuing a DDA chip card during their first issuance cycle if the payment terminal rollout remains low. The value of DDA is apparent where a mature chip POS environment exists. The reality during a migration is an initially low volume of chip-on-chip transactions, resulting in the ongoing experience of
magnetic stripe transactions, making the DDA investment expensive at this stage.

To add complexity to the mix, a new Common Payment Application (CPA) has been specified by EMVCo to support dual scheme issuers. This latter offering is in line with a new initiative sponsored by EMVCo called Common Core Definition. The vendor community has responded with a single chip solution with both VSDC and M/Chip as noted earlier, continuing to disintermediate the deployment of CPA-based chip cards at this time.

In concluding with the laptop analogy, the chip can be preloaded with applications to support the requirements for payment or other functions. The best solution is to ensure that these are stored in the ROM area of the chip (Figure 2), again reducing the need for a large EEPROM memory. The standard applications are VSDC for Visa or M/Chip for MasterCard.

Payment terminals

Retailers and acquirers must be able to support most combinations of cards on issue. To this end, the development effort, testing and certification of their solution is a significant exercise. Some hardware solutions are not suitable for compliance to EMV owing to the lack of a chip reader, their slow processing capabilities (less than 32 bit, which is a significant issue when processing DDA-based EMV cards) or lack of memory or security requirements. Where a full hardware upgrade is triggered by EMV, it will significantly affect the business case unless the normal business operations of amortisation and hardware upgrades can be used to disburse this cost.

In either case, the software impact is similar. POS devices sourced from the key industry suppliers will have off-the-shelf solutions for EMV. The challenge comes for multi-lane retail environments and integrated POS solutions. With a focus on speed and the introduction of PIN for Visa and MasterCard transactions, sourcing of new hardware solutions may also need to factor in portability of devices, for example in restaurant environments where patrons will also include tips as part of the transaction.

Incremental cost decisions on POS solutions will include the capability for contactless transactions now or in the future. With a number of plug and play contactless reader solutions available and new fully integrated devices, one strategy is to ensure that the software upgrade for any legacy terminal infrastructure and message formats includes requirements for contactless payments.

In deploying the payment terminal infrastructure for chip, the degree of testing required ahead of payment scheme certification should not be underestimated. Equally, a sound understanding of the TAC settings and their impact on transaction behaviour is critical in identifying where exceptions are likely to be derived and how to respond to them, particularly when the device is unable to go online when requested.

For completeness, the ATM should not be immediately ignored from scope. This channel can be an important part of any PIN management strategy for chip card issuers where they decide to issue offline PIN. Importantly, ATMs do remain a target for counterfeit fraud rings globally, and chip compliance may need to be a consideration. The owners of ATM networks should also consider the revenue opportunity in offering PIN maintenance services in a reciprocal environment rather than using this as an exclusionary tactic to support related card issuing business.

Host systems

This is an area that distinguishes the impacts on the issuers versus the acquirers.
In most regions (there remain some exceptions), both Visa and MasterCard ask that acquirers and merchants who self-acquire implement for full EMV data on their hosts and network links. This is known as Full Data mode or Full Option mode acquiring.

With no real options available to this side of the payments model, it is essential that they are able to align their developments when supporting multiple card schemes. Can a project support upgrades for Visa, MasterCard, American Express, JCB and any dependent domestic debit scheme arrangements in one initiative? Unfortunately, in some markets, such as Australia, there will be a need to revisit development to support future chip rollouts for payment schemes outside Visa and MasterCard.

Acquirers should also consider data storage for future disputed transactions and the need to respond to advice requests from issuers. Acquirers are additionally required to support ‘scripts’ sent from compliant issuers to their cards that may change the risk settings on the chip in a retail terminal. The reporting and customer servicing needs of the business should be given priority, as they will underpin the success of the initiative at deployment.

Issuers, however, continue to have the ability to implement only Partial or Early Data mode on their host systems and, consequently, rely on arrangements with Visa or MasterCard to provide services that convert a chip transaction to almost magnetic stripe-like data formats.

For an issuing organisation keen to have cards issued, the partial option is very attractive. It provides a low-cost speed to market, but with some areas of compromise.

In this model, by arrangement with the appropriate payment scheme, the scheme will see the transaction authorisation targeted for the issuer and will remove the additional chip information and pass through a magnetic stripe-looking request.

The impact of this model at the moment of transaction will be dependent on the chip settings and ensuring that approvals are accepted from the issuer even though expected chip data is not returned to the card.

A further consideration for Early Data issuers is the inability effectively to send ‘scripts’ to the chip during an authorisation to change risk parameter settings or to block the chip.

It is important to note that the card itself is agnostic of the host’s capability. Hence, an issuer could choose to upgrade their host fully for EMV in the future without affecting existing cards on issue.

Third-party solutions are also available for issuers to consider, which in essence leaves an issuer’s legacy magnetic stripe authorisation platforms untouched. This model also alleviates the requirement to engage the schemes to provide on-behalf-of services to remove incremental chip data.

Ultimately, an organisation derives most value in a mature chip environment from full EMV data. While issuers may be able to defer major effort on authorisation and risk systems, the card management system generating embossing files to the card vendor cannot.

It is recommended that the decisions for the scope of host system changes are set against a concise marketing and risk management strategy that identifies areas that would be affected as a result of limiting the upfront investment on EMV.

The deployment

The UK witnessed a ‘big bang’ approach to deployment, with millions of cards and PIN mailers in the post on a monthly
basis. While, on the one hand, it accelerated the maturity of the market for chip-on-chip transactions, it significantly exposed the consumer to card intercept fraud and account takeover.

Operationally, the forced re-issue of a card portfolio can be difficult to coordinate where the card vendor has limited capacity together with the overhead of card expiry levelling to smooth out re-issue bubbles in the future. While there may be financial benefits achievable with a higher chip card volume on issue, the impact on the customer must be foremost. Are they expecting a new card and PIN? Has the company changed their PIN? If yes, will they be able to conveniently change it if they wish to?

The deployment of POS devices and upgrades is limited to the availability of resources to install, train and support the vast array of retailer communities that exist as the end customer. The timing of this deployment may also be affected by vendor challenges where a significant market share is held by one or two suppliers.

It is important during the deployment phase that regular and detailed reporting is generated to identify rapidly any acceptance issues or failures. Look for trends in transactions for faulty devices and significant levels of fallback to magnetic stripe at chip-enabled devices as only some examples.

A recommended strategy prior to and during the deployment is to establish a central reporting/help desk email account (eg SmartLine), which allows customer service staff to report customer issues and feedback to the project team. During these phases, the project team should respond as the subject matter experts and use the data for future testing and training material development.

Driving towards a common market approach for media and communications is strongly recommended to the extent that consumers are able to establish consistency at the transaction moment. Linked to this is the ability to move all market participants to EMV over an agreed, yet relatively short period. Failure to do so will only retain inconsistent POS experiences for cardholders and retail staff and delay the full benefits of EMV.

CONCLUSION

Delivering an EMV migration with positive impacts on customers and retail staff should be an essential pillar of a project’s objectives. Notwithstanding this goal, the migration to EMV will deliver impacts on all stakeholders owing to procedural changes, the vast array of configurations for risk parameters on the chip or device and the constrained scope of the EMV specifications at the point of transaction.

Consequently, it is incumbent on all organisations moving to EMV to be aware of the impacts and to address these through industry collaboration, testing and effective communications. As noted at the start of this paper, EMV is not a standalone technology project; it has the capacity to be a complete change management exercise.

REFERENCES

(1) www.emvco.com
(2) (April 2007) ‘Security A Strategic Advantage for CB’, Expertise CB. The Newsletter of Groupement des Cartes Bancaires CB, p. 3.
(3) ‘The Migration to Chip & PIN’, Visa Canada, Financial Services Technology Forum presentation, 24th October, 2007.
(4) Ibid.
(5) Ibid.
(6) Arnfield, B. (2006) ‘Selling Smart Cards to Canada’s Merchants’, Card Technology, June.
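
One way to produce the fallback reporting recommended in the deployment section, as an added example (not from the paper): it counts magnetic stripe reads only where a chip card met a chip-enabled device, then flags terminals by fallback rate or by a long unbroken run of fallbacks. The record layout, terminal IDs and thresholds are assumptions, and the sample log is constructed.

```python
from collections import defaultdict


def _txns(terminal, chip_enabled, modes, card_has_chip=True):
    """Build constructed log rows: (terminal, terminal_chip_enabled, card_has_chip, entry_mode)."""
    return [(terminal, chip_enabled, card_has_chip, mode) for mode in modes]


# Constructed sample log, in time order per terminal; all IDs are made up.
SAMPLE_LOG = (
    _txns("T-001", True, ["chip"] * 9 + ["magstripe"])              # occasional unreadable chip
    + _txns("T-001", True, ["magstripe"] * 3, card_has_chip=False)  # stripe-only cards
    + _txns("T-002", True, ["chip"] * 4 + ["magstripe"] * 6)        # reader fails mid-shift
    + _txns("T-003", True, ["chip", "magstripe"] * 4)               # intermittent fallback
    + _txns("T-004", False, ["magstripe"] * 10)                     # device not yet upgraded
)


def fallback_report(txns):
    """Per-terminal fallback statistics, counting only chip cards at chip-enabled devices."""
    stats = defaultdict(lambda: {"chip_card_txns": 0, "fallbacks": 0, "run": 0, "longest_run": 0})
    for terminal, chip_enabled, card_has_chip, mode in txns:
        if not (chip_enabled and card_has_chip):
            continue  # a swipe is only fallback where chip-on-chip was possible
        s = stats[terminal]
        s["chip_card_txns"] += 1
        if mode == "magstripe":
            s["fallbacks"] += 1
            s["run"] += 1
            s["longest_run"] = max(s["longest_run"], s["run"])
        else:
            s["run"] = 0
    return {
        t: {"chip_card_txns": s["chip_card_txns"], "fallbacks": s["fallbacks"],
            "longest_run": s["longest_run"], "rate": s["fallbacks"] / s["chip_card_txns"]}
        for t, s in stats.items()
    }


def flag_terminals(txns, min_txns=5, max_rate=0.2, faulty_run=5):
    """Terminals needing follow-up; the three thresholds are illustrative assumptions."""
    flagged = {}
    for terminal, s in fallback_report(txns).items():
        if s["chip_card_txns"] < min_txns:
            continue  # too little volume to judge
        if s["longest_run"] >= faulty_run:
            flagged[terminal] = "suspected faulty chip reader"
        elif s["rate"] > max_rate:
            flagged[terminal] = "high fallback rate"
    return flagged


if __name__ == "__main__":
    report = fallback_report(SAMPLE_LOG)
    for terminal, reason in sorted(flag_terminals(SAMPLE_LOG).items()):
        print(terminal, reason, report[terminal])
```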