Article
EMV and the ATM industry: Moving the rock uphill
Migration to EMV is a Sisyphian task; Sisyphus would probably rather just push his boulder up a mountain.
April 24, 2014 by Suzanne Cluckey — Owner, Suzanne Cluckey Communications
In Greek mythology, King Sisyphus was punished by the gods for something or other by being forced to push a gigantic boulder up a hill daily — only to have it roll back down at the end of the day.
Some in the ATM industry who are pushing for EMV migration can relate. While progress is being made, it remains an uphill marathon.
It lightened the load a little that in February, a federal appeals court sided with The Fed, striking down the Leon decision. That ruling more or less placed in limbo any progress made toward a debit routing solution using a shared application identifier.
At this point, it's uncertain whether retailers will ask the Supreme Court to intervene, but since the appeals court ruling, the feeling seems to be that the payments industry has gained the upper hand. In recent weeks, several large processors have announced licensing agreements with Visa and MasterCard that will allow them to begin the arduous process of programming the system to incorporate additional brands.
A routing solution — and a timing problem
One of these networks is Shazam. Terry Dooley is an SVP at Shazam, vice chairman of the Debit Network Alliance, and a member of the EMV forum, a cross-industry group collaborating on EMV implementation.
Dooley said that the EMV Forum is working on a common AID solution that would work even if additional routing choices were mandated at some point. "What we're trying to do within the EMF Forum is to implement it in a matter that it's foolproof — or future-proof, so to speak."
But according to Chris Juetten, retail ATM division head at Nautilus Hyosung, an EMV program is the last thing on the minds of most processors; they're still working on a monumental Windows 7 backlog, which is far more pressing now than MasterCard's October 2016 liability shift.
"[E]ven though Windows 7 is a primarily an FI based migration, for whatever reason, all the processors are very myopic on it right now," he said. "As a result they've pushed back all of their EMV certification plans to get through the certification for Windows 7 … Until we get through that, we're at the complete mercy of the processors on the retail side."
He said that one processor, WorldPay, has issued an insurance plan for ISOs that process through them, but "a lot of them don't even have implementation dates or plans."
Kansas is not exactly 'cross-border'
Even if processors were ready to go, operators still might not be. Juetten said it was "startling" to see that about 45 percent of Nautilus Hyosung finished goods ATMs were still going out the door without EMV card readers. And, he said, the same was true at Genmega and Triton, who were shipping about 60 percent of their machines EMV-ready.
Larger IADs such as Cardtronics and PAI are feeling a greater sense of urgency, he said. "But you look at our wholesale business, moms and pops and ISOs that are buying ATMS, we're not seeing a lot of EMV."
Partly, this is an interchange issue. Locations that do only 100 or so transactions a month simply can't justify the cost of a $95 upgrade kit and installation.
Rob Evans, director of product management at Nautilus Hyosung, said he thought a lot of these operators were willing to bet that their small operations wouldn't attract big-city fraud.
"I think the mindset that prevails right now is that if you're a mom-and-pop ISO in rural Kansas, you probably don't have a whole lot to worry about in terms of cross-border fraud."
From Eastern Europe, it's all cross-border
But it's not just cross-border fraud at issue anymore. Evans described a "heat map" of U.S. card fraud he'd seen in a presentation by Leland Englebardt, MasterCard head for global network products. In July 2012, the map's hot spots were, predictably, in major U.S. cities and tourist locations — the rest of the map was white. By July 2013, there was no white left anywhere on the map.
"And the common thread that we're seeing with all these groups is that they're the Eastern Block criminal organizations that have great familiarity with EMV," Evans said. "They've cut their teeth on it and now they're coming to the U.S. These guys are very sophisticated and savvy and they're moving further and further into the interior in the U.S."
They're not outside Kansas anymore.
The issue for issuers
The growing prevalence of card fraud is giving FIs second thoughts about introducing chip cards into a mag-stripe ecosystem, Dooley said.
"One of the questions that I'm being asked quite a bit by issuers is, 'If I issue this card and there's a security breach, similar to the ones that have happened in the past … will I have to reissue cards if I issue EMV?' And the short answer to that is 'Yes, you will.'"
So, first consider that a chip card costs five to 10 times as much as a mag-stripe card. Then consider that, in the wake of the Target breach, U.S. banks (as of February) issued 17.2 million replacement cards. At 25 cents per, that's $4.3 million. At $1.25, it's $21.5 million; at $2.50, it's $43 million.
Dooley said that the threat of card-present fraud drops significantly when about 80 percent of the ATM and POS terminals in a market have been upgraded to EMV; and until then, issuers will weigh the cost of card replacement against the reliability of their risk management measures.
Still, larger FIs — such as Nautilus Hyosung customer Citibank — are making the changeover to chip cards, Evans said.
"I'd be willing to bet that most of our large clients have gone ahead and bit the bullet and said, 'We'll take the EMV readers.' I would guess once you get downstream, most smaller FIs tend to look to either their processors or network for guidance. And to Chris' point, they've come to be preoccupied and absorbed with other things right now. So there's not an urgent compelling reason to run right out and do it in the next 10 minutes."
'Not a simple thing'
Evans, Dooley and Juetten all thought EMV migration would gain momentum within the next year to 18 months, but no one expected the U.S. ATM industry to meet MasterCard's 2016 deadline, which the company has repeatedly said it has no plans to move.
"I don't think the industry is going to be significantly migrated before the liability shift dates occur," Dooley said. "And the main reason for that is this is just not a simple thing to do."
illustration: andrew allingham
About Suzanne Cluckey
Suzanne’s editorial career has spanned three decades and encompassed all B2B and B2C communications formats. Her award-winning work has appeared in trade and consumer media in the United States and internationally.
Included In This Story
Hyosung Americas
Hyosung Americas is a global human experience maker that bridges the physical and virtual worlds. We do this by harnessing our unique combination of a manufacturer’s soul with an innovator’s mindset to build a platform of integrated products, services, and ideas that improve life’s day-to-day interactions for everyone.
Triton Systems
Triton FI based products • NO Windows 10™ Upgrade • Secured locked down system that is virus/malware resistant • Flexible configurations - Drive-up and Walk-up • Triton's high security standards • NFC, anti-skim card reader, IP camera and level 1 vaults are all options • Triton Connect monitoring • Lower cost
