EMV – Necessary, Insufficient, and our Lasting PR Risk
We are just a month away from the October EMV liability shift and the transition is, to no one’s surprise, mostly incomplete. EMV credit card issuance is expected to be at just 50% by the end of this year. Point of sale hardware upgrades at major retailers may be in place but the long tail of SMB merchants will lag for years.
We expect many of the largest retailers to turn on their EMV hardware by October. But likely not all. EMV is not trivial. And retailer wisdom, gained through long experience, advises against making POS changes when November nears. You don’t want to break your ability to get paid during the year’s busiest shopping season. (I’m going to be doing a lot of test shopping come October.)
The near-perfect EMV perimeter is six years (wild-eyed optimist) to a decade away (grumpy pessimist), leaving us with exposure at non-EMV terminals and, of course, at e-commerce and mobile channels.
The good news is that “we have the technology.” Along with EMV, we also have card number encryption at the POS, security tokens for merchant storage of transaction data, and the new payment tokens promulgated by EMVCo and its card brand owners and first put into production with Apple Pay.
But tools have to be used to be effective and, like EMV, these tools have big gaps in usage, leaving plenty of opportunity for hackers to breach our ever-porous security walls. It’s true that human error often makes those walls easy to scale, but the real goal is to ensure there’s nothing worth stealing when hackers inevitably slip over and around our defenses.
That’s the bright(ish) technical reality, but reputational risk remains. We can’t be surprised when, a year or two into this EMV transition, the inevitable breach takes place and consumer and media reaction is sharp and swift. With EMV as the single security step visible at the cardholder level, disappointment and disillusionment are equally inevitable.
It’s time for us – the payments industry – to turn up the volume on what’s being done beyond EMV so that when breaches happen, the public, or at least those who inform the public, will know the industry has a security roadmap that goes farther than chip-based cards. For mobile payments like Apple Pay and PayPal One Touch, banking, and other fintech services to succeed, consumer confidence is a prerequisite.