By J.D. Oder II, CTO and senior vice president of R&D, Shift4 Corporation
October 1, 2015: This date has been burned into the consciousness of the U.S. payments industry. This is the date that signals the liability shift for EMV adoption. It would seem on the surface to be a straightforward concept: migrate to EMV cards or possibly be held liable for fraudulent activity. What makes it complicated is the complexity of the market itself, comprised of merchants, processors and payment terminal manufacturers, independent software vendors, merchant banks, credit and debit card issuers and more.
The shift to EMV is not a particularly smooth one. Although U.S. merchants and issuers have already begun adopting EMV, there are frequent reports that a large number of U.S. merchants are not ready. Industry trade groups are contesting different aspects of the U.S. EMV liability shift, processors need more staff to complete certifications and, as it turns out, EMV won’t solve all of today’s security problems, namely the data breaches that retailers and others have been plagued with in recent years.
Misleading Information About EMV
The marketing of EMV has capitalized on the Target and Home Depot breaches to spur the migration, but that tactic has only added to the confusion surrounding the transition. And, as the EMV liability shift date gets closer — which at this time is not a mandate — the various parties pressuring merchants to immediately adopt EMV are creating a misplaced sense of panic, leading merchants to adopt the quickest EMV solution possible, not necessarily the best solution for their businesses.
As an example, EMV proponents are in some cases recommending the deployment of EMV solutions that don’t incorporate point-to-point encryption (P2PE) or tokenization. These technologies help prevent breaches and simplify PCI compliance. Further, they can help prevent sensitive payment card data from being stolen in the first place, which is the primary source of counterfeit cards. Additionally, the implementation of systems that can’t employ EMV with P2PE and tokenization may in fact put merchants in harm’s way, as it may expose their networks and other POS infrastructures to card data and change their PCI DSS landscape.
It’s gotten to the point that some merchants have been pressured to transition from an integrated payment solution to a standalone solution, simply because an organization they work with has certified for EMV with a standalone payment terminal, but not an integrated payment terminal. This move may get them ready for EMV by the liability shift, but is sacrificing key integrated payment functionalities that save them significant time and money worth it?
Merchants need to step back, take a breath, and consider the benefits compared with the cost. How could an EMV implementation that further exposes their environment to breaches be considered a move forward? Why would they even consider sacrificing the key time- and money-saving accounting and security functionalities of an integrated payment solution that contribute to the success of their business operations? The possibility of moving to an implementation of EMV that does not strategically support an organization’s business operations is especially concerning when all merchants get in return is protection from a very specific segment of fraud, counterfeit fraud, which they may not be liable for anyway.
This brings up a critical fact that is often overlooked or just misunderstood: a merchant’s current contract with their acquiring bank or merchant services provider (MSP) may not even take EMV into account. It is entirely possible that counterfeit fraud was traditionally considered “zero liability” (which is liability that was just part of the issuer doing business) and that a merchant’s agreements do not reflect or even anticipate a shift in counterfeit fraud liability. This means that, based on a merchant’s current contracts, it may not even be possible for the merchant to shoulder the responsibility for that fraud – unless that merchant signs a new contract waiving their protection from it. This is one very important reason why merchants need to be wary of any proposals that require them to re-sign a contract or get into a new contract with their MSP related to updates for EMV; any new or updated contract may also be asking the merchant to sign up for more liability than their current contract allows.
Who Stands to Lose the Most?
Of all those involved in the EMV liability shift, there are three groups that stand to bear the lion’s share of the burden: merchants, small card issuers and small merchant banks. Merchants must invest in EMV-compliant terminals and system solutions at a substantial cost. Small issuers and co-issuers are also burdened with the costly retooling of the cards they issue. EMV cards are much more expensive to produce than traditional magnetic stripe cards. And, if they issue contactless EMV cards, these can cost up to two times more than a typical EMV card. Finally, small merchant banks, independent sales organizations (ISOs) and agents have very little control or say over the makeup of the payments industry and stand to lose the most by this liability shift if they cannot influence change or get their merchant customers prepared for EMV.
Three EMV Implementation Strategies
It’s taken a long time for EMV to reach the U.S. This technology was created more than 20 years ago and doesn’t account for the proficiency with which hackers, some of whom are now working in large groups and are backed by nation-states, are compromising payment systems today. This means that a well-constructed EMV solution requires the use of layered security to protect sensitive cardholder data. Here are three crucial elements to implement during your EMV migration:
- EMV: Even though some in the industry have used questionable tactics to promote EMV, that doesn’t mean that EMV lacks merit for authenticating card-present transactions. Implement EMV in a strategic fashion with the layered security you need.
- P2PE: It is important to encrypt all transactional material—regardless of payment type—from the time it is keyed, swiped, inserted or tapped. Merchants should use a device that encrypts at the point a payment terminal interacts with a card so that no transactional information is ever in the clear and at risk of being stolen by hackers. This shrinks the merchant’s cardholder data environment to the secure device level, reducing much of the PCI DSS burden—a burden that remains with EMV. Again, EMV would not have stopped the breaches at Target or Home Depot, nor will it alone prevent future breaches.
- Tokenization: Removing all card data from the merchant environment is critical. It places the burden of storing that sensitive data on a vigilant and reliable organization that considers the security of their merchant customers’ transactions its primary job. To do this, merchants must implement a security- or storage-based tokenization solution, which protects the merchant’s environment by replacing sensitive cardholder data with non-decryptable information that is meaningless to hackers. This differs from emerging “payment token” solutions, such as those offered by mobile wallets, by providing security for merchant systems, not just individual consumers.
EMV alone is not a complete payment security solution, but it does have its place in a well-rounded security plan. Because marketing tactics have been misleading at times, it’s critical that merchants get clarity about what the October liability shift date means for them and which solution will work best for them. EMV on its own cannot stop data breaches, so a comprehensive approach will include P2PE and tokenization to remove sensitive payment card data from the merchant environment and render that data useless to hackers.
About the Author: J.D. Oder II serves as Shift4’s Senior Vice President of Research and Development and Chief Technology Officer. J.D. is a Certified Network Engineer with more than 15 years of experience. He leads Shift4’s systems operations and development efforts as well as the security and compliance teams. J.D. is the architect of the DOLLARS ON THE NET® payment gateway solution. He was also an early adopter/member of the PCI Security Standards Council.
UK seeks G7 consensus on digital competition after Facebook blackout
LONDON (Reuters) – Britain is seeking to build a consensus among G7 nations on how to stop large technology companies exploiting their dominance, warning that there can be no repeat of Facebook’s one-week media blackout in Australia.
Facebook’s row with the Australian government over payment for local news, although now resolved, has increased international focus on the power wielded by tech corporations.
“We will hold these companies to account and bridge the gap between what they say they do and what happens in practice,” Britain’s digital minister Oliver Dowden said on Friday.
“We will prevent these firms from exploiting their dominance to the detriment of people and the businesses that rely on them.”
Dowden said recent events had strengthened his view that digital markets did not currently function properly.
He spoke after a meeting with Facebook’s Vice-President for Global Affairs, Nick Clegg, a former British deputy prime minister.
“I put these concerns to Facebook and set out our interest in levelling the playing field to enable proper commercial relationships to be formed. We must avoid such nuclear options being taken again,” Dowden said in a statement.
Facebook said in a statement that the call had been constructive, and that it had already struck commercial deals with most major publishers in Britain.
“Nick strongly agreed with the Secretary of State’s (Dowden’s) assertion that the government’s general preference is for companies to enter freely into proper commercial relationships with each other,” a Facebook spokesman said.
Britain will host a meeting of G7 leaders in June.
It is seeking to build consensus there for coordinated action toward “promoting competitive, innovative digital markets while protecting the free speech and journalism that underpin our democracy and precious liberties,” Dowden said.
The G7 comprises the United States, Japan, Britain, Germany, France, Italy and Canada, but Australia has also been invited.
Britain is working on a new competition regime aimed at giving consumers more control over their data, and introducing legislation that could regulate social media platforms to prevent the spread of illegal or extremist content and bullying.
(Reporting by William James; Editing by Gareth Jones and John Stonestreet)
Britain to offer fast-track visas to bolster fintechs after Brexit
By Huw Jones
LONDON (Reuters) – Britain said on Friday it would offer a fast-track visa scheme for jobs at high-growth companies after a government-backed review warned that financial technology firms will struggle with Brexit and tougher competition for global talent.
Finance minister Rishi Sunak said that now Britain has left the European Union, it wants to make sure its immigration system helps businesses attract the best hires.
“This new fast-track scale-up stream will make it easier for fintech firms to recruit innovators and job creators, who will help them grow,” Sunak said in a statement.
Over 40% of fintech staff in Britain come from overseas, and the new visa scheme, open to migrants with job offers at high-growth firms that are scaling up, will start in March 2022.
Brexit cut fintechs’ access to the EU single market and made it far harder to employ staff from the bloc, leaving Britain less attractive for the industry.
The review published on Friday and headed by Ron Kalifa, former CEO of payments fintech Worldpay, set out a “strategy and delivery model” that also includes a new 1 billion pound ($1.39 billion) start-up fund.
“It’s about underpinning financial services and our place in the world, and bringing innovation into mainstream banking,” Kalifa told Reuters.
Britain has a 10% share of the global fintech market, generating 11 billion pounds ($15.6 billion) in revenue.
The review said Brexit, heavy investment in fintech by Australia, Canada and Singapore, and the need to be nimbler as COVID-19 accelerates digitalisation of finance, all mean the sector’s future in Britain is not assured.
It also recommends more flexible listing rules for fintechs to catch up with New York.
“We recognise the need to make the UK a more attractive location for IPOs,” said Britain’s financial services minister John Glen, adding that a separate review on listings rules would be published shortly.
“Those findings, along with Ron’s report today, should provide an excellent evidence base for further reform.”
Britain pioneered “sandboxes” to allow fintechs to test products on real consumers under supervision, and the review says regulators should move to the next stage and set up “scale-boxes” to help fintechs navigate red tape to grow.
“It’s a question of knowing who to call when there’s a problem,” said Kay Swinburne, vice chair of financial services at consultants KPMG and a contributor to the review.
A UK fintech wanting to serve EU clients would have to open a hub in the bloc, an expensive undertaking for a start-up.
“Leaving the EU and access to the single market going away is a big deal, so the UK has to do something significant to make fintechs stay here,” Swinburne said.
The review seeks to join the dots on fintech policy across government departments and regulators, and marshal private sector efforts under a new Centre for Finance, Innovation and Technology (CFIT).
“There is no framework but bits of individual policies, and nowhere does it come together,” said Rachel Kent, a lawyer at Hogan Lovells and contributor to the review.
($1 = 0.7064 pounds)
(Reporting by Huw Jones; editing by Jane Merriman and John Stonestreet)
G20 to show united front on support for global economic recovery, cash for IMF
By Michael Nienaber and Andrea Shalal
BERLIN/WASHINGTON/ROME (Reuters) – The world’s financial leaders are expected on Friday to agree to continue supportive measures for the global economy and look to boost the International Monetary Fund’s resources so it can help poorer countries fight off the effects of the pandemic.
Finance ministers and central bank governors of the world’s top 20 economies, called the G20, held a video-conference on Friday. The global response to the economic havoc wreaked by the coronavirus was at top of the agenda.
In the first comments by a participating policymaker, the European Union’s economics commissioner Paolo Gentiloni said the meeting had been “good”, with consensus on the need for a common effort on global COVID vaccinations.
“Avoid premature withdrawal of supportive fiscal policy” and “progress towards agreement on digital and minimal taxation” he said in a Tweet, signalling other areas of apparent accord.
A news conference by Italy, which holds the annual G20 presidency, is scheduled for 17.15 (1615 GMT).
The meeting comes as the United States is readying $1.9 trillion in fiscal stimulus and the European Union has already put together more than 3 trillion euros ($3.63 trillion) to keep its economies going despite COVID-19 lockdowns.
But despite the large sums, problems with the global rollout of vaccines and the emergence of new variants of the coronavirus mean the future of the recovery remains uncertain.
German Finance Minister Olaf Scholz warned earlier on Friday that recovery was taking longer than expected and it was too early to roll back support.
“Contrary to what had been hoped for, we cannot speak of a full recovery yet. For us in the G20 talks, the central task remains to lead our countries through the severe crisis,” Scholz told reporters ahead of the virtual meeting.
“We must not scale back the support programmes too early and too quickly. That’s what I’m also going to campaign for among my G20 colleagues today,” he said.
Hopes for constructive discussions at the meeting are high among G20 countries because it is the first since Joe Biden, who vowed to rebuild cooperation in international bodies, became U.S. president.
While the IMF sees the U.S. economy returning to pre-crisis levels at the end of this year, it may take Europe until the middle of 2022 to reach that point.
The recovery is fragile elsewhere too – factory activity in China grew at the slowest pace in five months in January, hit by a wave of domestic coronavirus infections, and in Japan fourth quarter growth slowed from the previous quarter with new lockdowns clouding the outlook.
“The initially hoped-for V-shaped recovery is now increasingly looking rather more like a long U-shaped recovery. That is why the stabilization measures in almost all G20 states have to be maintained in order to continue supporting the economy,” a G20 official said.
But while the richest economies can afford to stimulate an economic recovery by borrowing more on the market, poorer ones would benefit from being able to tap credit lines from the IMF — the global lender of last resort.
To give itself more firepower, the Fund proposed last year to increase its war chest by $500 billion in the IMF’s own currency called the Special Drawing Rights (SDR), but the idea was blocked by then U.S. President Donald Trump.
Scholz said the change of administration in Washington on Jan. 20 improved the prospects for more IMF resources. He pointed to a letter sent by U.S. Treasury Secretary Janet Yellen to G20 colleagues on Thursday, which he described as a positive sign also for efforts to reform global tax rules.
Civil society groups, religious leaders and some Democratic lawmakers in the U.S. Congress have called for a much larger allocation of IMF resources, of $3 trillion, but sources familiar with the matter said they viewed such a large move as unlikely for now.
The G20 may also agree to extend a suspension of debt servicing for poorest countries by another six months.
($1 = 0.8254 euros)
(Reporting by Michael Nienaber in Berlin, Jan Strupczewski in Brussels and Gavin Jones in Rome; Andrea Shalal and David Lawder in Washington; Editing by Daniel Wallis, Susan Fenton and Crispian Balmer)