|Title:||Global payment card industry by geographic region with percentage of cards and percentage of point-of-sale systems for 2011|
|Source:||NPN-National Petroleum News|
Start of full article - but without data
| Zone | % of cards | % of POS |
|---|---|---|
| Canada, Latin America, & the Caribbean | XX.X% | XX.X% |
| Asia Pacific | XX.X% | XX.X% |
| Europe Zone X | XX.X% | XX.X% |
| Africa & the Middle East | XX.X% | XX.X% |
| Europe Zone X | XX.X% | XX.X% |
| United States | N/A | N/A |
Change is constantly afoot within the electronic payment industry. From regulatory compliance issues to innovative technological advancements, these changes consistently keep retailers on their toes--trying to determine how to future-proof their investments in the equipment, software, and fees required within the PCI arena as the regulations continue to change.
As Oren Betzaleli, head of marketing and products at Retalix, explains, with all the innovation and change within the payments industry today, delivering a comprehensive payments program is a growing challenge--especially as more focus is on identity theft and credit card fraud prevention.
"One specific part of a consumer's identity that is often targeted by thieves is credit card data. It is particularly easy to steal information from a 'magnetic stripe' credit card, which is currently the standard format in the U.S.," says Mike Finley, vice president and chief technology officer with NCR Hosted Solutions. "We would never dream of using a XX-year-old X-track tape player in our cars or iPods, but we are effectively still using technology from that era every time we pull out the plastic to make a payment. What's worse--there's no way to automatically validate a consumer's signature at the point of payment, which means signatures can be useful for archival research, but not for stopping fraud as it happens."
According to Betzaleli, the dynamic world of electronic payments has evolved way beyond the integrated credit and debit transaction requirements of the past. "EBT, gift cards and WIC are now the norm," Betzaleli says. "Integration of signature capture devices, advertising on the pin pad, customized and customer-friendly prompts, and Electronic Check Conversion (ECC) are all becoming essential business drivers, and thus, widely implemented. Standard POS payment engines that simply route transactions to a specific host no longer provide the needed solution."
As Finley explains, PCI arose a decade ago as a way to rein in the massive credit card fraud that had by then begun to take place. "Not content to steal one consumer's data at a time, organized fraudsters with deep technical expertise were extracting historical transaction records from merchants in order to commit credit card fraud on a massive scale," Finley says. "PCI was created to limit or stop that possibility."
As Alicia High, marketing communications manager at Wayne, a GE Energy Business, explains, PCI is all about protecting payment card data and preventing the theft of that data.
On the hardware side (PCI PTS standard, pin pads, key pads) it has been focused on protecting PIN information for debit transactions. On the POS side (PCI PA-DSS) it has been more broadly focused on protecting data for all forms of electronic payment.
"For a retailer it is about risk and liability," High says. "They need to protect the data to protect themselves from being held liable if there is a breach or information is stolen from their locations." In addition to whatever financial penalties or liability there might be, there is the issue of maintaining consumers' trust as well. "No retailer wants to be in the news for having their customer's credit card information stolen," High says. "The PCI standards will not guarantee data security, but they go a long way in helping to improve the situation."
According to Michael Tyler, senior director of marketing at VeriFone, electronic payments continue to increasingly replace cash and checks as the preferred choice of consumers. "That also means that electronic payments are more than ever the target of criminals who seek to exploit the weakest links in the payment environment in order to generate the largest gains for the lowest effort," Tyler says. "So retailers need to be on the alert to a variety of criminal tactics that range from relatively unsophisticated replacement of legitimate card readers with 'bugged' illegitimate readers, to highly sophisticated network hacking efforts."
In recent years, there have been two key dates affecting the PCI industry:
* Beginning in January 2009, all new dispensers sold have included TDES-capable PIN Entry Devices, such as Encrypting Pin Pads (EPP)
* Beginning in July 2010, all installed dispensers accepting PIN-based debit must have a TDES-capable PIN Entry Device, or risk increased liability in the event of a breach.
PCI has also periodically released new PCI PED security standards, and subsequent deadlines in which manufacturers can sell new devices. However, as Marie SkjoldJoergensen, commercialization manager at Gilbarco Veeder-Root, explains, it is key to note that retailers who have already invested in PCI PED devices do not have a "sunset date" on how long that device will remain compliant (as explained on page XX of the PCI PIN Transaction Security (PTS) Device Testing and Approval Program):
There is currently no sunset date for devices that were on the approved list at the time of deployment. Deployed devices that have their approvals expire may continue to be used. The expiration timeframe is associated with new purchases/deployments, not existing deployments.
As High explains, from an AFD perspective, the software components are affected by the PCI PTS standard in that the UPT configuration not only addresses security for the keypad EPP, but also the operation of a secure card reader and the payment terminal software controlling the customer display prompts. "Those aspects are important to ensure proper operation of the terminal in an unattended environment such that consumers aren't spoofed into providing their PIN if the display prompts for it while the keypad is set for clear entry, e.g. for zip code entry," High says. "None of the card associations have mandated UPT configurations yet, but if/when they do, it would be an impact to the retailers."
One of the unique value propositions of Wayne's iX Pay secure payment solution is that it addresses retailers' concerns for compliance with future requirements with cost-effective modular upgrades to software and components to meet higher security standards.
"There is a move towards separating the POS software into components such that the payment related portions can be isolated to make PCI compliance easier and less costly," High adds. "A good example of this is the Wayne Fusion XXXX, which has a separate electronic payment server (EPS) and outdoor payment control. It isolates the POS from PA-DSS related payment card data and enables POS vendors to focus more on value add retail functionality versus data security. A purpose-built device like this simplifies the retailer's PCI-DSS compliance as well."
EMV OVERVIEW AND FUTURE POTENTIAL OF EMV
As Finley explains, Europe took a different approach to credit card fraud from the beginning. EMV (for Europay, Mastercard, Visa, which were the original partners that collaborated on this effort) developed a parallel strategy to PCI.
"A new kind of card, they reasoned, could provide a root solution to the problem of credit card theft. First, by placing a microchip on each card (using a modern technology instead of X-track tapes) they could essentially stop a card from being copied," Finley says. "While a modified old-school tape-recorder could copy a magnetic stripe, the chip-based cards would require a supercomputer to duplicate."
Furthermore, by requiring a PIN number that could be automatically verified, EMV could stop stolen card use in its tracks. If a card can't be stolen and it can't be copied, the resulting "Chip and PIN" (as it is popularly marketed) EMV card would resolve the issue of credit card fraud.
As SkjoldJoergensen explains, personal account information is stored on a chip on the card, which when powered by the reader, transmits the credit card number and a unique CVV or CVN, which is calculated using an algorithm programmed on the chip.
And it's worked. "EMV is quite successful, driving fraud down by XX percent or more and resulting in adoption in Europe as well as Asian economies," Finley says. "The big drawback of EMV is that it requires an update to pretty much every POS device and credit card in the economy. This hurdle has meant that the U.S. market could not justify the move, until now."
While PCI protects the "data at rest," EMV focuses on protecting the usability of the card holder data if captured, thanks to the unique card identifier used on each transaction.
"Retailers need to pay attention because MasterCard, Visa and Discover have announced their intentions to adopt EMV in the U.S.," High says. "They have announced plans to shift liability based on EMV card acceptance by retailers in 2015 and 2017."
Today, EMV is already the global payment standard, with migration occurring on every continent around the world. According to SkjoldJoergensen and based on EMV statistics released in 2011, the migration in many of these regions is already well underway:
"Once the EMV specifications are released in the U.S., equipment manufacturers will be able to include software on their 'EMV-certified' equipment, enabling them to accept EMV transactions," SkjoldJoergensen says.
Visa, MasterCard, and Discover have all made announcements outlining a common EMV migration timeline for the United States:
* October X, 2012: If > XX% of a retailer's payment transactions occur on dual interface EMV-capable terminals (i.e. contact and contactless), the card companies remove the requirement for annual PCI-DSS recertification.
* April X, 2013: Payment processors are required to have the ability to accept chip payments
* POS: October X, 2015: liability shift for any in-store POS fraudulent transactions on non-EMV-compatible terminals
* Forecourt: October X, 2017: liability shift for fraudulent transactions on non-EMV-compatible terminals
In fact, Visa recently instituted the TIP program for the USA. As Finley explains, TIP is Visa's project format for moving a market to the EMV credit card standard.
"They have refined it in country after country, implementing EMV as a means to improve their financial performance by eliminating fraud," Finley says. Under TIP, Visa is requiring U.S. merchants to transition to EMV card standards by 2015.
"There are a lot of details behind this--the banks have to adapt first, for example--but the short version of it is that IF a merchant adopts EMV aggressively, Visa will not require them to undergo annual PCI certifications," Finley says. "PCI remains a requirement because it is a good idea to not store credit card data and it is a good idea to keep your network safe. But, under Visa TIP, merchants who adopt EMV aggressively simply don't have to spend the extra money and energy to get themselves audited every year."
However, if a merchant does not adopt EMV by 2015, the consequence is fairly devastating: liability for fraudulent transactions shifts to the merchant that accepted the transaction.
"In other words, if you accepted a Visa card, which was stolen or copied, you will have to eat the cost of whatever the thieves/forgers stole," Finley says. It's clearly a merchant management strategy by Visa: the short-term carrot is relief from PCI audits; the long-term stick is exposure to fraud losses.
So what's on the horizon for EMV and its importance in the market? "Considering the liability shift dates outlined by the credit card networks to this point, retailers should strongly consider investing in EMV-certified equipment in their go-forward site investments," SkjoldJoergensen says.
According to High, in order to support EMV, most POS systems will need to make several changes.
* The interface to the payment card processor will change. EMV uses different messages and has some different requirements.
* The pinpads will need to change. They will need to support the EMV chip and contactless payment cards. Typically this will require an interface change as well.
* The outdoor payment terminals will need to change to support chip and contactless EMV payments. In Canada this has meant a change to the protocols used by the POS to talk to the payment terminals and we expect this to hold true in the U.S. as well.