EMV, A LOOK AT COMPLIANCE FROM A DIFFERENT PERSPECTIVE
EMV is Coming…Are you developing the best solution for your Institution?
The deadline for the latest in a seemingly endless list of compliance requirements for ATM’s is rapidly approaching. The EMV Liability shift program mandated by MasterCard and VISA begins for the ATM on 1 October 2016. This deadline is for MasterCard and VISA will follow 1 year later on 1 October 2017. The EMV requirement marks the latest in an ongoing trend effecting the ATM since 2000 (Y2K), 2005 (3 DES),2010 (ADA),2013 (WIN7) currently (EMV) soon to follow PCI and WIN10 (Win7 end of Life 1-14-2020). The industry has handled these issues in the same manner, the closer we get to the deadline the increase in fear and panic fueled by manufacturers and solution providers informing FI’s of the urgency to get compliant (or just place orders). The fact of the matter is, yes the best approach is to get your ATM’s EMV compliant but it is not the end of the world. These compliance deadlines have been missed by FI’s large and small for the past 15+ years and it has not marked the end of the world, in fact the initial issue Y2K turned out to be a non-event that never even required the ATM software upgrades.
EMV is about Risk Mitigation
In the case of EMV it must be looked at more as a risk mitigation issue not just a compliance requirement. The EMV mandate is a liability shift which places the liability for any loss due to fraudulent redemption or use of a payment card on the non-complaint party. We cannot blame MasterCard and VISA for issuing this mandate for the losses continue to rise into the $1+ Billion range with the US (the only Non-EMV country) incurring a majority of these losses while MC\VISA foot the bill had to end somehow. If we keep this in mind the 1 October 2016deadline just migrates risk to the FI and the ATM it is not going to end any capability. The deadline for merchants was 1 October 2015 and a large percentage of merchants large and small are still not EMV capable in fact some of the largest FI’s have not even completed issuance of “chip” cards to this date.
The EMV Difference
The migration to EMV has one major difference that any other mandate to date in the fact that effects consumers and the way they use the ATM for every transaction. In the past 10+ years we have migrated the ATM from a full insert type card reader to a simpler dip type device. This does cause a consumer use issue when implementing EMV for the “chip” card has to stay with the device for the entire transaction. We have spent a good amount of time getting consumers accustom to immediately removing their card or immediate presentation, with EMV that all changes.
Facts About EMV
1. Most have not completed the migration– EMV has taken 4-5 years to complete in other countries the US has just started. In the US even with the deadlines for merchants and issuers passing EMV adoption continues to be behind schedule.
2. EMV Upgrades will not prevent Skimming Attacks– “Skimming” is the “acquisition” of card data that is often sold to other criminals to be used redemption activities. EMV will prevent fraudulent “redemption” at the ATM by white carding with most redemption migrating to CNP (Card Not Present) transactions in EMV areas. As long as there is a magnetic stripe on the cards there will be skimming. If ‘skimming” is the issue, then “anti-skimming” technology will be required added to an EMV upgrade.
3. The criminals are not waiting for the liability shift– If you have not experienced a fraudulent “redemption” attack this will likely not change on 1 Oct. Although as EMV adoption becomes more prevalent the risk will increase.
4. Planning will Pay– If you have not completed the required WIN7 upgrade to support EMV or you are looking at new technology (Deposit Automation, Video Banking, etc.). It may be time to look at new technology in place of upgrading the old. A Win7, EMV and Anti skimming upgrade costs almost 75% of a new atm.
Approach to Compliance
If you have not implemented your solution for EMV on your ATM’s don’t fall for the pressure tactics of “you need it now”, “You can pay extra for priority” or “we can squeeze you in for $$$ extra”, take a deep breath and develop a solid long term plan, and do implement it as soon a feasible.
1. Look at your existing fleet of ATM’s -Can they deliver what you need for the next 5 years? Are they getting old and unreliable? In this case every device the FI has is likely different and adding more value to depreciate to an old machine is usually not the best answer.
2. 5 Years is the life expectancy of technology – The trend in compliance requirements and the rapid developments in technology dictates that 5 years is the standard life expectancy and depreciation schedule for the ATM. Any broader schedule will risk investing in an asset that may never be fully depreciated. There are currently FI’s with 10-year-old devices carrying a book value more than the cost of a new machine.
3. Long Terms goals over immediate compliance stop gap measures is usually the best approach to these compliance requirements. Yes, it may be “cheaper” in the short term to make the minimum investment in the latest mandate but this approach is usually not the best long term. Developing a good long term strategy will not only help to gain a good standard investment\budget but keep your transaction delivery technology in line with the changing expectations of consumers. Deposit Automation technology is rapidly migrating from accepted to an expected technology by consumers for example.
4. Find a good Partner– This may be key, find a good partner that can present you with the education and options to make a good long term decision the fits your needs not their sales quota. There are many options to consider from a managed service partner\ownership model to full outsourced transaction delivery.
EMV is just the latest compliance requirement for ATM it is not the end of the world. Take the time to develop a good long term approach and find a good partner to help you along the way.