DES MOINES, Iowa (2/6/14)--More than half (24) of 43 financial institutions surveyed by payments processor The Members Group said they would like to start Europay-MasterCard-Visa (EMV) projects within 12 months.
Eleven of the FIs said they would start EMV projects in 2015, while eight said they were unsure when they would like to begin an EMV conversion.
Notably, responses were gathered between Oct. 25 and Dec. 4--before the Target data security breach. "Overall most of our clients had an EMV plan in place," Brandon Kuehl, TMG product manager and EMV product leader, told
. "What we've seen this year, post-Target breach, is that credit unions want to act faster, and move their plans up, anywhere from one month to four months."
Kuehl said chip and PIN is a more secure transaction environment than chip and signature, but it is quite likely PINs would have been compromised in a situation similar to the Target data in an EMV environment. "The transaction data from the card holder is still in the clear when it goes in the terminal" under EMV, Kuehl said. "So it wouldn't have done anything to prevent the actual credentials from being taken. It just makes harder for the criminal to reproduce the card."
The next step in card security is tokenization, in which card users enter a series of digits other than their card number to make transactions, Kuehl said.
The Credit Union National Association has called on legislators to ensure that consumers know where their information was compromised in the event of a data breach. CUNA has also urged legislators to follow two other basic principles as they consider data security fixes:
- All participants in the payments system should be responsible and be held to comparable levels of data security requirements; and
- Those responsible for the data breach should be responsible for the costs of helping consumers.
In the TMG survey, 27 of the responding FIs said they have a reissuance plan. Of those, 22 said they will send out EMV cards on the natural reissue date. The remaining five issuers reported plans to reissue upon request on a per-cardholder basis.
The majority of both Visa and MasterCard issuers participating in the survey said they plan to issue contact-only, signature-based EMV cards that can only be authorized online.
Six issuers plan to issue dual-interface cards. With this capability, EMV cardholders would be able to take advantage of tap-and-go terminals, which are more prevalent overseas and in some major metropolitan areas of the U.S.
"A dual-interface configuration is considered the Cadillac among EMV cards and will demonstrate a credit union or bank is ahead of the market," said Kuehl. "However, it may require as much as double the budget to issue dual-interface EMV cards as compared to contact-only."
As opposed to PIN-based EMV cards, signature cards are what Kuehl calls a "best practice" for community-financial institution credit card issuers, mainly due to credit card holder familiarity with signature authentication. "Consumers are not used to entering a PIN when swiping their credit cards," he said. "PIN also adds an additional layer of complexity for the issuer. When it comes to EMV issuance, TMG advises clients to start simple and add complexity in the future if necessary. The availability of PIN as an authenticator can always be added at a later date."
None of the survey respondents reported plans to issue EMV cards that authenticate offline. While European EMV cards typically allow for online and offline transactions and authorizations, U.S. cards will benefit from wide connectivity and a healthy telecommunications infrastructure. More terminals in the U.S. will be able to communicate with authenticating parties.
"For issuers without a significant number of international travelers, online-only EMV cards will be sufficient," said Kuehl. "It's also important to understand that offline EMV cards require a significant amount of upkeep."