COVID-19 has had an unparalleled impact on all aspects of life globally, including business and across all industries. Payments is no different. In this Q&A post, Brian Byrne, EMVCo Director of Engagement and Operations, provides insight into how the flexibility of the EMV® Specifications and testing infrastructure are enabling safer and more convenient payments in the midst of the global pandemic, and the importance of industry engagement to this process now and looking ahead.
COVID-19 has had a huge impact on the way we shop and pay in-store. What role are the EMV Specifications playing?
Brian Byrne: Perhaps the most significant trend for face-to-face payments during the pandemic has been the increasing reduction in cash usage. Consumers have shifted from cash to card payments, a method that many retailers prefer during this time. This shift falls in line with guidance from global public health bodies for consumers to use alternatives to cash where possible.
In particular, we are seeing a growing preference for payment methods that limit contact to help remove any physical interaction at the point-of-sale. This includes EMV contactless transactions and QR code-based payments.
At EMVCo, our role is to provide a common and secure foundation for development and deployment of these and other forms of card-based payments. We anticipate the trend towards payments that limit contact to continue beyond COVID-19, and our focus is to evolve the EMV Specifications to support the future requirements of the payments industry.
For example, in response to feedback from our Associates community, we have established a dedicated task force to explore how EMV Specifications can support the use of wireless technology such as Wi-Fi and Wi-Fi direct, Bluetooth Low Energy (BLE) and mobile data. This could enable in-store payments without the payment device (e.g. a smartphone) being in immediate proximity to the payment terminal.
You talk about transactions that limit contact, but what about consumers touching terminals to enter a PIN? Do all EMV Chip transactions require a PIN?
Brian Byrne: No. Although EMV Chip is often associated only with PIN, the specifications support various types of cardholder verification methods (CVMs). These include online and offline PIN, no verification and signature, as well as multiple biometric verification types including fingerprint (via the cardholder’s own device, e.g. mobile phone), iris, voice and facial recognition.
EMV Specifications also support Consumer Device Cardholder Verification Methods (CDCVM), which enable consumers to verify themselves using the authentication capabilities of their own mobile device. For example, the fingerprint reader you use to unlock your phone can also authenticate your payment.
Why do the EMV Specifications support so many CVMs?
Brian Byrne: The simple answer is that every marketplace is different, so the EMV Specifications need to support global, regional and local requirements. In my native Australia, it has been the case for some time that most card-present transactions are contactless with no cardholder verification method (CVM) required.
With COVID-19, we are now seeing this trend reflected across other marketplaces. In the US, there has been a significant uptick in contactless transactions as consumers are understandably cautious about entering their PIN or signing their name. The inherent flexibility of the EMV Specifications supports these changes in consumer behaviour and merchant preference.
There has also been a significant increase in card-not-present (CNP) payments due to COVID-19. Are the EMV Specifications only for face-to-face payments?
Brian Byrne: No. In recent years, the EMV Specifications have evolved beyond EMV chip and now enable industry participants to develop and use secure and convenient payment methods across face-to-face, e-commerce and digital environments.
EMV Specifications for e-commerce and digital payments include EMV 3-D Secure (EMV 3DS), EMV Secure Remote Commerce (EMV SRC) and EMV Payment Tokenisation, all of which are playing an important role in helping consumers and merchants move online quickly and securely in these challenging times.
How can the EMV Specifications support the need for safe and convenient online payments?
Brian Byrne: There has been a significant increase in demand for online commerce, with lockdowns and social distancing regulations changing the way we shop.
The EMV SRC Specifications enable a common consumer e-checkout, described as Click to Pay, and provide the opportunity for all merchants globally, regardless of size, to offer trusted, safe and convenient card-based payments to consumers shopping online. This includes large retailers, but also mom-and-pop stores who are potentially accepting online payments for the first time due to the pandemic.
It is also evident that as e-commerce transaction volumes increase and opportunistic fraudsters target points of weakness, CNP fraud is on the rise. EMV SRC accommodates options for using dynamic data, such as cryptograms or other transaction unique data, to enhance the security of payment transactions on a merchant’s SRC-enabled website, mobile app or other e-commerce platform.
EMV 3DS helps address fraud with technology that enables consumers to authenticate themselves with their card issuer when making CNP purchases. This can help prevent unauthorised transactions while minimising friction. We are committed to evolving the EMV Specifications to meet the requirements of different sectors and industries. For example, we have worked extensively with the travel industry to support their fight against transaction fraud, with the EMV 3DS Travel Industry Message Extension guidelines specifically describing how travel industry merchants can provide additional travel-related data to issuers for use in risk-decisioning.
Finally, EMV Payment Tokenisation enhances the underlying security of digital payments by replacing the primary account number (PAN), information that can be used by criminals to commit fraud, with a unique payment token that is restricted in its usage.
What about testing and certification? Why is it important, and particularly during COVID-19?
Brian Byrne: Ensuring safe, convenient and reliable payments has arguably never been as crucial, and EMVCo testing and certification programmes help to promote this confidence and stability across the industry. For this reason, in response to COVID-19, we moved quickly to ensure that EMVCo accredited laboratories and testing facilities can continue with their evaluation and testing programmes despite lockdown and social distancing restrictions.
Beyond supporting immediate short-term requirements, our various testing and certification programmes initiatives will address evolving payment card acceptance requirements for all industry stakeholders. To name just a few, this includes promoting interoperability for emerging payment form factors like smartphones and wearables, accelerating go-live for new and updated terminals, enabling a good consumer experience when Commercially Available Off the Shelf (COTS) devices like mobile handsets are used as a payment terminal, and promoting security for software-based device payment applications and IoT products.
How is EMVCo engaging with the industry and other technical bodies during this period?
Brian Byrne: EMVCo continues to carry out its work in collaboration with the hundreds of global organisations that represent the payment industry and participate as EMVCo Associates and Subscribers, as well as directly engaging with technical bodies including FIDO Alliance, NFC Forum, GlobalPlatform, PCI Security Standards Council and World Wide Web Consortium (W3C).
And while COVID-19 restrictions have impacted our ability to conduct in-person meetings and events, we have adapted to provide online forums for engagement to ensure we are receiving the industry feedback that is vital to the ongoing development of EMV Specifications.