ATMIA launches US EMV migration committee
Last month I participated via conference call in the inaugural meeting of the ATM Industry Association (ATMIA) US EMV Migration Committee. This was a lively and productive meeting at which a number of important issues were raised. Chief amongst these was the MasterCard EMV liability shift for inter-regional Maestro ATM transactions. It is perhaps not widely recognised that the deadline for this is April 19 2013 – just less than one year away! Just to be clear, the implication is that after this date, if a Maestro EMV card is used fraudulently at a US ATM which has not been upgraded to support EMV, liability for the fraud will pass from the issuer (most likely to be non-US) to the US acquirer which owns the ATM. One of the many important questions raised at the meeting was what this would mean in terms of dollar losses if no upgrades occurred. I don’t know, but my guess is a lot, and rising rapidly. According to the European ATM Security Team (EAST) ATM Fraud Analysis Report published in July last year, around 80% of non-EU fraud against EU payment cards was committed in the US.
Not surprisingly, the ATMIA committee felt that the MasterCard deadline was aggressive, if not downright unachievable, and I must say I have sympathy with this view. On the other hand there is nothing like an ambitious mandate for focusing minds and if the result is a more proactive and coordinated approach to EMV migration in the US then I’m all for it!
I’ve pointed out before that a major challenge facing the US EMV project is the lack of any central coordination body in a card payments market which is more complex and fragmented than most (see Bulletin 297). My first reaction was that the ATMIA initiative might be too narrowly focused on ATMs to be the right forum – what about merchants and POS terminals? But on reflection, and encouraged by the committee meeting, I’m beginning to think that this is exactly the right place to start, for several reasons:
- The aggressive MasterCard liability shift deadline, as discussed, will concentrate minds and introduce a note of urgency.
- US ATMs are probably the main locus of EMV-preventable card fraud and are certainly the main problem for non-US issuers.
- Arguably, upgrading ATMs to EMV compliance is relatively straightforward (compared with POS terminals and reissuing cards), not least because PIN verification is already the norm and is always online.
- ATM migration more or less demands a high degree of coordination and collaboration between banks, which is to be encouraged in the US!
A good example of this last point is the question of PIN change and PIN block/unblock transactions carried out at ATMs. If US EMV cards support offline PIN verification (of course this is another major issue which needs to be resolved – see Bulletin 297) then these transactions require secure coordination between host-based and card-based PIN systems, which in turn implies a common approach adopted by all banks. This can be quite challenging, and there are important lessons to be learned from other countries which have completed the migration process.
For all these reasons I believe the launching of the ATMIA US EMV Migration Committee is an important and encouraging milestone. It deserves the support not just of the US card payments community, but also of their colleagues in the rest of the world who have a lot to offer in terms of lessons learned and best practice.
Banking Automation Bulletin Article, May 2012, by Nick Collin