Banks that adopt a structured approach to EMV migration planning and implementation will reap the benefits for many years to come, says Aconite senior consultant Nigel Beatty.
EMV fever is now taking hold in most areas of the world. Mandates for migration are fast approaching – 2005 no longer seems years away and minds are being concentrated in bank boardrooms across the globe. However, a headlong rush into EMV migration is likely to end in tears; potential benefits will not be realised and trouble will be stored up for the future. Although your deadline may now be visible on the horizon, a structured approach to EMV migration remains essential.
Let's first get the mindset right. EMV is not about technology. EMV is not about backroom boffins doing curious things with smart cards. EMV is about opportunity. EMV is about harnessing a tried and tested technology to deliver your business objectives, now and in the future. A common attitude is that EMV migration is a necessary but expensive evil forced upon us by the card schemes to counter increasing fraud. That misses the point. EMV is as much about implementing an infrastructure that opens up a panorama of new opportunities, and a structured approach now will pay dividends in the future.
Strategy is key. EMV provides the perfect opportunity for new strategic thinking about where you want your cards business to be in, say, five or eight years' time. As part of that thinking you will need to consider both the direct impact of EMV and the longer-term opportunities.
Direct impacts of EMV will allow you to redesign your product portfolio, to further segment your existing product set, to address new and expanded populations of cardholders and merchants and to set new objectives for market share and revenue, driven from increased card and transaction volumes. These benefits stem from the security and risk management built into EMV and within card scheme guidelines. They are a toolkit; select and use the features you need. For example:
- Risk management and usage parameters determine the card's behaviour – control where and how individual cards can be used.
- Target higher-risk cardholders for more frequent online authorisation.
- Card payment in many new or previously fraud-prone scenarios such as unattended petrol stations and other vending outlets is enabled by secure off-line card and cardholder authentication; more terminals, more transactions, more revenue.
In the longer term, the EMV/smart card platform opens up many new opportunities, both within and outside the payments field. Prime examples are multi-application cards, remote authentication and secure transactions over new channels such as Internet and GPRS. But the foundations for these services must be laid firmly now, and laid in a way that builds in future-proofing. Among the areas where future benefit will be seen are:
- Value-add applications which may or may not co-reside with payment; the examples are familiar: loyalty, healthcare, ticketing, mass transit etc.
- Secure authenticated access to services such as e-banking, and secure card and cardholder verification for remote transactions in virtual (e-/m-commerce) and physical (mail and telephone order) channels.
- Application synergy to create the 'can't live without it' card; there may not be a single killer application, but the right combinations can create some very powerful propositions.
However, neither strategic thought nor any other migration activities will be possible unless the potential and the capabilities of the infrastructure are understood. Therefore education becomes an important pre-requisite; the impacts of EMV will be felt across the organisation from senior executive to call-centre operator, with major IT impact in between. It is essential to acquire the necessary knowledge, but beware; the world may be full of self-proclaimed EMV experts but real track record is thin on the ground.
With a strategy in place, business justification and definition of requirements can proceed. It is a truism to state that the business case for EMV is hard; it may be possible to justify migration on fraud reduction alone or to write off the cost as necessary for staying in business, but that ignores the benefits that taking the longer view will reveal. By their nature, infrastructure projects do not provide quick returns, but the bottom line will look healthier over a five to eight year timeline. Again, with expert help both the future benefits and the perceived costs can be validated and quantified to contribute to a robust and defensible business case.
Translation of strategy into tactical plans first requires the definition of business requirements, remembering that EMV migration is business-led. The broad scope of the business impacts means that a comprehensive set of requirements, addressing multiple areas, will most likely have to be assembled, and therefore consistency and cohesion will require careful checking. The far-reaching impacts mean that analysis, identification and quantification of change in all areas of the business must precede planning; this Impact Analysis is one of the critical activities of the migration, not only to confirm elements of the cost base used in the business case but to flush out the requirements for the development phase.
Not only will signed-off business requirements enable internal planning and technical/functional specification, but external requirements for third-party vendors can also be developed. Depending on your organisation’s procurement policy – buy or build – these could encompass card personalisation, card management, devices, authorisation processing, risk management, EMV script management etc. Recognise that lead times are multiplied in the smart card world and ensure that you have the expertise available to validate vendors’ claims. Certification of cards and devices, for example, is often given on a conditional basis. EMV support in authorisation systems may be specific to one card/application implementation or may be based on a single customer’s requirements; such a system could be EMV compliant, but would it provide the features you need? To be avoided at all costs is a requirement that deviates from the de facto standards, particularly for EMV payment applications developed by the major card schemes. All vendors have standard product that is compliant with VIS, the Visa Implementation Specification, and/or M/Chip, the MasterCard equivalent, at off-the-shelf, mass-market prices; a customised application will be an expensive and time-consuming exercise and the benefits of going that route had better be substantial for the business case to stand up.
Vendor commitment to delivery is just one aspect of project planning. Experience in the field of EMV implementation will be required to allow accurate estimation of tasks and activities that are either new and unique to a smart card/EMV implementation or radically different in scope to their magnetic-stripe equivalents. The plan also needs to identify and take account of lead times for new development and testing resources such as test cards and tools. For example, test cards go from being a €0.30 throwaway item in the magnetic stripe world to maybe a €10+ expensive resource in the smart card world with a six-week lead time, and the complex bit-strings that make up most EMV data need specialised tools for their creation and interpretation.
Careful monitoring during the development phase will help to avoid an unpleasant smart card fact of life: mistakes cost more to rectify. The complexity of the components – cards, devices and systems – means that backing out of a wrong turn will be expensive and probably involve throwing away irretrievable work. If a batch of cards is delivered with incorrect settings, this is a potential disaster, both in cost and reputational terms. Hence the need for comprehensive and rigorous testing; another area where there is a significant increase in scope when compared to a magnetic stripe implementation. Estimates have put the increase in test conditions at between four and eight-fold. That would be bad enough, but a recurring theme is that without the expertise and the specialised resources available, you cannot begin to specify those test conditions, let alone to plan or execute the tests. Another trap to avoid is the certification blind-spot. Just because a card or device has scheme or EMVCo Level 2 certification does not mean it will work in your environment – there is no guarantee that functions outside the scope of these certifications, such as message protocols, have been implemented correctly.
With testing signed off, card scheme certification comes next. While the procedures for the major schemes have not changed significantly, i.e. run scripts against the scheme simulators, submit the logs, perform on-line tests against the scheme test system, exchange clearing files then move into a live proving exercise, the procedures for many smaller, possibly national schemes have yet to be defined. In the UK, for example, the LINK national ATM network has been at the forefront of developing certification plans and processes; other national schemes may not be as advanced.
Finally we come to implementation and roll-out. Again, careful planning is required – many pieces must come together to make implementation successful. Worth particular mention is the security and key management set-up between a card issuer and their personalisation bureau, entailing generation of live keys, submission of keys to the card scheme Certification Authority and storage of certificates. An error at this stage will totally undermine the card issuance programme and prove costly to correct.
Even though a huge effort and great expense will have gone into your EMV migration, do not be tempted to invite the television cameras to watch the CEO perform the first EMV transaction… that’s really asking for trouble. Instead, keep the initial roll-out low key and in a controlled environment, and only blow the trumpet when things have had a chance to bed down.
In summary, EMV migration is a complex process. There are many new and unfamiliar areas to be managed, and without expert help, there are many pitfalls awaiting the unwary and the inexperienced. Good Luck!
Nigel Beatty is an experienced business consultant with a broad and extensive knowledge of the payments industry. He has worked with clients providing consultancy at senior levels within some of the UK's leading financial institutions and has particular expertise in the area of EMV smart cards. Nigel works with clients to develop strategies, define business cases and deliver solutions throughout the electronic payments industry.