Friday, April 19, 2024

A Touchy Subject

The ducks are lining up for U.S. contactless payments with dual-interface cards, but they’re not all in a row yet. Outdated POS terminals and certification issues still stand in the way.

Forget the swipe, and even the dip. Tapping plastic cards is the wave of the future, in the eyes of some payment prognosticators.

Last month, Visa Inc. said 11 of its top 25 card issuers are now rolling out contactless cards, and the network predicts 100 million such cards will be circulating by year’s end. Committed issuers include such giants as JPMorgan Chase & Co., the nation’s largest credit card issuer, and Wells Fargo & Co., among others. American Express Co. already is in the game, too.

Plus, 80 of the top 100 merchants by transaction volume allow customers to tap to pay at checkout, according to Visa. With countries such as Canada and the United Kingdom far ahead, it finally looks like the U.S. is connecting with contactless.

“After 15 years of industry stakeholder debates, trials, and pilots to determine when contactless payments would finally take off in the U.S., all the components are finally in place to make it happen,” says an April report from the Federal Reserve Bank of Boston.

But wait. That report came out just before struggling department-store chain J. C. Penney Co. Inc. stunned the retailing and payments industries by turning off contactless acceptance. It turns out that a conflict between contactless payments based on the EMV chip card standard and an older standard known as magnetic-stripe data (MSD) was the source of the problem—and JCPenney might not be the only retailer affected.

In this article, Digital Transactions examines how merchant technology, thorny standards, and certification issues could slow down the spread of EMV contactless transactions in the U.S., despite the speed and security advantages of tap-and-go payments.

Penney Pulls the Plug

MSD technology essentially converts mag-stripe track data into a format usable with the first generation of contactless cards. JCPenney’s contactless turnoff was a reminder for many about the difficulties of retrofitting the U.S. for a new type of payment.

U.S. merchants began replacing their mag-stripe-based point-of-sale terminals with new devices that could process chip cards as a result of the card networks’ October 2015 EMV liability shifts. But some merchants eschewed the option of EMV-based contactless payments and chose terminals that could read only EMV contact chip cards in which the card is inserted, or dipped, into the device.

In contrast, most new EMV POS terminals are capable of accepting not only dipped payments, but also contactless EMV transactions using near-field communication technology, though it’s up to the merchant or acquirer to activate NFC.

Going with lower-function contact-only terminals made sense for some merchants not only because of cost but also because the vast majority of the first-generation EMV cards were of the contact-only variety.

Such cards at the time cost issuers only about half as much as so-called dual-interface cards that support both contact and contactless EMV payments, the latter of which use NFC.

Plus, many of the contact-only EMV terminals, including those at JCPenney, had the ability to support mobile contactless payments through the Apple Pay, Google Pay, and Samsung Pay smart-phone wallets, even though they didn’t draw on the NFC capabilities those wallets support.

If a smart phone with one of the major mobile wallets detects the terminal can’t process an EMV contactless payment, the wallet can “step down” from EMV and still process a transaction using MSD, according to Randy Vanderhoof, executive director of the Secure Technology Alliance, a Princeton Junction, N.J.-based trade group that researches chip card payments. (Vanderhoof also is director of an SCA affiliate, the U.S. Payments Forum.)

But no such stepdown is available for dual-interface EMV cards when tapped on contact-EMV/MSD terminals. That potentially means longer lines, or even lost sales, at checkout as a customer takes a bit of extra time to dip the card.

Vanderhoof notes that MSD was the standard used in the pre-EMV generation of contactless cards dating back more than a decade, the best known of which was Chase’s blink card issued from 2005 to 2014. Consumers, however, didn’t embrace these early contactless cards, in part because merchants didn’t, either. Even so, MSD capability was built into many contact-only EMV terminals later on.

Visa in October 2017 set an April 13, 2019, deadline for terminals to support the newer EMV contactless standard and retire MSD. EMV is more secure because it uses one-time cryptograms in transactions whereas MSD doesn’t. Plus, EMV is the contactless standard in many countries, while MSD was developed mainly for the U.S. market, though it briefly was used in Canada.
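To illustrate why a one-time cryptogram resists replay where static data does not, here is an added example (not from the article or any payment network). It models MSD as static track-style data, as the article describes it, and uses HMAC-SHA256 as a stand-in for the EMV cryptogram computation; the `Issuer` class, key, card number, and field sizes are constructed for illustration.

```python
import hashlib
import hmac
import os

CARD_KEY = os.urandom(16)  # constructed per-card secret shared with the issuer


def msd_payload(pan: str, expiry: str, cvv: str) -> bytes:
    """Static track-style data: the same bytes on every tap (MSD as the article describes it)."""
    return f"{pan}={expiry}{cvv}".encode()


def emv_cryptogram(key: bytes, atc: int, amount_cents: int, terminal_nonce: bytes) -> bytes:
    """One-time value bound to this transaction. HMAC-SHA256 is a stand-in, not the EMV algorithm."""
    msg = atc.to_bytes(2, "big") + amount_cents.to_bytes(6, "big") + terminal_nonce
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class Issuer:
    """Hypothetical issuer-side check for both kinds of contactless data."""

    def __init__(self, key: bytes, static_record: bytes):
        self.key = key
        self.static_record = static_record
        self.last_atc = 0  # highest transaction counter accepted so far

    def approve_msd(self, payload: bytes) -> bool:
        # Nothing in the payload changes between taps, so a copy looks like the card.
        return hmac.compare_digest(payload, self.static_record)

    def approve_emv(self, atc: int, amount_cents: int, terminal_nonce: bytes, cryptogram: bytes) -> bool:
        if atc <= self.last_atc:  # a reused counter means a replayed transaction
            return False
        expected = emv_cryptogram(self.key, atc, amount_cents, terminal_nonce)
        if not hmac.compare_digest(expected, cryptogram):
            return False
        self.last_atc = atc
        return True


def replay_demo() -> dict:
    static = msd_payload("4000000000000002", "2512", "123")  # constructed test values
    issuer = Issuer(CARD_KEY, static)
    nonce = os.urandom(4)  # terminal's unpredictable number
    cg = emv_cryptogram(CARD_KEY, 1, 1999, nonce)
    return {
        "msd_first": issuer.approve_msd(static),
        "msd_replay": issuer.approve_msd(static),
        "emv_first": issuer.approve_emv(1, 1999, nonce, cg),
        "emv_replay": issuer.approve_emv(1, 1999, nonce, cg),
        "emv_altered_amount": issuer.approve_emv(2, 999999, nonce, cg),
    }


if __name__ == "__main__":
    print(replay_demo())
```

The captured static payload is approved a second time, while the captured cryptogram is rejected both when resubmitted unchanged and when attached to a different amount.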

The initial JCPenney news said nothing about dual-interface cards. Instead, it focused on the retailer dropping Apple Pay, the most popular of the mobile wallets. The Plano, Texas-based retailer confirmed to Digital Transactions later that it also accepted Google Pay and Samsung Pay.

It surprised many observers to see JCPenney pull the plug on the mobile wallets because, after years of trying, the payments apps finally seemed to be attracting more merchant acceptors and consumer users.

“The payment brands want to get MSD out of the market and move everyone to the contactless EMV front,” Vanderhoof says. “That is how it is impacting on Apple Pay, because in the case of JCPenney they had enabled for EMV contact [transactions] but not EMV contactless.”

While everyone seems to want MSD out, Mastercard Inc., American Express, and Discover Financial Services have yet to join Visa in explicitly trying to banish the old standard.

In a statement that didn’t mention Visa by name, JCPenney implied that contactless payments, presumably of the EMV variety, will return to its stores some day.

“Given the resources and lead time associated with meeting the new mandate, JCPenney chose to suspend all contactless payment options until a later date,” the company said. “Customers still have the ability to complete their transactions manually by inserting or swiping their physical credit cards at our point-of-sale terminals in stores, an option employed by the vast majority of JCPenney shoppers.”

The move by JCPenney, which has struggled with weak sales in recent years, raises the question of who else is still relying on contact-only EMV/MSD terminals.

“I would agree that there are other retailers that are in the same situation as JCPenney,” says Vanderhoof, though he wouldn’t name any. Some merchants, because of “other priorities,” decided not to make EMV contactless upgrades, he says.

Marianne Crowe, vice president of the payment strategies group at the Boston Fed and a co-author of the April report, agrees JCPenney likely isn’t alone.

“My sense is it’s probably more than we originally thought,” she says, adding, “I don’t think a lot of people knew about the difference” between the MSD and EMV contactless standards.

Another question is what penalties, if any, await merchants that hadn’t upgraded their terminals for EMV contactless payments by Visa’s April 13 deadline. Visa declined comment.

‘Muscle Memory’

As the U.S. wrestles with its contactless-payment issues, Canadians can look south and smile. MSD did make some headway in Canada, but not for long because the country embraced EMV more than five years before the U.S. did.

The country’s largest acquirer, Toronto-based Moneris Solutions Corp., recently reported that in the first quarter contactless for the first time accounted for more than half of card-present transactions—51.5%. Contactless payments grew nearly 25% year-over-year while overall credit and debit card spending rose only 2.5%, Moneris reported.

By comparison, contactless is probably still in the low single digits as a percentage of U.S. card-based payments.

The reasons for this difference between the neighboring countries are several. One, Canada’s financial system is much more centralized than that of the U.S., making new technologies and systems easier to deploy.

“In Canada, the stars aligned,” says Patrick Diab, vice president of product and client solutions at Moneris.

A big factor is that few Canadian merchants own their POS terminals. Instead, they rent them from acquirers. That leads to quicker upgrades and helped spread terminals that supported both EMV contact and contactless NFC-based transactions, according to Diab.

“The refresh rate is quicker,” he says.

In addition, high-speed Internet, an essential element for fast contactless transactions, was coming into the market at about the same time the card networks mandated chip-and-PIN payments in 2006.

“Contactless without high-speed Internet loses its value,” says Diab.

When Americans finally do get dual-interface cards into their pockets, some researchers predict they will quickly become the favored vehicle for contactless payments, not the mobile wallets.

True, consumers have just learned how to dip, but the operative factor remains the act of pulling out the plastic, not a smart phone, to pay for something, according to Raymond Pucci, director of the merchant-services practice at Maynard, Mass.-based Mercator Advisory Group Inc.

“The contactless card will have a much better chance of adoption by consumers, the main reason being people have muscle memory on their cards,” says Pucci.

In any case, issues involving tap-and-pay ubiquity are now moving to the forefront.

A Very Busy Process

It’s behind the scenes, as it almost always is in the payments industry, that the concrete work remains to be done. For many acquirers and processors—the entities that are responsible for ensuring contactless readers are certified as EMV-compliant—that means selecting POS hardware and software and submitting them to testing labs for certification. That, in itself, is enough work to keep certification and testing labs and processors occupied for months.

Visa, so far, is the only card brand mandating that acceptance devices drop support for contactless MSD transactions on its cards in favor of its EMV contactless option, called qVSDC, or quick Visa Smart Debit/Credit transaction path.

The requirement, which only applies to merchants already accepting EMV contact and contactless MSD payments or deploying contactless in the future, says they must support only qVSDC, according to Itai Sela, president and chief executive of B2 Payments USA, a Toronto-based firm that provides payment-testing tools, card simulators, training and consulting, and POS-development services.

What may complicate testing and eventually certification processes for contactless devices is that Visa is the sole card brand mandating such a change, Sela says. The other card brands have not announced a cessation in support for mag-stripe contactless, although they highly recommended migrating to EMV-grade contactless. Indeed, they do mandate that any new contactless implementation must be EMV-enabled.

This may present a problem for merchants.

“One brand may say no certification is necessary to migrate to EMV contactless, just update your device and go,” Sela tells Digital Transactions, “but other brands may require certification” for upgrading to EMV contactless transactions. “The issue the industry has is [that] in some devices you can’t just change something for a single brand.”

In the case of contactless payments, the reader has a unique kernel in its operating system for each card brand. That kernel may share configurations, limiting the ability to turn options on or off for only a single network.

“They don’t have the technical ability to allow you to change a certain setting for just one card brand,” says Sela.

In the meantime, processors and acquirers have to contend with testing and certifying their payment devices and applications to the appropriate EMV specification.

EMVCo, the international organization that develops and maintains the EMV spec and related testing processes, does not mandate or enforce implementation policies. These are handled by payment networks independently of it, an EMVCo spokesman says.

Common to both contact and contactless EMV certification is ensuring compliance at three levels. Level 1 is related to the hardware certification, Sela says. Level 2 covers the compliance of the EMV kernel, which is the library of EMV and/or contactless commands enabling the configuration and support for the various EMV security features.

Once a device attains Level 1 and Level 2 certification, it can be integrated with a payment application, which requires a Level 3 certification to ensure its compliance, such as to a brand’s specification or for end-to-end certification.

Certification for EMV contactless is different from EMV contact transactions.

“While most POS terminals now support both contact and contactless, the requirements and features tested are different,” says Jean Fang, product manager of global laboratories at FIME, a France-based testing and certification-services provider. “Contact interfaces undergo electrical, protocol, and functional tests, while contactless interfaces undergo analog, digital, interoperability, functional, and performance tests.”

The certification process for contact and contactless is usually the same, Fang says, but the test plan and the reader type differ.

A typical process for gaining certification for contactless EMV works like this: “If a merchant has an EMV-capable terminal and it is capable of contactless, the merchant contacts their processor to upgrade the terminal firmware and software,” says Vanderhoof, speaking in his capacity as director of the U.S. Payments Forum. Most EMV POS terminals made in the past few years come with support for contactless EMV, he says.

“If the terminal already is EMV-enabled, the merchant just needs to add the contactless software that supports Visa, Mastercard, [and] American Express [with Discover coming in 2019], and do certification,” Vanderhoof says. “Certification involves running a series of test scripts based on the payment-network requirements.”

If the terminal passes the certification steps, then the merchant will choose to activate contactless or keep it turned off until a later date.

“You’re supposed to run your certification process only after you know everything is fully tested,” Vanderhoof says.

Test, Then Certify

What tends to happen in some cases is that developers will try to develop based on test cases instead of developing a product to a full-requirement specification, Sela notes.

“Many in the industry totally miss that,” he says. “They test to certify instead of fully testing their solutions to ensure that everything is supported correctly and only then go for certification.”

In one example, a manufacturer of automated fuel dispensers, an industry that faces an October 2020 EMV liability shift (“Where EMV Spells Headache,” May), might have five families of products to sell to fuel retailers, Sela says. These might connect to six or seven gateways or processors, creating a veritable spider’s web of some 70 unique connections, each of which must be certified as compliant with each of the card brands’ EMV requirements.

“Then the problem is they are certifying without their main transaction type, which is used at the automated fuel dispenser and called a pre-authorization complement transaction,” Sela says.

Specifically, they should be at least testing that each connection can correctly complete this type of transaction. But that’s a challenge.

“Most of the brands don’t have a certification test case for preauth completion,” he says. The manufacturer will run 70 certifications, he adds, and not be able to prove that their only transaction type actually works.

Other issues may surface, too, especially following deployment, FIME’s Fang says.

“As ever, banks’ main concern comes with issuance and deployment in the field,” she says. “Everything has been put through its paces during certification, but going live can still bring some surprises. For example, the information inputted by a personalization bureau or processor during production may be different from what has been certified.”

“This is where expert consultants and testing partners deliver real value, mitigating challenges throughout the entire process to ensure a successful launch,” she adds. “Some banks even have internal procedures to run alpha/beta tests on all the devices/terminals before final deployment. Testing labs usually certify samples only.”

Other changes may prompt recertification, too.

“POS devices are highly customizable,” Vanderhoof says. “Larger merchants and merchants with specialized payments needs such as accepting other forms of payment, loyalty, and payments switches and routing systems, may need to recertify if they make software, hardware, or configuration changes or they add new functions that impact payment and that, under payment-network certification rules, require recertification.”

Examples include operating-system changes; alterations to the kernel; the addition of new functionality (like cash back); or adding a new PIN pad, he says. Recertification means going back to each brand, according to Sela.

Clearly, achieving EMV contactless certification is a lot of work.

“Ultimately, certification is the foundation of worldwide payments interoperability,” Fang says, “enabling the acceptance of secure transactions regardless of the card or device used, the terminal technology, hardware, software, [or] the country in which the payment is made.”
