October 2015 is the deadline for merchants to adopt EMV-compliant credit card terminals, in exchange for a liability waiver for fraudulent card-present transactions. Explaining the EMV shift and payment security is difficult – there is a great deal of confusion about what the shift means, what security it really delivers, and whether it actually offers real benefits for merchants. Part of the problem is that the card brands have chosen to focus all their marketing on a single oversimplified value statement: the liability shift for card-present transactions through non-EMV-compliant terminals. But digging into the specifications and working through the rollout process reveals a much larger change underway, with much broader ramifications. Unfortunately the press has failed to realize these implications, so the conversation has focused on liability, and lost sight of what else is going on. We produced this research paper to explain the additional changes underlying the EMV shift, its full impact on merchant security and operations, and where the shift will take the payment ecosystem.
The real story is both simpler and more interesting than its coverage to date.
Ultimately every paper we write at Securosis has the same core goal: to help security practitioners get their jobs done. It’s what we do. This paper is mostly for those at merchant sites struggling with the rollout and the issues it creates. At the end of the paper we offer recommendations for practitioners of EMV and mobile payment, including whether they should adopt EMV terminals and, if they do, practical considerations to protect themselves from new attack vectors. As always, if you have questions or additional material to add, feel free to post a comment.