The Europay Mastercard Visa (EMV) standard, which aims to make payments more secure through the use of a chip rather than a magnetic stripe (magstripe) card, is slowly but surely continuing its march across the globe. The UK was one of the early adopters in 2004, but since the standard was mandated through the single euro payments area (SEPA), more European countries have progressed with their implementations in recent years. In fact, at the end of 3Q09, the European Payments Council (EPC) Cards Working Group found that EMV compliance had reached 70% for cards, 78% for point of sale (POS) and 94% for ATMs. EMV has now also been rolled out in other parts of the world, such as Australia, Canada and Brazil. In terms of the Middle East, there have been pockets of adoption, namely in Saudi Arabia, but widespread migration has to date eluded the region.
The main driver for most countries is preventing payment fraud. In the UK, for example, the introduction of the EMV standard reduced card fraud by 25% within its first two years of implementation. By contrast, payment fraud has not typically been seen as a big issue among financial institutions in the Middle East. However, times are changing. Rapid economic growth in the region combined with an influx of visitors from around the world has contributed to a dramatic rise in magstripe card fraud. ATMs in particular have been plagued by transactions executed with unauthorised cards.
At the same time, use of the ATM channel is growing rapidly. In fact, Retail Banking Research (RBR) predicts that the ATM market in the Middle East will grow by 75% over the next four years, with the total number of ATMs in the region reaching 70,000 from the current tally of 40,000. What’s more, the introduction of the Wage Protection System in the United Arab Emirates (UAE) serves to further increase ATM usage across the region. As the ATM becomes a more popular and regular touch point between customers and their banks, it is even more important that ATM fraud does not serve to discourage further uptake of the channel or negatively impact the reputation of banks. While most banks in the region have adopted EMV for their credit cards, the ATM channel debit cards remain non-EMV compliant. With recent changes, it seems that there is now a solid business case for banks to reduce fraud and maintain customer trust through compliance with the EMV standard for debit card transactions at the ATM. However, there are other, very specific factors at play in the region at present which are driving the broader migration to EMV.
Factors Driving Migration
Firstly, the UAE Central Bank has provided firmer guidelines on the EMV standard, and some banks in the UAE, both local and foreign, are already in the process of adopting EMV chip technologies for debit card transactions at the ATM. Given the strong support of the UAE Central Bank, it is likely that other banks in the region will follow suit. Since migration to EMV requires significant infrastructure change, no deadline for migration has yet been set, but banks should expect one soon.
Secondly, Qatar and Oman are experiencing increased cross-border travel as their economies grow. Qatar has been relatively sheltered from the effects of the economic downturn and, as a result, is rapidly becoming a key business centre for the region. This growth in business transactions has also seen an increase in ATM usage, as well as the potential for fraud.
Oman continues to witness a surge in tourism and ATM transactions are likely to increase accordingly. While tourists support the local economy and drive ATM usage, the experience of other countries within the Gulf region has shown that this growth in visitors is also likely to increase ATM criminal activity. Consequently, these countries are looking to implement EMV as a preventative measure before fraud becomes a serious issue. The UAE experienced a similar situation when tourism took off and the country’s wealth increased. While taking a proactive stance against fraud will reduce the costs associated with this problem, it will also do much to prevent a decline in customer confidence in the countries’ banks.
Finally, ATM traffic looks set to increase due to the introduction of the Wage Protection Scheme. Under the new legislation, companies will need to pay employees directly into their bank accounts. Since people will need to go to the bank to access their funds, both card and ATM usage will increase. This presents an opportunity for banks to generate return on investment (ROI) at the ATM, but also provides hackers with an increased opportunity to clone ATM cards.
So, how will the implementation of EMV help combat the growing fraud problem in the Middle East? Under the EMV Chip and PIN system, credit and debit cards containing an embedded microchip are authenticated automatically using a PIN. Chip and PIN cards use algorithms to enforce a more rigorous authentication process than magstripe cards, and are therefore far more secure. Customers wishing to make a payment place their card into a PIN pad terminal or a modified swipe-card reader, which accesses the chip on the card. Once the card has been authenticated, the customer enters a four-digit PIN, which is checked against the PIN stored on the card. The transaction is completed if the numbers match.
While costly to implement, EMV Chip and PIN provides significant benefits to banks and retailers in terms of fraud reduction. Fraudsters are deterred from copying the chip, since it is expensive, time-intensive and requires resources out of proportion to the likely reward. As the chip is a computer device, it can interact with the accepting device, such as an ATM or payment terminal, and process the necessary data.
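The contrast between a static stripe and a chip that computes a response can be shown with a simplified model. This is an added example, not part of the original article and not the EMV algorithm itself: HMAC-SHA256 stands in for the card's cryptogram, and all names, keys and track data are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample values; none of them come from the article.
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # held by chip and issuer
TRACK_DATA = b"9999000000000000=00000000"  # static magstripe contents

def _mac(key, counter, amount_cents, nonce):
    msg = counter.to_bytes(2, "big") + amount_cents.to_bytes(6, "big") + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()

class ChipCard:
    """Toy chip: the key stays on the card, only per-transaction MACs leave it."""
    def __init__(self, key):
        self._key, self._counter = key, 0

    def sign(self, amount_cents, nonce):
        self._counter += 1  # fresh counter for every transaction
        return self._counter, _mac(self._key, self._counter, amount_cents, nonce)

class Issuer:
    def __init__(self, key, track):
        self._key, self._track, self._last = key, track, 0

    def approve_magstripe(self, track):
        # Static comparison: any byte-for-byte copy of the stripe passes.
        return hmac.compare_digest(track, self._track)

    def approve_chip(self, amount_cents, nonce, counter, mac):
        if counter <= self._last:  # stale counter means a replayed response
            return False
        if not hmac.compare_digest(mac, _mac(self._key, counter, amount_cents, nonce)):
            return False
        self._last = counter
        return True

def run_demo():
    issuer, card = Issuer(CARD_KEY, TRACK_DATA), ChipCard(CARD_KEY)
    out = {"copied_stripe_accepted": issuer.approve_magstripe(bytes(TRACK_DATA))}
    nonce = os.urandom(4)  # terminal-chosen unpredictable number
    counter, mac = card.sign(5000, nonce)
    out["genuine_chip_accepted"] = issuer.approve_chip(5000, nonce, counter, mac)
    # The same recorded response presented a second time is refused.
    out["replayed_chip_accepted"] = issuer.approve_chip(5000, nonce, counter, mac)
    counter2, mac2 = card.sign(5000, nonce)
    # A valid response attached to a different amount fails the MAC check.
    out["altered_amount_accepted"] = issuer.approve_chip(90000, nonce, counter2, mac2)
    return out
```
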
The introduction of EMV will unequivocally help to reduce payment fraud, but it will also involve considerable change at the ATM and other payment channels. There are many more types of card conditions with EMV cards than with static magstripe cards. As a result, ATM software applications – and, ultimately, host systems – need to be able to process a much wider range of scenarios. Because the chip is a computer device, it interacts with the ATM and processes data rather than being a simple static interface, as is the case with magstripe cards. This increased complexity requires a change in network infrastructure and ATM application testing, which carries a much higher risk of ATM downtime.
Facilitating Migration to EMV
Yet, the cost of migration to EMV systems is largely offset by the savings resulting from fraud reduction, as well as the additional functionality, such as personalised services, which the chip cards enable. The ability to provide innovative services at the ATM will help banks to ensure long-term business benefits from their initial investment in EMV compliance.
With this in mind, the question for banks in the Middle East is no longer whether they should migrate to EMV, but rather how. In implementing EMV, banks first of all need to truly understand the standards and their requirements. With key industry players such as Visa and MasterCard discussing the possibility of setting penalties for non-compliant institutions, banks must act quickly.
From a technology standpoint, EMV mandates are more complex than the traditional approach. Testing EMV-compliant ATMs is far more labour-intensive than testing traditional ATMs, for example. Once the EMV migration is complete, banks must ensure any faults are swiftly addressed and that uptime across their ATM networks is maintained. Furthermore, when upgrading their ATM networks, banks must be able to continuously certify the validity of their applications to comply with the international standards of EMV.
In order to maintain ATMs with EMV capacity, banks need to consider testing ATM networks on an ongoing basis. With the use of magstripe cards, Gulf banks have seen very little change in their ATM network testing routines and certification requirements. Banks should consider ATM testing automation in order to successfully maintain their EMV-compliant ATMs and ATM networks, and benefit from increased productivity, cost savings and compliance.
It’s clear that the migration to EMV will involve significant technical changes for the region, as well as a certain amount of investment. However, the Middle East does have the benefit of experience on its side. By joining a later wave of EMV adoption, the region can heed the lessons learnt from other migration projects across the globe. In doing so, Middle Eastern countries should be able to roll out successful EMV strategies quickly, ensuring they do not become an easy target for the fraudsters looking to exploit the weakest links in card security.