The key challenge that lies ahead is Acquirer Acceptance Testing (AAT), a complex process requiring software vendor and retailer to work together with a given bank in order to verify compliance with the Chip and PIN standards. However, conflicting interpretations of the standards – in combination with an ongoing evolution and limited testing resource – have created a huge testing gridlock. No retailer has achieved AAT in the past six months, in fact.
From January 2005, any retailer not compliant with Chip and PIN will be liable for card fraud and, not surprisingly, it's highly likely that criminals will actively target non-compliant outlets. Yet, while the sheer scale of issuing 120 million new Chip cards, upgrading 40,000 cash machines and introducing 850,000 retailer terminals is clearly quite a challenge, few retailers appreciate the other requirements of Chip and PIN.
While for the customer Chip and PIN may appear to be the simple addition of a PIN pad or PIN Entry Device (PED) to the existing till, the reality is somewhat different.
Most retailers are facing a significant upheaval in their stores, from the reconfiguration of networks through to changes in power points. It's highly unlikely that existing network infrastructures will support the additional message requirements of Chip and PIN. For most retailers the message size, which incorporates information both from and to the retailer, will far exceed the 128b routers currently in use. Therefore, the decision will have to be made either to upgrade routers across all outlets or, perhaps, to opt for a Virtual Private Network and centralise transactions to the acquiring banks.
Each PED requires its own power point, which may well cause a problem or two in store, while some Point of Sale (PoS) PCs may not actually have enough slots to support the additional PED equipment.
UK retailers also face the challenge of having to train 1.5 million shop floor staff to use the new equipment. This training will include not only the basics of Chip and PIN acceptance but also cultural issues. What's the company's policy on card failure or a forgotten PIN? How might this situation be handled without compromising customer loyalty?
Accrediting retailer solutions
None of these issues can be addressed until a retailer owns a system that has passed AAT. Today, that's the major stumbling block. The accreditation process is time consuming, but that's little excuse for neglect. A lack of bank resources and inconsistent interpretation of the rules is creating the aforementioned testing backlog. One that will seriously undermine retailers' chances of complying with Chip and PIN regulations prior to next January.
The two-phase process of accrediting the retailer-specific solution is extremely comprehensive. Each IT system and component has to attain accreditation first, prior to the complex, robust testing of retail-specific solutions that combine software, PED and acquirer. The process demands significant resources to be put in place by banks, technology vendors and retailers as data must always be checked simultaneously at retail and bank sites alike.
Given the traditional technology freeze instigated by retailers between October and January, even if the banks throw enough resources at AAT to unlock the backlog, rolling out Chip and PIN solutions across hundreds of stores will be a massive commercial c
For their part, the banks seem to have been taken by surprise in terms of the level of resources required to achieve AAT (which, at least in part, explains the backlog).
However, there are other problems. First, there's a clear inconsistency in the interpretation of Chip and PIN rules, not just between banks but also between testers within banks. There's also a need for a more pragmatic approach to retailer-specific waivers but, to date, there has been little or no consistency in this area either.
This inconsistency – in combination with the fact that the rules are still evolving, and thereby creating new technology requirements – means that software vendors are faced with a constant process of upgrading or tailoring solutions to achieve AAT for a specific retailer.
One solution here would be type approval, whereby the same PED, software and acquirer combination attains compliance rather than solely the retailer. Both MasterCard and BMS are hoping to go in this direction. Given the specific requirements of retailers, few have exactly the same elements of a solution that would enable them to take advantage of type approval.
Given the traditional technology freeze instigated by retailers between October and January, even if the banks throw enough resources at AAT to unlock the backlog, rolling out Chip and PIN solutions across potentially hundreds of stores will be a huge challenge. At even the most basic level, the question is whether or not the IT sector can provide the resources for network upgrades and system implementation on this scale?
Yes, some retailers – most notably the major supermarkets – seem confident of achieving Chip and PIN compliance before the due deadline. That said, it must be noted that even Tesco admits to an eight-month delay at present, despite embarking on the whole process more than two years ago.
Resistance to change
For most mid-range retailers, Chip and PIN is now a major challenge. Indeed, the complexity of the process is simply adding weight to the Chip and PIN resistance of some retailers. While those experiencing high levels of fraud can easily justify implementation costs, retailers with traditionally low levels of fraud are finding it hard to swallow (in spite of the fact that their own fraud levels look set to increase).
If the banks don't manage to feed some consistency into the accreditation process, and increase testing resources, retailers will not have the chance even to ponder their ability to achieve implementation on time. The ongoing delay is certainly undermining the credibility of Chip and PIN before it's even properly implemented. It's certain that without widespread High Street adoption, the value of Chip and PIN in being able to reduce fraud will be substantially reduced.
Source
SMT
No comments yet