The EMV Contactless Kernel Specification
Few things have taken a bigger bite out of card-present fraud than the EMV chip, but the days of inserting instead of swiping were not destined to last long. Contactless payments are becoming increasingly popular, especially in the wake of the pandemic.
While contactless payments are secure, there has not yet been one technological standard to unite them all. Once again, EMV is stepping in to establish the industry standards for the software programs that enable contactless payment at the point of sale. What is the new EMV Contactless Kernel Specification, and how does it affect merchants?
- What is the EMV Contactless Kernel Specification?
- Why Does EMV Want to Standardize Contactless Payment Terminal Software?
- When Will Merchants Have to Start Implementing the New Standard?
- What Features Does the EMV Contactless Kernel Specification Include?
There are well over 175 million contactless payment cards issued in the US alone, and mobile apps are expected to claim more than a third of the global payments market by 2024. Merchants have been assured that contactless payments are secure, utilizing the same encrypted tokenization methods that keep EMV chip transactions safe, and this is true. However, there has not been an industry-wide standard for the software that makes it possible for payment terminals to process contactless card and mobile payments.
This diversity of options has made things unnecessarily complicated for merchants and acquirers who simply want to know that they are using the most secure option, rather than having to weigh the relative merits, hardware requirements, and maintenance obligations from among a variety of different software kernels.
To resolve this dilemma and lay the groundwork for a smooth advancement of contactless technology, EMVCo started developing a Contactless Kernel Specification: a software standard for the entire payments industry to follow. In October 2022, EMVCo announced that the specification had been finalized. Let’s take a closer look at what this might mean for merchants and their service providers.
What is the EMV Contactless Kernel Specification?
The EMV Contactless Kernel Specification lays out the technical requirements for contactless EMV-compatible software kernels. This refers to the software program that controls the operating system and critical functions of the contactless payment terminal. EMVCo will manage the standard and license it royalty-free.
EMVCo announced that they were developing this standard in May 2022, following a two-month period of review and the release of a draft specification.
Before it was finalized, the draft specification was subjected to public review, a feasibility study, and input from members of the EMV consortium (Europay, Mastercard, Visa, and others) as well as other stakeholders in the payments industry.
The new standard will be compatible with existing terminal hardware and can work alongside older software systems while the period of transition is underway. EMVCo will publish a list of all kernels that meet the standard on their website.
Why Does EMV Want to Standardize Contactless Payment Terminal Software?
The main reason for the development of the EMV Contactless Kernel Specification is to simplify contactless payment acceptance and create a strong foundation for its future advancement. It addresses the fact that merchants and acquirers are currently stuck managing multiple kernel types.
Terminals that use the same type of kernel can look different when you interface with them, but under the hood, they’re running the same engine. This means that important upgrades and security patches can immediately be pushed out to every terminal at the same time. When terminals use different kernels, they may not receive updates at the same time, and the installation processes may not be the same.
Currently, there are about twenty different kernels in use for contactless payment terminals. Maintaining multiple incompatible software systems for contactless payments is costly and inefficient for every stakeholder involved in the transaction.
A standardized kernel will still allow for diversity and variety in the payment terminal software market, but the core operations will all be following the same specifications, ensuring a greater degree of security and intercompatibility for merchants across the globe.
When Will Merchants Have to Start Implementing the New Standard?
The EMV Contactless Kernel Specification has only just been published, and there is not yet a timeline for the rollout.
For now, there may be no reason for merchants to rush to replace their payment terminal software with a version coded according to the new specification. Many of the features it includes are intended to provide added security against sophisticated cyberattacks for which the issuing bank would usually be held liable. Other features, such as cloud optimization and biometric verification support, may be more attractive to merchants.
Until their acquirers or card networks mandate adoption of the EMV Contactless Kernel Specification, merchants will be able to use their own discretion about when or if to make the switch.
The change should go unnoticed by consumers, for the most part. The new kernel specifications only impact back-end operations and should not require any changes to the interface, except where it might be necessary to incorporate some of the new verification features.
What Features Does the EMV Contactless Kernel Specification Include?
The EMV Contactless Kernel Specification includes the following notable features:
- Biometric and mobile card verification support.
- Cloud optimization.
- Elliptic Curve Cryptography, which reduces the size of decryption key data used for card authentication without sacrificing security.
- Secure communication channels for maintaining privacy, preventing digital eavesdropping, and blocking “man-in-the-middle” and relay attacks.
- The option to securely store data on the contactless card itself.
For the most part, merchants are already protected from fraud-related chargebacks when they process contactless payments that utilize encrypted, tokenized data. The attacks that the new specifications are designed to prevent tend to be highly sophisticated, not the sort of low-effort fraud that retail merchants deal with on a constant basis.
The new standard for contactless and mobile card payment software is not likely to be disruptive. The new kernels are required to be compatible with existing hardware, and there’s no urgency for merchants to change out the software they’ve been using. The best thing to do at this point is start a dialogue with your acquirer about the advantages and timing of any possible changes.
Future developments may cause card networks to mandate the use of the EMV Contactless Kernel Specification, but for now, merchants should just be aware that these changes are in development.
Thanks for following the Chargeback Gurus blog. Feel free to submit topic suggestions, questions, or requests for advice to: email@example.com