July 11, 2014
Previously published on July 8, 2014
Beginning in October of 2015, merchants, card issuers, and payment processors must comply with new technical requirements (known as the EMV standard) for debit and credit cards and the accompanying point of sale (POS) infrastructure, or risk being held responsible for the cost of fraudulent in-person transactions. The United States is the last major world economy to adopt these new standards.
What is the new EMV standard?
Named after its original creators (Europay, MasterCard, and Visa), the EMV standard requires smart chip technology to be embedded in payment cards, and also requires new POS devices capable of utilizing the capabilities of the chip technology. Some of these new payment cards may also require a personal identification number (PIN) instead of a signature in order to complete a transaction. The EMV standard does not require any specific form of cardholder verification via PIN, signature, or any other method. The issuer of the card will specify which verification method is required by placing specific rules on the chip.
What makes EMV enabled cards more secure than traditional cards?
EMV enabled cards are much more secure than traditional cards utilizing a magnetic stripe. With current magnetic stripe cards, the data housed on the magnetic stripe can be easily copied and magnetic stripe technology does not have the ability to verify the authenticity of the card itself. The smart chip embedded in EMV cards has the ability to encrypt every transaction differently and makes it significantly more difficult to copy payment data and re-use it. In addition, a cryptogram housed on the chip can verify that it is the original card, not a copy, and the EMV chip on the card and the EMV capable POS device interact dynamically, in real time, using sophisticated authentication technology. Although not all EMV cards will require a PIN for point of sale purchases, those that do will help validate that the person presenting the card is the true card owner. Most countries that have adopted the EMV standard have adopted PIN-based cardholder verification.
What is the "liability shift"?
Compliance with the new standard is not mandated by the card association operating rules. However, merchants that don't have POS equipment that meets the new standard by October 2015 (October 2017 for automated fuel dispensers) will assume liability for many fraudulent purchases. Today, card issuers ultimately bear 100% of the liability for card-present fraudulent transactions resulting from counterfeit, lost and stolen cards. Under the terms of a "liability shift" announced by the card associations, liability for these fraudulent transactions will move to the weakest link in the transaction. If a consumer uses a magnetic stripe based card in an EMV capable POS device, and the transaction turns out to be fraudulent, the issuer of the magnetic stripe card will be liable. However, if a consumer uses an EMV enabled card at a POS device that is not compliant with the EMV standard, liability for fraudulent transactions will ultimately rest with the merchant. This "liability shift" is intended to drive merchants to update their POS systems to be EMV compliant and to incent issuers to issue new EMV enabled chip based payment cards.
According to the Aite Group, card issuers are planning to ramp up issuance of EMV enabled cards during the fourth quarter of 2014 and the first quarter of 2015. The Aite Group predicts that, by the end of 2015, seventy percent of U.S. credit cards and forty-one percent of U.S. debit cards will be EMV enabled. (Seventy Percent of U.S. Credit Cards to be EMV Enabled by the End of 2015, BUS. WIRE (June 10, 2014, 8:00 AM), http://www.businesswire.com/news/home/20140610005311/en/Seventy-Percent-U.S.-Credit-Cards-EMV-Enabled.) In contrast, according to a report issued by First Annapolis Consulting, only 24% of small and mid-market merchants were aware of the new EMV standards, with 28% indicating that they had heard of the new standards but were not aware of the details. Eighty percent indicated that their POS equipment was either not EMV capable or they did not know if it was EMV capable. (Marc Abbey and Scott DeHaven, Lack of EMV Awareness Persists Among Small & Mid-Market Merchants, FIRST ANNAPOLIS (Apr. 2014), http://www.firstannapolis.com/articles/lack-of-emv-awareness-persists-among-small-mid-market-merchants.)
What should merchants be doing now?
Don't wait to start planning an equipment migration. Now is the time to begin developing a strategy for implementation of the EMV standard. POS equipment upgrades can be expensive and time consuming. Figure out how much it's going to cost, how long it will take, and plan accordingly. In some cases, fraud prevention alone may deliver an acceptable return on investment. Some industry experts believe that card fraud at the point of sale may increase in the near term at merchants that do not have the upgraded POS infrastructure. Criminals may head to the merchants that lag behind as EMV is incorporated into the mainstream.
Several of the card associations are also relaxing certain of their requirements with respect to Payment Card Industry Data Security Standard (PCI DSS) audits for merchants who have at least 75% of their annual transactions processed via EMV enabled terminals. In some cases, the potential elimination of annual PCI DSS assessments and validation could offset a significant portion of the cost of new terminals.
In planning an upgrade of your POS terminals to comply with the EMV standard, also be aware that there are additional changes on the horizon relating to point of sale payments via mobile phones and tablets. Contactless readers which enable customers to pay with a wave of their mobile device at the point of sale are also becoming available. As these initiatives move closer to the mainstream, merchants should consider choosing a POS infrastructure that will be easily upgradeable to accommodate the evolving payment landscape.
Merchants should also recognize that the EMV standard does not protect against fraud in card-not-present transactions (e.g. payments made via the web or over the phone). Merchants with a high volume of card-not-present transactions should pay close attention to developments intended to increase security of these transactions.
When the United States' payment industry completes the transition to the EMV standard, it will put the world on a single global standard for fraud protection. Savvy merchants will view the new standard as an opportunity to not only protect themselves but to attract and retain customers who value security protection.