Top 10 Questions on EMV for Retailers
1) What does EMV stand for and why is this being implemented?
“EMV” stands for Europay, MasterCard and Visa. It is a global standard for cards equipped with a special computer chip used to authenticate card transactions. The information stored on the chip is more secure and more difficult to ‘spoof’ than information stored on a magnetic stripe.
U.S. card issuers are migrating to this new technology to protect consumers and reduce the costs of fraud in response to numerous large-scale data breaches and increasing rates of counterfeit card fraud.
2) How will this impact merchants and consumers?
For merchants, the move to EMV will involve adding new in-store technology and internal processing systems, and complying with new liability rules. The cost of conversion for a small retail business to accept EMV is likely to run between $200 and $600 per terminal, depending on the type of card reader it uses. Beyond replacing the swiping device, retailers may also need to make upgrades to their POS system and train employees.
For consumers, it means activating new cards and learning new payment processes. Consumers began to receive their first chip-cards in early 2015, and by the end of 2015 most households will have at least one card with a chip.
3) Why are EMV cards more secure than traditional cards?
Traditional credit and debit cards have a magnetic stripe on the back of the card that stores data about the cardholder. Once the card is programmed, this data cannot be changed. While it’s easy for the merchant to read a traditional credit card in order to confirm a transaction (just swipe it), the ease of this process also makes these types of cards vulnerable to fraudsters and counterfeiters. Once a criminal copies a magnetic stripe, they can easily replicate that data over and over again – because the data does not change.
Next generation EMV cards have a small, metallic square containing a computer chip that supplements the magnetic stripe historically found on the back of the card.
Every time an EMV card is used for payment, the card chip creates a unique transaction code that cannot be used again. If a fraudster steals the chip information from one specific point of sale transaction, the information cannot be used for duplicate fraudulent transactions, and the card would just be declined if the data was used again. In this way, EMV technology will not prevent all data breaches from occurring, but it will make it much harder for fraudsters to successfully profit from what they steal.
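The contrast described above, as an added example that is not part of the original article: a simplified Python model of an issuer checking static stripe data versus a per-transaction chip code. HMAC-SHA256, the strictly increasing counter check, and all names, keys and values are assumptions constructed for illustration; they stand in for the card's real cryptogram algorithm.

```python
import hashlib
import hmac

def chip_code(card_key, atc, amount_cents, nonce):
    """Chip side: per-transaction code over counter, amount and terminal nonce.
    HMAC-SHA256 is a stand-in for the card's real cryptogram algorithm."""
    msg = atc.to_bytes(2, "big") + amount_cents.to_bytes(6, "big") + nonce
    return hmac.new(card_key, msg, hashlib.sha256).digest()[:8]

class Issuer:
    """Issuer side (hypothetical model): one key, one static stripe value and
    the highest accepted transaction counter for a single card."""
    def __init__(self, card_key, stripe_data):
        self.card_key = card_key
        self.stripe_data = stripe_data
        self.last_atc = 0

    def authorize_stripe(self, stripe_data):
        # Static data: a copy is indistinguishable from the original card.
        return "APPROVE" if stripe_data == self.stripe_data else "DECLINE"

    def authorize_chip(self, atc, amount_cents, nonce, code):
        if atc <= self.last_atc:
            return "DECLINE: counter already used"
        expected = chip_code(self.card_key, atc, amount_cents, nonce)
        if not hmac.compare_digest(expected, code):
            return "DECLINE: code does not match"
        self.last_atc = atc
        return "APPROVE"

def demo():
    key = b"constructed-demo-key"          # constructed sample value
    stripe = "TRACK2-CONSTRUCTED-SAMPLE"   # constructed sample value
    issuer = Issuer(key, stripe)
    nonce = b"\x01\x02\x03\x04"            # terminal-supplied value (constructed)
    captured = (1, 2500, nonce, chip_code(key, 1, 2500, nonce))
    return {
        "stripe_first": issuer.authorize_stripe(stripe),
        "stripe_copy": issuer.authorize_stripe(stripe),
        "chip_first": issuer.authorize_chip(*captured),
        "chip_replay": issuer.authorize_chip(*captured),
        # The same captured code presented again with a higher counter.
        "chip_bumped": issuer.authorize_chip(2, 2500, nonce, captured[3]),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The copied stripe data is approved both times, while the captured chip data is declined on every reuse because the code is bound to a counter the issuer has already seen.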
4) How are EMV cards used to make a purchase?
Just like magnetic-stripe cards, EMV cards are processed for payment in two steps: card reading and transaction verification.
Unlike traditional cards, EMV cards are not processed by quickly swiping a card through a slotted credit card reader. Instead, a customer ‘dips’ or inserts the EMV card into a slot on a new type of card reader designed for EMV transactions.
When an EMV card is ‘dipped’, the reader extracts data stored on the card chip, and then sends the data to the issuing financial institution to verify the card’s legitimacy and create the unique transaction data. This process takes slightly more time (a few seconds) than reading a traditional credit card with a swipe, as the EMV data set unique to the transaction needs to be created. So, consumers will need to learn to be patient when dipping a card to wait for the transaction confirmation.
5) Is card dipping the only option for EMV cards?
No. EMV cards can also support contactless card readers, also known as ‘near field communication’ or NFC (note: many mobile wallets such as Apple Pay also use NFC technology). Instead of dipping or swiping, NFC-equipped cards are tapped against a terminal scanner that can pick up the card data from the embedded computer chip through a close-range wireless connection.
There is a global movement to make EMV cards dual-interface (i.e. contact and contactless); however, dual-interface cards and the equipment needed to scan them are expensive. So for now, most financial institutions are issuing contact cards.
6) Will consumers need to sign or enter a PIN for a card transaction?
While consumers will have to use one of these verification methods, the type of verification will depend on the EMV card, as well as whether it’s debit or credit.
Chip-and-PIN cards generally work just like the checking-account debit cards that have been accepted by merchants for years. At the point of purchase, consumers enter a PIN that connects the payment terminal to the payment processor for real-time transaction verification and approval. This provides an extra layer of fraud protection. However, many payment processors and merchants are not equipped with the technology needed to handle chip-and-PIN credit transactions. So it’s unlikely that PINs will be required anytime soon.
As a result, the vast majority of cards issued in 2015 will be ‘chip-and-signature’ cards, so the payment and authentication process will be similar to how credit cards are currently accepted. Merchants will just add a second step after the EMV card dip requiring customers to sign a receipt slip.
Given the costs to merchants of upgrading equipment to accept chip-and-PIN cards, there will be an extended transition period before chip-and-PIN cards have widespread acceptance. While consumers will start to see some chip-and-PIN cards in 2015, it will probably take two to three years to fully convert to chip-and-PIN. Keep in mind that chip-and-PIN cards can be used in chip-and-signature mode, so these next generation cards can be used right away without requiring PIN pads.
7) If fraud occurs with an EMV card, who will be liable for the costs?
Today, if an in-store transaction is conducted using a counterfeit, stolen or an otherwise compromised card, any losses from that transaction are the responsibility of the payment processor or issuing bank, depending on the card’s terms and conditions.
Following the Oct. 1, 2015 deadline created by major U.S. credit card issuers MasterCard, Visa, Discover and American Express, card-present fraud liability will shift to whoever is the least EMV-compliant party in a fraudulent transaction. As a result, any party not EMV-ready by October 2015 could face much higher costs in the event of a large data breach.
For example, if a financial institution has issued a chip card that is then used in a fraudulent transaction at a merchant that has not changed its system to accept chip technology, the liability for the fraud will be the responsibility of the merchant. A non-compliant merchant can still process chip card transactions using legacy magnetic stripe readers, but the merchant will be exposed to significantly more liability from fraudulent transactions.
The major credit card issuers each have published detailed schedules about the upcoming shift in liability. The change is intended to help bring the entire payment industry on board with EMV by encouraging compliance to avoid liability costs.
8) Can chip-cards be used at retailers that do not support EMV technology yet?
Yes. The first round of EMV cards — many of which are already in consumers’ hands — are equipped with both chip and magnetic-stripe functions to minimize the inconvenience to consumers. The new terminals are designed to help the consumer figure out which authentication process should be used.
For example, if you enter a card into the chip reader slot but the reader isn’t activated yet, the reader will deliver an error message and the consumer will be prompted to swipe the card instead. If a consumer tries to swipe an EMV chip card instead of inserting it, an error message will appear requesting that the card be inserted for EMV chip processing instead.
If chip-card readers are not in place at a merchant at all, an EMV card can be read with a magnetic card swipe, just like a traditional card. But while EMV cards can be used with legacy card swipe readers, the merchant will lose that extra level of chip security and be exposed to card fraud liability.
9) Is everyone in the processing chain expected to meet the Oct. 1, 2015 deadline?
Not a chance.
Although the upcoming deadline is strong encouragement for all payment processing parties to become EMV-compliant as soon as possible, experts do not believe everyone will comply by that date. It is expected that only 50 percent of banks and retailers will be completely transitioned over to EMV by the deadline. By the end of 2015, experts predict that only 70 percent of credit cards and 40 percent of debit cards in the U.S. (1.1 billion cards total) will support EMV.
10) What EMV card reader is the best?
That will depend on your processor. Each payment processor or gateway needs to certify support for each terminal model with each of the card brands.
In addition to upgrading your POS system to EMV to prevent fraud, you may need to make other upgrades to your system – such as the ability to accept mobile wallet payments from vendors such as Apple Pay. Near Field Communication (NFC) is emerging as the clear standard for mobile payments – but this market is still evolving. Retailers should be patient and allow their processing partners to certify a device that meets their needs rather than jumping in prematurely. Many processors are offering the ability to ‘trade in’ recently purchased non-EMV devices for EMV-compatible devices purchased in the future. Ask your POS software vendor or payment processor for options.
Although retailers will probably need to adopt EMV in the near future, retailers do not need to bump their plans ahead of any pressing priorities in the next couple of months. This will allow processors, payment device manufacturers, POS software vendors and consumers to catch up. Currently all these parties are scrambling to launch solutions and certify partners, so it is advised to let all your partners get their offerings complete before jumping into the fray. However, by the end of second quarter of 2015, retailers should have a migration plan in place to enable a transition by the October 2015 deadline.
MicroBiz is a developer of cloud-based retail management software for multi-store, multi-channel retailers. MicroBiz allows small to mid-sized retailers to ring up sales and accept payments using tablets, Macs and PCs, view real-time inventory across multiple locations and manage back-end operations. The application seamlessly integrates with the free Magento ecommerce platform, enabling stores and ecommerce sites to be operated from a single application. MicroBiz software has been purchased by over 25,000 retailers worldwide. MicroBiz was founded in 1985 and is based in Menlo Park, CA.