What is EMV and do I need it for my business?
Fact and Fiction:
Is EMV a new law? NO
Does EMV have anything to do with PCI Compliance? NO
By now, you’ve certainly heard about the Europay/MasterCard/Visa (EMV) standard and a liability shift that’s slated for October 2015. However, there’s a lot of information out there—much of it is just plain confusing. Let’s take a look at some of the questions you may have about EMV, and separate the truth from the misconceptions.
Q: What is EMV?
A: EMV is a payment method in which an integrated circuit chip (ICC) is embedded into a plastic card. The ICC replaces the magnetic stripe on the card, holding the account number and other sensitive data. It also contains the logic needed for transaction processing and risk management. Point of sale equipment that accommodates EMV payments has been gradually deployed in other parts of the word over the past few years.
Q: Why is EMV coming to the U.S. now, and what is the liability shift?
A: The incidence of credit card fraud in the U.S. is increasing and is far higher than in other parts of the world where EMV has already taken hold. EMV supports enhanced identity verification methods—either chip-and-PIN or chip-and-signature. Additionally, the presence of the ICC within a credit or debit card makes it impossible to duplicate. This year, U.S. card issuers began to step up the distribution of cards with EMV chips in them.
As for the liability shift, as of this coming October, the liability for fraudulent transactions will be transferred from the card issuer to the merchant if the merchant isn’t utilizing EMV technology. The liability shift doesn’t apply to card-not-present (CNP) transactions, and EMV doesn’t prevent fraudulent use of credit cards for these transactions.
Q: Must I implement EMV-compliant equipment, and will I be forced to pay higher interchange rates if I don’t do so?
A: Contrary to what some people believe, there’s no mandate, and card networks will continue to charge the same interchange rates for EMV and non-EMV transactions. Merchants can deploy EMV-compliant equipment at their own pace, if they follow that route at all.
Q: Will EMV have any effect on credit card pre-authorization procedure?
A: Yes, the transaction flow of pre-authorization followed by a completion, for example restaurant addition of tip, will not work in its current form with EMV. The reason for this is that the amount of the authorization must be known at the time the EMV transaction is conducted, because the authorization amount is one of the data elements used to generate the transaction cryptogram. We are exploring ways to create a similar transaction experience, by completing a sale transaction followed by an adjustment, to add things like tips.
Q: I already have end-to-end (E2E) encryption, so is it okay to skip EMV?
A: Again, EMV is not a requirement. However, it can play a key role in card security. Combining EMV with E2E encryption lets merchants avoid the liability shift and reduce their scope of compliance with the Payment Card Industry Data Security Standard (PCI DSS).
Q: Doesn’t the liability shift mean cards with magnetic stripes will no longer be issued and my existing POS equipment won’t work once it takes effect?
A: While it’s unclear how long cards with magnetic stripes will continue to be issued, they aren’t going anywhere for the foreseeable future. Canadian banks are still issuing magnetic stripe cards—and Canada switched to EMV five years ago. What’s more, card brands and issuers will almost certainly give merchants sufficient notice if they decide to stop issuing cards with magnetic stripe capabilities. So yes, your existing POS equipment will still work following the liability shift.
Q: Shouldn’t I just get an EMV-ready terminal that is separate from my point of sale hardware?
A: No. This will invalidate the functionality of your point of sale system. And remember—there are two types of EMV equipment: “EMV-ready” and “EMV-certified.” “EMV-ready” equipment simply has a slot into which consumers insert their chip cards to make payments. “EMV-certified” indicates that the hardware, payment application and device software have been certified to work best with specific payment processors and point of sale solutions. Contact our support to determine which devices will work best with your system and satisfy your business needs.
Q: What types of business have the highest risk?
A: History has shown that thieves target large ticket items like electronics. These items are easily resold and usually harder to trace. Typically they are not going to sit in a restaurant risking that a card will be declined drawing attention. Also cards usually get flagged after a couple of transactions so they look to maximize the amount stolen on the first transaction.
The idea of grappling with EMV and the liability shift may be daunting, but it doesn’t have to be. Consider all sides of the issue before making any EMV-related decisions, and call on vendors and other experts to point you in the right direction.
Please feel free to click on the video below for more information provided by Newsy.
More and more people are receiving new credit cards with microchips in them. Here’s everything you need to know.
Thursday October, 1st, 2015 marks a milestone in the effort to shift the U.S. to the use of microchip-embedded credit cards, a more secure alternative to traditional cards that require the swipe of a magnetic stripe.
But not to worry if your new chip-enabled card has yet to arrive in the mail. The October deadline is more a call to action for retailers than a cutoff, electronic payment experts say.
“That’s the date by which if a merchant doesn’t have a chip terminal, and a counterfeit card is used at that location, they may be liable for that fraud on that transaction,” says Stephanie Ericksen, vice president risk products, for Visa. But “we know, based on experience in other countries, it takes several years to get to critical mass. So we’re seeing Oct. 1 as more of a kickoff toward increasing the momentum toward chip. People will still be able to use their (cards with) magnetic stripes.”
Chip, or “EMV,” cards are more secure than those with just a magnetic stripe because they produce a unique code for each transaction, making them harder to counterfeit and preventing the card from being used for future fraudulent purchases.
A huge job to switch
The electronic payment industry has long called for adoption of such technology, but a series of high-profile data breaches at companies such as Target have underscored the need for more consumer protections.
Still, getting tens of millions of new cards in the hands of consumers, and then making sure millions of merchants can process them is a mammoth undertaking. Ericksen says that for nations like Australia, Brazil and Canada, it took two to three years to get to the point that more than 60% to 70% of the transaction volume was being made with chip cards, and four to five years to bump that up to more than 90%. “The U.S. is a much larger market,” she says.
The Strawhecker Group (TSG), a management consulting company for the payments industry, found in a recent survey that just 27% of merchants in the U.S. will be able to process chip-enabled cards by Oct. 1, down from the 34% that was predicted in March.
“EMV adoption has been slower relative to other countries due to the number of moving parts involved in making this transition,” Mike Strawhecker, principal at TSG, said in an emailed statement. “For example, there are thousands of banks that need to issue new cards to millions of consumers, millions of merchants that need to get their technology upgraded and staffs trained, as well as thousands of technology providers making changes to their infrastructures and offerings.”
Retailers are not happy
But Mallory Duncan, general counsel and senior vice president of the National Retail Federation, says that many of the group’s members are “disappointed” that they are being required to spend what will amount to a cumulative $30 billion to $35 billion on the implementation of new chip readers, though banks and card companies generally have opted for the less-secure option of chip cards that require a signature, rather than a pin. In the U.S., many of the new chip-enabled credit cards require a signature only, and not a PIN.
“We’re a little bit between a rock and a hard place,” Duncan says of the Oct. 1 liability shift. “We’re taking a baby step in order for the banks to save money, so that’s the concern. … If you’re really serious about reducing fraud, we’ve known for years that pins greatly reduce fraud.”
Many retailers are instead implementing other systems that they feel will be more effective in blocking hacking. “They will install the chip-reading equipment,” Duncan says, “but it’s less of a priority.”
Still, Ericksen says there’s been a great deal of progress. “We’re very encouraged by what we’re seeing so far,” she says. “We’re exactly where we expected to be. … It’s a lot of infrastructure to upgrade.”
As of Sept 15, more than 314,000 merchant locations in the U.S. were enabled to process chip cards, vs. 55,000 as of last September, Ericksen said in a briefing on the eve of the liability shift. Visa has also dramatically increased the number of chip-enabled cards that it has in the market, going from roughly 20 million at the end of August 2014, to 151.8 million as of mid-September. That represents roughly 21% of all Visa credit and debit cards in the U.S.
Also, the Payments Security Task Force says that roughly 60% of all cards from top issuers will be converted to chip by the end of this year, going to 98% by the end of 2017. Meanwhile, 40% of terminals are expected to be chip enabled by the end of 2015, according to the task force.
Effect on consumers
As chip cards, and retailers that can accept them, become ubiquitous, consumers will need to get used to changes at the cash register.
“I think there will be a learning curve for consumers … because it’s a big change in using something that we’ve been using the same way for decades,” says Matt Schulz, senior industry analyst for CreditCards.com. “It’s not hard. It’s just different. … Instead of swiping the card, you insert the card into the terminal and the card stays in there while you complete the transaction, whether it’s signing or entering in a pin. And when the transaction is done, you take the card out of the terminal and go about your business.”
That change, Schulz says, is of concern to some retailers. “Confusion about the use of the new cards is going to make lines longer during the holiday shopping season because the customer might be confused about how it works,” he says of what some merchants fear. “The employee at the checkout counter might be confused. And you add it all up and you could end up with some frustrated customers.”
Big retailers lead the way
Big retailers have been on the leading edge of the transition. Walmart, for instance, was able to accept chip-enabled cards at all of its locations as of Nov. 1, 2014.
“We’ve been a leader in pushing for payments that offer more security … and EMV technology does that,” says Walmart spokesman Randy Hargrove.
But among smaller businesses, there’s more urgency for certain retailers, like jewelry shops, to have updated their technology in time for the October liability shift, than, say, a neighborhood deli that has low-value transactions and repeat customers.
“We want all merchants to move to EMV as quickly as possible because it adds to security … but most card fraud occurs at electronic stores, (and) high-end luxury retailers where criminals want to use counterfeit cards,” Ericksen says. “If you’re a local coffee shop or nail salon, that’s not typically the place we see a lot of counterfeit fraud.”
Major retailers like Target, Walgreens and Costco have begun accepting microchip-enabled cards, also known as EMV cards — short for Europay, MasterCard and Visa, the companies ushering in the change. But many independent merchants and smaller chains including have been slow to implement the change because of the cost and volume of machines that need updating.
“We began readying our stores to accept chip-enabled credit cards a couple of years ago when we replaced PIN pads with EMV-capable terminals at checkout lanes,” said Tara Deering-Hansen, Hy-Vee spokeswoman. The supermarket chain has more than 230 stores in eight states, including Iowa.
“Despite our significant effort and planning, the state of the industry is such that many software vendors are not ready for the transition,” she said. “Many retailers across the country are like us and they’re waiting for their vendor partners to provide the software needed to communicate with already installed EMV card readers.”
Hy-Vee had hoped to make the transition by Oct. 1, but the company now predicts the technology will be available in its stores shortly after the first of the year.
Banks also have been slow to replace customers’ magnetic stripe cards with the new microchip-enabled cards. A CreditCard.com survey completed in early September found that 60% of Americans had yet to receive the new chip cards.
The deadline doesn’t change much for credit-card users, who still are not liable for credit-card fraud.
And don’t worry if you don’t have one of the new cards. Even retailers with updated technology will continue to accept both versions of credit and debit cards for the foreseeable future.
“There’s no demand that a consumer or a merchant would need to have a chip card or the chip technology on Oct. 1,” said Patrick Dix, spokesman for payment-processor Shazam. “For the consumer card holder, there’s really no change.”
The cards are an important move toward better credit card security, said Doug Jacobson, director of Iowa State University’s Information Assurance Center. But the current change is only the beginning.
“The first step is kind of a baby step and doesn’t buy us a lot,” said Jacobson, who is also a professor in the university’s electrical and computer engineering department.
That’s because most chip credit card users still will sign for purchases. The ultimate goal is to move toward widespread use of chip-and-PIN credit and debit cards as is the case in much of Europe.
The chip cards have better built-in defenses against fraud that make them much more difficult to duplicate than the ubiquitous magnetic stripe cards, Jacobson said.
“Today, with about $50 worth of equipment, I could copy your magnetic stripe and start replicating cards,” he said.
With chip cards, account numbers and expiration dates aren’t actually transmitted between customer and merchant. The chips create a one-time code to fund transactions — information that would be useless to a thief trying to replicate cards.
Jacobson expects that American consumers and businesses will need years to fully migrate to the new cards.
“We’re a giant credit-card market, and there are a lot of cards that have to be replaced,” he said. “I don’t know how many credit cards the average American has, but it isn’t one.”
Many credit-card issuers are like Des Moines-based Bankers Trust, which started a slow roll-out of chip credit cards in August.
Existing credit customers will receive chip cards as their old magnetic stripe cards expire or upon request. Debit cards won’t be updated until next year, said Stephen Sladek, the bank’s commercial banking product manager.
Sladek says massive data breaches have made customers pay more attention to account security issues. And even after adoption of EMV technology, customers still will need to monitor their accounts closely.
Online purchases won’t rely on the technology, for instance.
The new cards cost at least twice as much as the magnetic stripe cards, said Doug Gulling, chief financial officer of West Des Moines, Iowa-based West Bank.
And less than 20% of small retailers have adopted the new technology, said Jim Henter, president of the Iowa Retail Federation.
“Many of the larger retailers are up and running, but some of the smaller ones have a lot of integration issues to deal with,” he said. “It’s a work in progress.”
Ellen Martinson, who owns jewelry boutique Leona Ruby in Des Moines’ East Village neighborhood, got her new payment terminal last week and started using it right away. She said the transition was painless because it is not integrated into a POS system. It’s a completely standalone unit that just plugs into a phone line.
“There was not a cost for us. Our payment process company called and said they needed to swap out our terminal or we could be liable for fraudulent charges,” she said. “It took about 30 minutes, and we were up and running.”
Casey’s, the Ankeny, Iowa-based convenience store chain with about 1,850 stores in 14 states, has equipped all of its stores with the equipment needed to handle the new technology.
“But it’s not up and running,” said Bill Walljasper, senior vice president and chief financial officer. Terminals inside the stores will become functional next year, and the ones at the fuel pumps will be activated in 2017, he said.
“The benefit is to customers who can be more confident in using their cards,” he said.
How the chip cards work
As U.S. merchants begin transitioning to chip-card readers, consumers will notice the payment process works a little differently. Not all devices will look the same, but the steps are nearly identical.
1. Insert your credit card into the front of the card reader with the chip facing up rather than swiping it.
2. Keep it in the card reader and follow the prompts on the screen until your transaction is complete.
3. Remove the card. If a signature is required, just sign the receipt and you are done.
The chip card still will have a magnetic stripe for use at traditional machines. The new cards allow the transfer of card information over a small chip, rather than the magnetic strip. The chips are considered safer because they don’t pass out account information. Instead, they transmit a one-time encrypted code to finance transactions.
THIS IS THE MOST UP-TO-DATE LIST OF SOFTWARE AND CERTIFICATIONS – WE WILL KEEP THIS FORM UPDATED AS NEW RELEASES ARE PROVIDED.
|PROCESSOR NAME||CERTIFICATION STATUS||CERTIFIED DEVICE||CONTACT INFORMATION|
|OpenEdge (Formerly PPI/PayPros)||IN FINAL TEST / RELEASE Q4||(510) 795 – 4945 / KENNY LEE|
|Heartland||NO RELEASE DATE HAS BEEN PROVIDED||(310) 561 – 3966 / ANTHONY CLAVERIE|
|First Data (RC and BuyPass Only)||NO RELEASE DATE HAS BEEN PROVIDED||(213) 700 – 8596 / ED HUR|
|Vantiv||EMV CERTIFICATION COMPLETED||VX-805||(970) 335 – 4390 / CHRISTIAN VAN LINDT|
|TSYS / Elevon||EMV CERTIFICATION COMPLETED||PAX300||(706) 649 – 2310 / CUSTOMER SERVICE|
|Sterling Payment Technologies||EMV CERTIFICATION COMPLETED||PAX300||(970) 759 – 3189 / ELMO HUGHES|
|Cayan (Formerly Merchant Warehouse)||IN FINAL TEST / RELEASE Q4||(617) 896 – 5516 / MELANIE GUARD|
|Global East||NO RELEASE DATE HAS BEEN PROVIDED||(800) 367 – 2638 / CUSTOMER SUPPORT|
|Chase Paymentech Direct||NO RELEASE DATE HAS BEEN PROVIDED||(800) 934 – 7717 / TECH SUPPORT|
|WorldPay||NO RELEASE DATE HAS BEEN PROVIDED||(949) 701 – 6424 / KYLE HANNIS|