In the wake of large retail point-of-sale data breaches like the ones at Target and Home Depot last year, there has been a huge push for the US market to adopt the EMV chip standard for credit cards that is the standard in most other countries, and has been since the late 1990s.
You have probably heard about EMV “chipped” credit and debit cards, or “Chip-and-PIN” cards by now; and you may even have one or several of them yourself. So, it is important that you understand the new standard, and ensure that your small business is ready for it.
Here’s what you need to know:
About EMV “Chipped” Cards
What does a “Chipped” card do?
A “chipped” card contains an EMV computer microchip that stores all the track data that is currently stored on a credit card’s magnetic stripe. The chip’s microprocessor dynamically creates a unique, one-time-use code for each POS transaction. As a result, the encoded account information sent to the merchant, such as the account number, is different with each transaction. This infographic from Visa provides an easy-to-understand overview of EMV Chip technology.
Why does a “Chipped” card provide better security?
The main advantage of EMV chipped cards over cards that use a magnetic stripe to store card information is that chipped cards do not contain static data that can be used to create counterfeit cards and fraudulent transactions. Thus even if a card skimming device were used, or an authorization request were intercepted at a retail POS terminal (as happened with the Target and Home Depot breaches), it would be useless to thieves as it could not be used to counterfeit a card, retrieve a customer’s credit card number, or process another transaction. As this excellent post on EMV puts it, intercepting an EMV transmission is like “stealing an expired password.”
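An added illustration (not from the original post or from any card brand): a simplified Python model of the one-time code idea described above, showing why a captured chip authorization cannot be reused while captured magnetic stripe data can. HMAC-SHA256 stands in for the chip's real cryptogram algorithm, and the key, field names and sample values are constructed for the example.

```python
import hashlib
import hmac

CARD_KEY = b"constructed-demo-key"        # constructed; known only to chip and issuer
STATIC_TRACK = "constructed-track-data"   # constructed; never changes on a stripe

def _code(key, counter, amount, nonce):
    # One-time code bound to this transaction's counter, amount and terminal nonce.
    msg = f"{counter}|{amount}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

class Chip:
    """Card side: keeps the secret key and a counter that only goes up."""
    def __init__(self, key):
        self._key, self.counter = key, 0

    def authorize(self, amount, nonce):
        self.counter += 1
        return {"counter": self.counter, "amount": amount, "nonce": nonce,
                "code": _code(self._key, self.counter, amount, nonce)}

class Issuer:
    """Issuer side: recomputes the code and refuses any counter already seen."""
    def __init__(self, key):
        self._key, self.last_counter = key, 0

    def verify(self, req):
        expected = _code(self._key, req["counter"], req["amount"], req["nonce"])
        if not hmac.compare_digest(expected, req["code"]):
            return "declined: bad code"
        if req["counter"] <= self.last_counter:
            return "declined: code already used"
        self.last_counter = req["counter"]
        return "approved"

def magstripe_verify(track):
    # A stripe sends the same static data every time, so a copy always matches.
    return "approved" if track == STATIC_TRACK else "declined"

def demo():
    chip, issuer = Chip(CARD_KEY), Issuer(CARD_KEY)
    first = chip.authorize(2500, "n-001")
    return {
        "first use": issuer.verify(first),
        "captured request replayed": issuer.verify(dict(first)),
        "captured code, new amount": issuer.verify({**first, "amount": 99900}),
        "next genuine purchase": issuer.verify(chip.authorize(1200, "n-002")),
        "copied stripe data reused": magstripe_verify(STATIC_TRACK),
    }
```

The replayed request and the altered request are both declined, while the copied stripe data is still accepted, which is the “expired password” point made above.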
What does “EMV” stand for?
“EMV” stands for “Europay, MasterCard, Visa,” the three developers of the standard for the chip technology being implemented on credit cards.
How are EMV Chip Transactions Authorized?
There are three card-present transaction authorization methods available to use with EMV chipped cards:
- Chip-and-Signature: An EMV chipped POS System is used to authorize the transaction and the customer signs for the transaction on the POS terminal, as is currently done with most magnetic stripe credit card transactions today.
- Chip-and-PIN: The cardholder creates a PIN when the card is activated. Instead of a signature, the cardholder enters this PIN on the POS terminal to authorize the transaction. This adds a level of security, as even if the physical card were stolen it could not be used without the associated PIN. (This is the authorization method most commonly utilized outside the United States.)
- Self-Serve/Easy Pay: EMV chipped cards can be used without a PIN or Signature where signatures are not currently required—such as small ticket Visa “Easy Pay” transactions and transactions at gas pumps.
How are EMV Chips Read at POS Terminals?
There are three types of EMV Chips that can be embedded in credit and debit cards, each of which utilizes a different data transfer method.
- Contact Cards: Currently the most common type of EMV card is a “contact card” which requires being in contact with an EMV POS card reader for the entire duration of the transaction. In this type of transaction, the card is inserted into the reader, the customer authorizes the transaction via the reader interface, and then removes the card once the transaction has been completed.
- Contactless EMV: A contactless EMV chip is one that utilizes the NFC “tap to pay” technology that currently powers mobile wallet applications such as ApplePay. As this method has yet to gain widespread acceptance, is more costly for card issuers and merchants, has not seen significant customer demand, and carries some additional security risks, it is not currently the EMV adoption method of choice.
- Dual Chip: An EMV chip that supports both Contact and Contactless communication is embedded in the credit or debit card.
Will Magnetic Stripe Cards Continue to Work?
YES. For the foreseeable future all EMV cards will also have a magnetic stripe that enables them to be used at POS terminals that do not yet support chipped transactions, and most EMV POS terminals will also be able to read the magnetic stripe on the back of a non-chipped card.
What is the Most Common EMV POS Implementation?
To minimize the transition for merchants and customers, it is expected that most retail EMV implementations will use contact chip and signature set-ups that will also continue to be able to process legacy magnetic stripe transactions. This video from Visa shows the process from start to finish:
What Do Card Issuers Need to Do to Migrate to EMV?
Card issuers need to start issuing chipped cards to new accounts, and to replace existing magnetic stripe cards with chipped cards. Many card issuers started shipping chip-and-signature cards in 2014, and the roll-out is expected to continue throughout this year and next. Industry associations estimate that 578.5 million chip cards will be issued in the US in 2015, though that only accounts for 40% of the total cards expected to be issued. Most of these will be Chip-and-Signature cards. Chip and PIN cards will be less prevalent, though they are most likely to be found as debit cards (where consumers are already used to entering PINs). However, some card issuers are supporting Chip and PIN for credit cards.
How Will EMV Impact Card Not Present Transactions?
The EMV standard is designed to secure retail transactions, and it does nothing at all to provide additional security for card not present transactions such as those entered online, over the phone, or via recurring billing systems.
Preparing Your Small Business for EMV “Chipped” Cards
What you need to do to get your small business ready for EMV largely depends on how you typically interact with your customers.
As noted above, EMV is a standard for card-present transactions. So, if your small business has a MOTO (Mail Order/Telephone Order) or E-Commerce merchant account you will not have to change anything at all in order to continue processing your card-not-present transactions.
So, if you get all your payment authorizations online, over the phone, or in the mail then EMV will not be a factor for you at all. Even if you have a virtual terminal or a mobile phone application that you use to hand-enter your customers’ credit card numbers (regardless of whether they hand you the card or you get the credit card information from them over the phone), you don’t have to change anything at all—as long as you don’t submit swiped track data along with your authorization request.
The biggest concern you should have about EMV as a MOTO/E-Commerce small business is the likelihood of increased fraud involving card-not-present transactions. Many experts predict that we will see an increase in this type of fraud after EMV is widely adopted, because it will be far easier to execute than retail fraud.
So, to protect yourself make sure your business is following best practices for card-not-present fraud prevention such as using AVS match (address verification), verifying the CVV2 security code for all transactions, and staying alert for suspicious transactions such as those with billing addresses in the US and shipping addresses in another country. The Visa Card Not Present information page provides a wealth of information about available fraud prevention tools, as well as tips for identifying fraudulent transactions. Be sure to check out the If the Card is NOT There—You Need to be MORE Aware and Take the Order— but Don’t Get Taken In tip sheets.
Merchants who accept card-present transactions and have a retail/POS merchant account will need to upgrade their systems to support EMV. This includes implementing Point-of-Sale systems (including mobile devices that can be used to enter swiped card transactions) that are capable of reading the EMV chip transmission and processing the transaction using either Chip-and-Signature or Chip-and-PIN authorization. This not only means replacing card readers and other hardware used to enter the transaction, but also the POS software they use. Additionally, they will need to train staff to use the new POS devices and systems, and to instruct customers in how to use them.
That may sound like a significant investment of time and money that you would rather not undertake, especially if your small business has a very low transaction volume. And in the short term, because chipped cards will continue to have a magnetic stripe for at least a few years, you may not need to upgrade for EMV—especially if you know your customers well and have not experienced any fraud in your retail business. (If that’s the case, count yourself very lucky!)
However, to make an informed decision about the EMV transition, you need to understand the EMV Liability shift that takes effect on October 1, 2015.
What is the EMV Liability Shift?
The card brands know that Merchants and card issuers may be hesitant to quickly transition to EMV because it will cost them a significant amount of money. This post discussing the EMV transition puts the cost of producing an EMV chipped card at 3 to 8 times that of a magnetic stripe card.
So while added security may be the EMV carrot, an October 1, 2015 change in the card brands’ liability rules is designed to act as the stick. (The change is applicable to all POS implementations, except self-serve fuel pumps and ATMs, which have until October 2017 to be EMV compliant.)
Currently, as long as a retail transaction is properly submitted and authorized the merchant is not held responsible if it turns out to be fraudulent (as a result of a stolen or counterfeit card being presented), and the card issuer must absorb the loss. With the rule change the liability shifts to the party that has not implemented EMV. This means:
- If a customer presents a chipped card but the merchant processes it using the magnetic stripe, the merchant is liable in the case of fraud, even if the transaction is properly authorized.
- If a merchant has implemented an EMV POS terminal, but the customer presents a card that does not have an EMV chip, the card issuer is liable in the case of fraud.
- If both the card and the terminal are only magnetic stripe compatible, the merchant is not liable in the case of fraud as long as the transaction was properly authorized, just like it is today.
- If both the card and the POS terminal are EMV enabled, the merchant is not liable in the case of fraud, as long as the transaction was properly authorized.
This infographic from Visa clearly outlines how the liability shift works.
Good News for Your Small Business Credit Card Accounts
Regardless of the type of transactions your small business processes, EMV will be a good thing for you as a small business credit card holder. Make sure that you get new EMV chipped credit cards (whether chip-and-pin or chip-and-signature) from your issuing bank. The added security will protect you every time you use the chipped card at an EMV-enabled POS terminal.