IF YOUR BUSINESS ACCEPTS CREDIT CARDS, IT IS FACING A HUGE CHANGE IN LESS THAN A MONTH’S TIME.
The EMV liability shift is coming. Many merchants, especially small ones, are unprepared, and it could cost them enormously. If the EMV liability shift is news to you as a merchant, you need to understand the essentials quickly. This article explains what you need to know.
What is EMV?
Also known as “chip and PIN” cards, EMV cards allow customers to make payments by inserting a card into a reader. The reader reads the chip; on many cards, the customer must also enter a PIN. In the US, EMV cards will be chip-and-sign to begin with, with PINs added over time as the technology to support them is introduced.
EMV cards also have magnetic strips, so they can be used with the old swipe-and-sign method where necessary.
EMV stands for Europay, Mastercard, and Visa—the three companies at the forefront of the technology.
What is the EMV liability shift?
The rules about fraudulent credit card transactions are about to change.
Currently, when a card is physically presented to a merchant for a fraudulent transaction, the financial institution issuing the card gives a refund to the victim. (Card-not-present situations, such as online shopping, are at the merchant’s risk.)
To speed up the implementation of EMV technology, the credit card companies are changing the rules.
Starting October 2015, if a card with EMV technology—i.e. a chip—is used for fraud, and the card is accepted without an EMV reader—i.e. the magnetic strip is swiped—the merchant, not the bank, must pay for the fraud.
However, if an EMV card is used with an EMV reader and the purchaser inputs a PIN, then the bank will continue to be liable if the transaction is a fraud.
Why are the rules changing?
Many merchants don’t have terminals that accept chip-and-PIN cards. Without adoption by merchants, banks have little incentive to issue such cards, and then merchants have little incentive to buy new terminals—the kind of chicken-and-egg problem that plagues the American payments industry.
So credit card companies are trying to break the cycle. They’re telling merchants that if they don’t change, it will hurt them financially.
The wider problem is credit card fraud. Card fraud has become a staggering problem: there was $7.1 billion worth of credit card fraud in the U.S. in 2013—more than the rest of the world put together. Fraudsters likely target the U.S. because magnetic strip cards make fraud much easier.
Why are EMV cards safer?
There are three main ways EMV cards offer better security.
EMV cards are hard to skim. Magnetic strips are easy to read, and give away credit card information in accessible form. EMV cards have a series of layers of authentication, including dynamically generated one-time cryptograms. In other words, you can’t just steal the authentication information and use it to create a new card.
As a result, EMV cards are far harder to counterfeit. It is relatively easy to code the credit card information onto a magnetic strip and create a cloned card. Chips make that harder.
If the card is PIN-enabled, physically stealing it doesn’t get you the PIN, whereas signatures can be forged. Migration to a PIN system will make cards more secure.
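To make the one-time cryptogram point concrete, here is an added example (not from the original article and not real EMV code) that contrasts static stripe data with a per-transaction cryptogram. It assumes a simplified model: HMAC-SHA256 stands in for the card's actual cryptogram algorithm, and the class names, key and card data are constructed for illustration.

```python
import hashlib
import hmac

# Constructed demo values; not real card data or real EMV key material.
PAN = "4111111111111111"
CARD_KEY = b"constructed-demo-key"
STATIC_TRACK = PAN + "=1812101"  # stripe-style data: identical on every swipe


def _mac(key, pan, amount, nonce, atc):
    # HMAC-SHA256 is a stand-in for the card's real cryptogram algorithm.
    msg = f"{pan}|{amount}|{nonce}|{atc}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


class ChipCard:
    """Toy chip: the key never leaves the object; only cryptograms do."""

    def __init__(self, pan, key):
        self.pan, self._key, self.atc = pan, key, 0

    def sign(self, amount, nonce):
        self.atc += 1  # transaction counter makes every cryptogram unique
        return {"pan": self.pan, "amount": amount, "nonce": nonce,
                "atc": self.atc,
                "cryptogram": _mac(self._key, self.pan, amount, nonce, self.atc)}


class Issuer:
    """Toy issuer: knows the card key and the last counter value it accepted."""

    def __init__(self):
        self._key, self._last_atc = CARD_KEY, 0

    def authorize_swipe(self, track):
        # Static data: a copied stripe is indistinguishable from the original.
        return "approved" if track == STATIC_TRACK else "declined"

    def authorize_chip(self, t):
        expected = _mac(self._key, t["pan"], t["amount"], t["nonce"], t["atc"])
        if not hmac.compare_digest(expected, t["cryptogram"]):
            return "declined: bad cryptogram"
        if t["atc"] <= self._last_atc:
            return "declined: counter already used"
        self._last_atc = t["atc"]
        return "approved"
```

A captured chip transaction is accepted once and then refused, while the same stripe data is accepted every time it is presented.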
Would EMV have prevented data thefts like the Target hack?
While EMV cards would have helped in some ways, the unfortunate answer is probably not.
PINs on EMV cards are encrypted end-to-end—that is, they’re encrypted by the PIN pad itself, and are never seen or stored unencrypted by a merchant like Target. The Target hackers stole PINs in encrypted form, and there isn’t any evidence yet that the encryption has been broken.
However, as security expert Lucas Zaichkowsky told Digital Journal:
Although the chip [on an EMV card] cannot be cloned, the card number and expiration date are still passed to the POS terminal in plain text during a chip read and is subject to theft the same way a magstripe read would be. Although less valuable than a magstripe … there are plenty of venues where fraud can be committed using just the card number and expiration date.
So hackers can still see unencrypted credit card numbers by hacking into point-of-sale terminals, and EMV card numbers could be stolen in the same way as anyone else’s, unless merchants invest in end-to-end encryption for all credit card data. So while EMV is better security, it’s not a foolproof solution to all problems.
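Because card numbers still reach the point-of-sale system in plain text, a merchant can check whether its own logs are retaining them. The following is an added example, not part of the original article: a small scanner that flags Luhn-valid card numbers in log lines and reports them masked. The log format and sample lines are constructed, and the card numbers are well-known test numbers.

```python
import re

# Candidate card numbers: 13-19 digits, optionally grouped by spaces or dashes.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_cleartext_pans(lines):
    """Return (line_number, masked_number) for every Luhn-valid number found."""
    hits = []
    for n, line in enumerate(lines, 1):
        for m in CANDIDATE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if luhn_ok(digits):
                # Report only the first six and last four digits.
                masked = digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
                hits.append((n, masked))
    return hits


# Constructed POS log lines (hypothetical format) with test card numbers.
SAMPLE_LOG = [
    "2015-09-10 12:01:07 POS01 chip read pan=4111111111111111 exp=1812 amt=25.00",
    "2015-09-10 12:01:09 POS01 auth ok ref=1234567890123456 amt=25.00",
    "2015-09-10 12:03:44 POS02 chip read pan=411111******1111 exp=1812 amt=9.50",
    "2015-09-10 12:05:12 POS02 swipe track2=5500 0000 0000 0004=1812101",
]

if __name__ == "__main__":
    for line_no, masked in find_cleartext_pans(SAMPLE_LOG):
        print(f"line {line_no}: cleartext card number {masked}")
```

Lines 1 and 4 of the sample are flagged; the 16-digit reference number on line 2 fails the Luhn check, and the already-masked number on line 3 is not matched.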
What do merchants need to do?
First, merchants need point-of-sale terminals that accept EMV credit cards. The need is now absolutely critical ahead of the liability shift in October. This is potentially a big undertaking involving changes to hardware, software, and procedures, and it requires careful preparation and testing. Visa has issued an extremely detailed merchant guide that may be useful.
Staff must be trained and reminded to check whether cards have PINs and to use the EMV reader, rather than simply swiping every card. This may be complicated by the fact that consumer habits die hard—some consumers may prefer to swipe, or may simply forget not to. It may be necessary to post signs to remind both customers and staff.
Finally, while EMV cards will improve card security, vigilance is always required. Point-of-sale systems should be periodically inspected for tampering as part of normal security procedures.