June 2, 2015
In recent months, you may have noticed that new credit cards you receive now have a chip on them in addition to the ubiquitous magnetic stripe.
When using your card, you may also have noticed a change in the card reader. Many of them now have a slot in which the card is inserted, rather than swiped.
Welcome to the brave new world of EMV. EMV stands for Europay, MasterCard and Visa – the companies that initially worked together on card technology. American Express, Discover, JCB and UnionPay have since joined the EMV forces.
The recent changes you’ve noticed in the credit card world are the result of what is referred to as the EMV Mandate. This is not a mandate from the government, but an industry regulation by the major credit card companies. By October 2015, most merchants in the United States must shift to EMV acceptance. (Gas stations have until October 2017 to update to EMV acceptance for pay-at-the-pump service).
EMV provides a higher degree of security. The traditional magnetic stripe card, or swipe and sign, relies on visual inspection of a signature that is seldom inspected. Magnetic stripe cards are vulnerable to fraud since the data on the card is unencrypted.
A chip is embedded in EMV cards that communicates with the point-of-sale terminal and authenticates the transaction. The chip encrypts data differently every time the card is used which makes it difficult to use the data for fraudulent purposes.
EMV cards are PIN-capable, adding another layer of security. Rather than swipe and sign, the future appears to be chip and PIN.
There is some resistance to requiring a PIN. When card users cannot recall the right PIN, there may be some embarrassment on their part, and it simply takes additional time as the merchant must wait for customers to enter the correct information. Additionally, some environments, such as fine restaurants, are not receptive to the use of a PIN.
With the move to EMV, the industry is shifting the risk of fraudulent transactions to the merchant from the card processor. A party using a less secure technology will be liable for fraud and data breaches.
Merchants not using EMV technology will be held responsible for that liability. The negative impact on a retailer who is the victim of fraud or a data breach cannot be minimized. On the other hand, merchants may receive some PCI compliance fee relief from the credit card companies.
To alleviate disruptions during the changeover, cards are being issued with both the chip and the traditional magnetic stripe. Merchants are generally regarded as EMV-compliant if at least 75 percent of all transactions are processed on hardware capable of EMV, even if the card is swiped.
In the near future, expect to see cards and equipment without stripe capability. The delay in applying EMV to pay-at-the-pump terminals is indicative of the issues faced in replacing the card technology in the pumps. But with time, this should be alleviated.
The cost of EMV terminals run from approximately $150 to $500 each. Because one is required for each checkout, the investment can be expensive for merchants.
But some companies are able to rent the terminals from their credit card processor, though it’s not known if those rents will increase when businesses upgrade, or if merchants will be required to buy them in the future. Of course, the big “cost” is the liability shift to merchants if they don’t use the EMV.
The introduction of the cards will reduce card-present fraud activity. In every country that has implemented EMV, this type of fraud has decreased. The United States is one of the last major market countries to implement widespread usage of EMV – which is believed to be the reason that more than half of the world’s credit card fraud happens in the United States.
By using EMV cards, stolen credit card numbers cannot be used by thieves to make new counterfeit cards because the card data cannot be skimmed at the time of card use.
Unfortunately, when fraud prevention measures are taken in one area, the fraud moves to another, more vulnerable target. Card-not-present (CNP) transactions – online, mail order and telephone purchases – appear to be the new weak link.
These transactions will need additional security as EMV comes into more frequent use. Some credit card companies offer address verification services, card verification value and 3-D secure fraud tools that can be used by merchants to combat fraud. Some companies send an email to the cardholder when a card-not-present transaction occurs, alerting the cardholder to notify the company if it is not a valid transaction.
Tokenization is a promising step toward more security in CNP transactions as it picks up where EMV leaves off. EMV does nothing to encrypt the data once the card is in the merchant system. Tokenization replaces the card data with a “secure token.” The actual account number on the card is removed from the merchant database and replaced with a string of numbers and letters that serve as a proxy for the actual card data. The merchant can use the token for recurring payment processing or other legitimate purposes.
Given the rampant amount of credit card fraud and the high incidence of data breaches in recent months, the move to EMV is a step in the right direction. It will create difficulties during the changeover, but it brings the United States in line with global credit card processing and will reduce the incidence of credit card fraud.
This article was originally posted on June 2, 2015 and the information may no longer be current. For questions, please contact GRF CPAs & Advisors at marketing@grfcpa.com.