October 1, 2015, will probably be just another normal shopping day for most American consumers. But to any business relying on the collection of payment via point-of-sale (POS) credit card terminals, this will mark a very important day—when EMV hits America.
EMV—the acronym for Europay, MasterCard and Visa—is a global standard for credit and debit cards equipped with computer chips and the technology used to authenticate chip-card transactions. In the wake of numerous large-scale data breaches and increasing rates of counterfeit card fraud, American card issuers are compelling merchants to migrate to this new technology to reduce the costs of fraud and protect consumers.
But, that’s not all. The real punch this change will pack is what it means to merchants accepting credit and debit cards. Banks are shifting the liability for in-person card transactions to merchants on that date.
Yes, you read that right. If you, as a merchant who accepts credit and debit cards, do not have a chip and pin-capable POS system, the liability of any fraudulent card transactions will fall firmly on your shoulders and hit your pocketbook. That is the leverage banks will use to get businesses to make the necessary investment to purchase EMV-equipped terminals and POS systems.
There is a great deal of information, and misinformation, in regard to the US EMV integration, so shedding some light on the realities may prove helpful for everyone concerned.
Why the change?
There are an estimated 1.24 billion payment cards and 15.4 million POS terminals currently in the world, most of them in other countries. The new “chip and pin” method of paying for something is already the standard, with a current adoption rate of more than 75 percent in Europe, Latin America, Africa and the Middle East, and Canada. Asia and the Pacific regions are a little over halfway in their deployment efforts.
Visa, the prime force behind the push for American merchants to embrace chip-card technology, states that the pace of EMV-adoption is accelerating globally. It is estimated that 62 percent of transactions conducted outside of the US involve a chip-enabled card used at a chip-enabled terminal.
The United States is the last major market to still use the old-fashioned swipe-and-sign system, a big reason why almost half the world’s credit card fraud—estimated to be $10 billion in 2015—happens in America, despite accounting for only about a quarter of all credit card transactions.
The problem is magnetic swipe cards, which the majority of Americans carry in their wallets, have become easy targets for forgery criminals and “skimmers” (digital pickpockets who skim the data from a mag-stripe via a simple smartphone app when in close proximity to a card holder’s purse or wallet). The result is a great deal of fraud.
How chip-card technology works
What makes global financial transactions work across many cards and devices are ‘smart’ chips embedded within new EMV-compliant credit and debit cards. These chips make interfacing with the various POS terminals possible.
Commonly known as “chip and pin” cards, the chip refers to the integrated circuit built into the card, and the pin is inputted to validate the transaction. All merchants in the US will have to become very familiar with the prominence of the chip and pin or face consequences.
Unlike magnetic-stripe cards, every time an EMV card is used for payment, the card chip creates a unique transaction code that cannot be used again. If a hacker were to steal the chip information from one particular POS transaction, typical card duplication wouldn’t work because the stolen transaction data can only be used once and the card would just get denied. EMV technology will not prevent data breaches from occurring, but it will make it much harder for criminals to successfully profit from what they steal. Likewise, the key reason for the liability shift is not actually to shift liability around the market—it’s to drive fraud out of the market.
At first, some banks are not assigning unique PINs to card holders when a new chip-card is issued. If a terminal doesn't have the ability to accept a PIN, it will then step down to accepting a signature. The liability for card-present fraud will shift to whichever party is the least EMV-compliant in a fraudulent transaction. For example, a bank that issues a chip card that is used at a merchant that has not yet changed its system to accept chip technology. This potentially allows a counterfeit card to be successfully used and the liability then shifts to the merchant.
Here’s what should happen at the checkout register in a store: Instead of ‘swiping’ a credit card, the buyer will do what is called 'card dipping' instead, which means inserting the card into a terminal slot and waiting for it to process. (This is why some have coined the phrase “chip and dip” to describe the procedure.) When an EMV card is dipped, data flows between the card chip and the issuing financial institution to verify the card's legitimacy and thus creates unique transaction data that is placed on the card’s chip.
Now, this new process isn't as fast as the magnetic-stripe swipe method, so if a person just sticks the card in and pulls it out quickly, the transaction will likely be denied. In the beginning, it will take a bit longer for the transmission of data to occur. Therefore, training your person at the register to ask the buyer for a little bit of patience may be a good idea.
EMV cards can also support contactless card reading, or near field communication (NFC)—ApplePay and MasterCard’s Paypass are examples of this type of transaction. Contactless transactions are more consumer-friendly because all they have to do is tap the card and the whole process is much quicker.
Around the world, there is a move to make EMV cards dual-interface, which means contact and contactless. However, in the US, most financial institutions are issuing only contact cards at this point. Dual-interface cards and the equipment needed to scan them are more expensive so right now, the first step is to successfully integrate EMV cards into the American shopping scene. Dual interface will become more commonplace down the road.
So, what’s the plan?
For merchants and financial institutions, the switch to EMV means the addition of new in-store technology and internal processing systems, and compliance with new liability rules. For consumers, it means activating new cards and learning new payment processes. Most of all, it means greater protection against fraud.
Chip-enabled cards—while initially more expensive to produce—have a longer lifespan than magnetic stripe cards, as well as being capable of ‘flash-updating,’ which lowers costs to the banks over time.
According to Smart Card Alliance, an estimated 600 million Americans will receive an EMV chip card by the end of 2015. However, American banks will still issue cards that have both the magnetic swipe and the embedded chip and pin technology. They don’t want a situation where a transaction cannot be processed if a merchant does not have the EMV equipment. Several credit card transaction processors, such as Visa, Square and IGroovv offer merchants who make the switch an incentive package on equipment, and some cost relief on the merchant’s end.
If the rapidly approaching October 1 deadline is stressing you out, there’s little reason to fret. The major US credit card issuers have estimated that only 59 percent of retail locations will be EMV-compliant by the end of 2015. So, you have some time but do your research sooner rather than later.
The transition to EMV could prove easier for small businesses—simply buying a new terminal or adding a new external pin pad may do the trick. In contrast, the larger quick-serve chain stores will likely have to invest heavily as they look to upgrade thousands of terminals and systems. By the way, gas stations with automated fuel dispensers have until October 2017 to make the switch and procure EMV-compliant card readers at the pump.
Although the liability shift will require a new investment in hardware, it may be a good opportunity to think broadly about your point-of-sale in general and use this as an opportunity to enhance your POS system beyond just becoming EMV-compliant. Upgrading outdated retail technology is sure to improve how you engage with customers, track your inventory, improve reporting, deliver omni-channel (in-shop, mobile and online) integration and address payment card industry data security system (PCI DSS) compliance.
Just how disruptive the change will be depends on how motivated merchants are to upgrade their existing POS systems and how willing they are to help consumers through the transition. Good luck!