As of October 15th, of 2015, if a merchant is not processing on an EMV capable machine they will be responsible for 100% of any fraudulent transactions they accept and would have absolutely no recourse. If they take a fraudulent transaction they are going to have to pay for it and there is no other liability avenue to pursue. This is for any transaction whether it was made on an EMV card or a regular magstripe. In time, consumers may not feel comfortable paying at a business that only accepts magstripe transactions. Foreign consumers are already accustomed to paying with EMV and some foreign cards do not even have a magstripe anymore, so a business owner could lose those transactions all together.
What is EMV?
EMV, (or “EuroPay, Mastercard, Visa”), is the global card technology of choice and it is finally coming to the US. This technology will replace the magstripes we have become so familiar with and will ultimately alter the payment procedure for millions of consumers and cause thousands of business owners to upgrade equipment at the point of sale.
EMV is not a new technology; In fact there are an estimated 2.36 billion EMV cards worldwide and 37 million EMV terminals. The US is just the last major country to adopt this standard.
EMV was developed in the UK to combat the duplication of counterfeit cards and has been extremely successful in rendering stolen card data useless to thieves. The latest figures from the European Central Bank indicated in an August report that as much as 78% of all counterfeit card fraud is carried out in countries that have yet to transition to EMV. Hence the reason that the US is now the global leader in card fraud with 47% of local fraudulent transactions although it does only 23% of the transactions globally. Coupled with tokenization and encryption, EMV is the ultimate in security within the payments industry and will help to reduce fraud within the US.
EMV cards utilize chip based technology vs. the traditional magstripe on the back of payment cards. These chips are much more advanced than the magstipe technology that is currently in use today. The customer profile is built into the chip, giving the card issuing bank much more control of the card capabilities. You can deactivate a card remotely, and can even set up an offline balance where the consumer can make purchases up to a certain amount without the terminal communicating to the processor to verify. Finally as a feature, you can require no customer verification under a certain amount – ex. no sig or pin on a transaction under $200.
There are different Customer Verification Methods (CVM) that can be used for an EMV transaction on both credit and debit cards.
- Chip and Pin
- The cardholder will have a unique 4 digit PIN that they will enter to complete the transaction (ergo: “PIN Debit”)
- Chip and Signature
- The consumer would still insert the card but would only be required to sign
- EMV transactions can also be performed with a contactless device that would transmit the payment information via NFC like a smartphone, contactless card or fob (such as ApplePay)
PCI vs EMV
EMV and PCI are not mutually exclusive. While the liability shift has direct impact on all business throughout the US as does PCI compliance, EMV and PCI compliance do not hinge upon one another.
PCI compliance is a standard set forth by the PCI Security Standards Council™, and the specific requirements vary according to the type of business and individual operating practice. The PCI Data Security Standard (PCI DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of data security measures. The PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data. At the highest level PCI DSS encompasses the following core activities:
- Build and maintain a secure network and systems
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
Currently, the EMV requirement does not impact the need for PCI compliance, or vice versa.
EMV is coming, and as a retailer it’s imperative to explore your options and to be aware of the potential ramifications for lack of compliance. As details are still forthcoming on the EMV rollout, please contact us should you have any questions about EMV or your POS system.