Crash Course: What are EMV and the EMV Liability Shift?

Transcription

1 Are You EMV Ready?

2 Are You EMV Ready? In the months leading up to October, 2015, the EMV liability shift and the details surrounding it have been the talk of the retail and hospitality industries. A significant portion of this buzz has centered on whether merchants are or would be EMV ready as of October 1, when the liability shift took hold. In this ebook, we ll take a look at what EMV really is and what you need to do to be truly EMV ready. Crash Course: What are EMV and the EMV Liability Shift? In case you missed it, or you still don t quite understand what the EMV liability shift is and what it means for merchants, here s a crash course just for you. EMV Defined: EMV stands for Europay/MasterCard/Visa. Developed by these three card brands, it s an open-standard set of specifications for chip card payments and payment acceptance solutions. Among other things, the standard calls for using payment processing technology that can accommodate chip cards (also known as chip-enabled cards or smart cards ) into which an integrated circuit chip (ICC) is embedded. While banks will, for several years, continue to issue cards with a magnetic stripe on the back, the ICC serves as a magnetic stripe replacement. It contains the account number and other sensitive data, as well as the logic needed for transaction processing and risk management. EMV Liability Shift Defined: Before October 1, 2015, issuers assumed financial liability for fraudulent card-present transactions completed with counterfeit, lost, or stolen cards. However, as of that date, such liability shifted to merchants shoulders, who now take the financial hit if a customer presents a chip card at the point of sale, but their equipment is not EMV-compliant (i.e., doesn t accommodate chip cards) and a loss occurs as a result of being forced to rely on the magnetic stripe or manual account number entry to authorize the transaction. The liability shift doesn t apply to card-not-present (CNP) transactions, and EMV doesn t prevent fraudulent use of credit cards for these transactions. 2

3 What EMV Means for Merchants: Contrary to what some people maybe even you may believe, there s no mandate to replace or upgrade your point of sale equipment because of the EMV liability shift. However, opting out of this change puts merchants at risk of suffering financial losses from the chargebacks that result from having processed what has turned out to be a fraudulent transaction or transactions. Depending on the extent of loss, these chargebacks and penalties may be so high as to severely impact a business or force it to close. Retailers whose stores sell high-end items might be more likely to be targets of card-present fraud based on the high resale value of their inventory, but the scope of any particular incidence of fraud could lead to significant financial hardship for restaurateurs and smaller merchants as well. Ignoring the EMV liability shift also means facing penalties charged by card issuers for allowing fraudulent card usage in their establishments through the use of non-emv-compliant equipment. Conversely, EMV compliance brings some exemptions from account data compromise penalties. MasterCard, for instance, has made its merchants exempt from 100% of account data compromise penalties providing that at least 95 % of MasterCard transactions originating in their stores were completed on EMV-compliant point of sale terminals. Also, as more and more merchants do achieve EMV compliance, fraudsters will concentrate their efforts on those who haven t upgraded their technology to work with the EMV liability shift. If you re in the latter group, you ll almost definitely be served a bigger slice of the fraudulent transactions pie and its accompanying financial complications. 3

4 EMV Brief: Wait... How Does EMV Really Work and Why is it Important? The workings of EMV may sound complicated at first, but that s not really the case. EMV Transactions 101: Chip cards come in two varieties and communicate with point of sale hardware in two different ways: contact and contactless. Contact cards feature contact plates that transmit necessary information when they are inserted into readers. Contactless cards contain antennas that let them communicate with readers through radio frequency (RF) technology. There are also dual-interface cards that can be used in contact and contactless transactions. Smart chip transactions are processed in four different ways: 1. Tap and go, wherein necessary transaction information is sent to its destination by RF technology. 2. Chip-and-PIN, which involves waving or inserting a chip-enabled and entering a PIN to further authenticate the transaction. 3. Chip-and-signature, where a signature is required after a card has been waved across a reader or inserted in a point of sale terminal. 4. Chip-and-choice, in which the cardholder decides whether to provide a PIN or signature. A few U.S. issuers are distributing chip-and-pin cards, but most have followed the chip-and-signature route. If a customer attempts to use a chip-and-pin card in a terminal that does not have PIN acceptance capability, the terminal will automatically revert to chip-and-signature mode. 4

5 The rationale for EMV is also easy to understand. EMV has been the standard elsewhere in the world particularly in Europe for quite some time, because it: Decreases card fraud. The ICCs in chip cards store information securely and carry security credentials that are encoded by the card issuer at the time each card is manufactured for the individual cardholder. The presence of the chip and the encoding of these credentials make it difficult for fraudsters to create counterfeit cards. In order to be successfully processed, EMV transactions require an authentic card validated either online by the issuer using a dynamic cryptogram or offline with the terminal using Static Data Authentication (SDA), Dynamic Data Authentication (DDA) or Combined DDA with Application Cryptogram Generation (CDA). EMV transactions also create unique transaction data; it is impossible for perpetrators to harness any captured data to process new transactions. Decreases losses from payment card fraud. Consider the case of the United Kingdom, where the adoption of chip-and-pin technology sparked a drop in payment card fraud from 18 basis points to 12 basis points between 2001 and What s more fraudulent card activity recorded in the United Kingdom decreased by 17% between 2009 and Enables interoperability with the global payments infrastructure. Chip cards can be used on any EMV-compatible payment terminal in the world. This interoperability will become increasingly important as some nations consider phasing out mag-stripe cards entirely. For merchants that cater to large numbers of customers from abroad, chip card acceptance is therefore a must. 5

6 EMV Preparation: Making Your Roadmap There s quite a laundry list of steps that need to be completed in order to prepare for the liability shift and go with the flow so if you haven t gotten started already, now s the time to get moving. You may have missed the October deadline, but the sooner you stop procrastinating, the better mostly because if you re hit with a data breach now, you ll find yourself in very hot financial water given your responsibility for the damage. Here are a few key steps in the right direction: Determine your equipment needs. You may need just a new, separate PIN pad to get started with EMV or, you may need an entirely new point of sale system and setup. Check with your point of sale vendor or value-added reseller to find out the type of equipment you ll require to suit your individual business needs. Budget for necessary equipment and upgrades. Again, your point of sale vendor or VAR can offer guidance here. Ensure that all hardware and software has proper EMV certification. Such certification is issued by EMVCo, the body that administers the EMV standard and handles testing. Create an employee and customer education program. EMV transactions differ from non-emv transactions in some subtle ways; for example, chip cards must be left in the terminal for the duration of the transaction, and restaurant tips are settled at the same time as the check. Your vendor or VAR can provide tips for teaching employees how to use EMV-compliant equipment, and for helping employees to assist customers in that same regard. 6

7 Looking to the Future: What s Ahead for EMV and PCI Compliance? While the EMV liability shift has already taken effect, there are additional related milestones to keep in mind as you delve into the EMV compliance realm. Some of these milestones pertain to EMV alone, while the scope of others includes adherence to the Payment Card Industry Data Security Standard (PCI DSS) as a prerequisite for being deemed in compliance with the EMV standard. Let s break everything down by card brand, starting with the October 1, 2015 deadline. Visa October 1, 2015 Any merchant whose POS hardware and software accommodates chip-enabled cards is exempt from financial liability for fraudulent card-present transactions. If a merchant is not EMV-compliant, and a fraudulent transaction occurs with a magnetic stripe card, the fraud liability remains as before with the issuer. October 1, 2017 The liability shift extends to the petroleum sector. Automated fuel dispensers must also accommodate chip cards if operators with these units in place are to be considered EMVcompliant (and not liable for any losses stemming from the use of fraudulent credit or debit cards to pay for petroleum purchased from their stores). 7

8 MasterCard October 1, 2015 Under MasterCard s fraud liability hierarchy umbrella, the party that has made investment in the most secure EMV options is protected from liability for card-present fraud losses from transactions completed with counterfeit, lost, and stolen cards. For merchants, this protection means EMV-compliant point of sale technology. Merchants became 100% exempt from account data compromise penalties enforced in keeping with the PCI DSS if at least 95% of MasterCard transactions processed in their stores originate from EMV-compliant point of sale terminals. October 1, 2017 The EMV liability shift for retailers with automatic fuel dispensers (described above) goes into force. The Final Word Laying it all out on the table, the plusses of moving ahead with EMV compliance most importantly, freedom from worry about liability for fraudulent card-present transactions and exemptions from stiff penalties imposed by issuers trump such minuses as hefty technology investments and educating employees and customers about how to use EMV-compliant point of sale equipment. Now that you have a clearer picture of EMV and know how and why it s important to jump on the bandwagon, you can take the plunge with confidence. About Touch Dynamic Founded in August of 2001, Touch Dynamic is an ISO 9001:2008 certified manufacturer of All-in-One touch terminals, small form factor PC s, mobile POS devices and touch screen monitors for a variety of industries. We understand the demands on our channel partners and provide unique products and additional value-added services to help them meet the specific needs of their customers. Touch Dynamic has leveraged our employees extensive experience in these markets to develop a focused product line of unmatched quality and features. We back it with a support staff that is highly skilled and motivated to solve any issue that might arise.