The EMV liability shift date, October 1, 2015, has come and gone, but many retailers have still not made this critical update. Most are left wondering: Is it too late? The good news is that it’s not too late for your business to upgrade. However, if credit card fraud takes place at your establishment before you take action, you will be held responsible for the financial repercussions.
Here, we break down key considerations that merchants must take to upgrade their payment technology to support EMV.
1. Understanding the Liability Shift: Why EMV?
Previously, if fraudulent credit card activity was detected at a retailer’s physical store, liability fell to the issuer of the card (i.e. the bank or credit union). But in October, 2015, all that changed. Now, any merchant who fails to upgrade their card acceptance and payment processing system from the swipe-and-sign magstripe card reading system to the EMV smart card acceptance technology bears the financial brunt, and for good reason.
The state of credit card security in the United States is a major issue. According to the Payments Security Report by BI Intelligence, in 2014 alone, there was $32 billion in credit card fraud—up significantly from $23 billion the year before.
EMV cards aren’t the cure-all, but they’re a major step in the right direction. Big card brands such as MasterCard, Visa, American Express and Discover Network are driving the mandatory shift to encourage speedy adoption of the fraud-reducing EMV technology. You can learn more about the liability shift by downloading our free ebook.
2. Payment Security: How EMV Helps?
EMV stands for Europay, MasterCard and Visa (the entities who created the card technology standard). Chip-enabled cards have an embedded microchip that provides real-time risk assessments on purchase activity based on the card user’s profile. The chip also generates a unique cryptogram each time the card is inserted or “dipped” into an EMV-enabled payment terminal, a process that cannot be counterfeited.
However, the cards still also contain a magstripe for use at non-EMV enabled devices, which can be counterfeited. The trouble for fraudsters comes in when they try to use these cards at an EMV enabled terminal or mPOS device. Since the chip cannot be duplicated, the counterfeit card becomes a magstripe-only card and can only work when used on a non-EMV enabled terminal or mPOS device. EMV enabled terminals will determine from the magstripe data that the card should be a chip card and needs to be inserted in the chip reader, but the card won’t have a chip to read and the transaction won’t be processed.
3. Cybercrime: Rise of Data Breaches in the U.S.
Data breaches in the US have been on the rise in the past few years. Take Target, for example. In early winter 2013, 40 million credit card numbers were stolen from the retailer’s records. As a result, net profits dropped by a whopping 46 percent. And the financial repercussion? About $200 million just to re-issue new credit cards. Many brands including Neiman Marcus, P.F. Chang’s, and more have been victims of data breaches since then.
This mandatory change in liability should not have surprised anyone. It was announced in 2011, and the Oct. 1 2015 deadline was well advertised. But many merchants were unable to meet it. Magstripe cards haven’t been entirely phased out and likely won’t be for some time. But there’s no getting around the fact that you must upgrade your payment technology and become EMV-compliant or bear the liability of a chargeback in event of a fraud.
Financially, we’re talking coverage of any chargebacks that result from fraudulent activity. In addition to the EMV liability shift for acceptance of fraudulent cards, if card data from your servers is stolen, you are also subject to additional penalties by the payment networks for lacking a secure system. Today’s consumers are aware and concerned about their security, and they’re taking it upon themselves to shop with merchants they know to be safe.
4. Obtaining EMV Compliance: Buttoning Up
The EMV migration can be a significant undertaking and it’s important to have the right technology partner experienced with EMV. These technology partners will be able to advise you on the most cost-effective and time-efficient way to transition, especially considering you’re already past the deadline and operating at risk.
Next, you’ll need to invest into EMV-enabled smart payment terminals or mPOS solutions. This technology requires careful consideration, including:
- Current hardware deployment
- Store count
- POS capability
- Sales volume
Keep in mind changes may be required of your current hardware and software to support the new system. EMV technology isn’t plug-and-play, and from start to finish, the installation process could take as long as four to five months for setup. You will also want to structure your timeline to include training for your staff and implement beta testing. Learn how leading retailers migrated to EMV by downloading one of our latest case studies.
5. EMV Certification: Making it Official
Beyond purchasing EMV-enabled smart terminals or mPOS solutions, you must also become certified by EMVCo and by the credit card issuers from which your store will accept payments. The certification process could take several weeks to several months to complete depending on the size and complexity of your business.
The certification process takes merchants through three levels:
- Levels 1 and 2 focus on certifying payment equipment (hardware and software)
- Level 3 (completed by the acquirer for some smaller businesses) involves end-to-end certification and covers conduct between the merchant and card brand.
6. Cost of EMV: Investing for the Future
Once again, cost will depend entirely on the size and complexity of your business. If you only have one stationary location for payment acceptance, you don’t need a fancy wireless terminal with volumes of memory. But a larger retailer looking to check out more customers simultaneously—and via mobile options throughout store aisles—might prefer portable smart terminals or mPOS solutions that connect via Wi-Fi or Bluetooth to a host system.
Regardless, the current recommendation is that you implement a PIN-capable EMV payment solution, as it’s hard to predict how the standard will change in the future. With both chip and PIN-enabled technology, your bases will be covered in both the near-term and long-term.
7. Getting Started: Find a Trusted Technology Partner
We get it—the mandatory push to invest in new technology frustrates some people. But the longer you wait, the more time you spend at risk. Instead of looking at it as a burden, think of it as contributing to the greater good and fighting back against fraudsters. Since EMV was implemented in the U.K., credit fraud has been reduced by 72 percent.
It’s easy to be intimidated by the investment and the technology. By working with a technology partner that provides smart, trusted, secure and seamless payment solutions, your customers will appreciate the added protection, your reputation will remain intact and you will avert liability that could cost millions.
Looking to learn more? Watch our on-demand webinar to help you clearly define the next steps for your organization so you can finally get your EMV migration strategy up and running. Watch the recorded webinar here: EMV Migration: Lessons Learned + Next Steps.
Allen Friedman, Vice President, Payment Solutions, North America/Ingenico Group