Business after the EMV liability shift

used with permission from HP Technology at Work

What is EMV chip card technology? Is it really more secure than magnetic stripe technology? Is compliance worth the cost of upgrading? It’s been over a month since the “EMV liability shift” went into effect in the U.S. on October 1, 2015, but many businesses still have unanswered questions.

To help you get the answers you need to minimize your liability, we’ve enlisted expert insight from Lorena Kubera, VP & GM of HP Retail Solutions Global Business Unit, and Cory McElroy, Director of Product Management & Marketing for HP Retail Solutions.

Here’s what you need to know to master the EMV shift.

Q: What is EMV?
A: EMV stands for “Europay, Mastercard, and Visa,” the three companies that originally developed this chip card technology in the mid-1990s. Simply put, the technology embeds a secure computer chip in the body of a credit card. This chip stores the payment application and has three key functions:

1. Perform processing tasks
2. Store confidential information securely
3. Perform cryptographic processing¹

The result is a more sophisticated credit card that allows for additional security measures, such as authentication of the chip card, digitally signing payment data, and more robust cardholder verification.¹

Q: Is EMV more secure?
A: Yes. You’ve probably heard that EMV technology is more secure than magnetic stripe technology, and it is by a very large margin. When Canada made the switch to EMV cards, credit card fraud dropped 73% within three years.² Similarly, since France made the switch they’ve seen credit card fraud drop by 80%.2 Considering that just over half of the world’s credit card fraud now happens in the United States,² the switch to EMV technology could save consumers and businesses billions of dollars per year.

However, no security technology is perfect. Here are a few reasons EMV cards might not have as a large of an impact on card security in the U.S. as we’ve seen in other countries:

• Increased attention from hackers—When magnetic stripe cards were used for the vast majority of U.S. purchases, hackers had no reason to focus on EMV. With the recent mass shift, however, hackers will likely begin to probe the new cards and systems for vulnerabilities.
• Increase in online fraud—EMV chip cards greatly improve security for in-store transactions. When used for online purchases, however, they have the same vulnerabilities as magnetic stripe cards. This means online credit card transactions remain vulnerable, and online fraud rates may even increase. For example, in Europe the switch to EMV saw online credit and debit card fraud rates increase from 25% in 2004 to 64% in 2010.³
• Signatures vs. PINs—There are two versions of EMV chip cards: chip-and-signature and chip-and-PIN. While the latter offers more security—it’s harder to guess a PIN than fake a signature—the majority of EMV chip cards distributed in the U.S. are chip-and-signature.⁴ As a result, “while there is some increased fraud protection over plain magnetic stripe reader cards today… it’s not the ultimate solution like chip-and-PIN is,” says Kubera.

Q: How long will the EMV migration take?
A: It will likely be several years before the migration is complete in the U.S. Here’s why:

• It’s up to credit card issuers to make the final switch to chip-only cards. Until they’re ready to make that change, and eliminate magnetic stripes for good, the migration won’t be complete. While 600 million EMV credit cards are projected to reach cardholders by the end of 2015⁵, only 25% of U.S. financial institutions will have issued EMV debit cards or plan to do so by the end of 2015.⁶
• Retailers are not required to upgrade their systems to accept EMV for now. If a retailer is willing to accept the increased liability—perhaps due to an ROI decision or lack of information about why they should upgrade—then they can continue to accept magnetic stripe payments. A “fallback transaction” occurs when an EMV chip card’s magnetic stripe is used on an EMV-enabled terminal. In such cases, when the retailer is fully EMV compliant, it’s the credit card issuer who is liable for any fraud—a fallback to the pre-migration setup.⁷

Q: Does my business need to be EMV compliant?
A: It’s not required, but it’s often a good idea.⁸ Businesses are not required by U.S. law to be EMV compliant and may choose to put off their upgrades. “Every merchant has to do this internal ROI calculation,” explains McElroy. “If I’m selling a $5 meal, am I willing to take on a $5 fraud liability versus paying hundreds of dollars to upgrade?” For many businesses, the losses they could incur are much higher than the costs of upgrading their terminals and payment processor, making compliance an easy choice.

Upgrading to EMV compliant terminals and systems ensures you will not be held liable for in-store credit card fraud when EMV is used. Additionally, it is a good opportunity for your business to start accepting other payment methods—such as mobile wallet applications. You are essentially “future-proofing” your business by investing in technology that will allow you to accept whatever payment methods your customers would like to use.

Q: How will EMV affect the checkout process?
A: Unless a customer or employee has lived abroad for some time, they may need some help learning how to use EMV chip cards. In the absence of a large advertising push—such as we’ve seen for many of the newer mobile payment systems—“there will be a period where businesses are going to have to explain to customers how they make their payment,” explains Kubera.

“Every time you change a process, there naturally is a slow down,” says McElroy. To keep your transactions moving smoothly—especially during the busy holiday periods—here are a few EMV-specific tips:

• Train employees on how to use the system from both ends, in case they have to swipe or insert the card for a customer
• Write up scripts, so that employees know exactly what to say when a customer is struggling or performs the wrong action
• Set up reminders or instructional signs near the checkout showing customers how to use the new system
• Make sure customers don’t leave their cards behind. During the Canadian EMV migration customers often left their cards in the machines after a purchase⁹

Parting thoughts
EMV credit cards are a nice step forward in terms of security, but there is still a ways to go until the EMV migration is complete. If you haven’t already, we suggest you take steps to ensure your business is 100% EMV compliant as soon as you can. In the event that fraud does occur, the party that is least EMV compliant is the one that is held liable. And in the case of a tie, where both parties are equally compliant, the liability remains with the card issuer.⁹ The sooner you upgrade, the sooner you won’t have to worry about your liability.

Additionally, try to approach this EMV migration as an opportunity—rather than a cost. If you’re knowledgeable about the new setup and ready to educate your customers, they will see that they can trust you and may feel more secure doing business with you. Expanding the number of payment types you accept will prepare your business not just for EMV, but for a variety of payment methods vying for a place in our wallets.

 

 

[1] EMVCo, A Guide to EMV Chip Technology, 2014
[2] HP, EMV Chip Cards are Coming. Is Your Business Ready?, 2015
[3] Entrepreneur, Online Debit, Credit Fraud Will Soon Get Much Worse. Here’s Why., 2014
[4] U.S. News, 6 Things You Need to Know About the New Chip Cards, 2015
[5] CreditCards.com, 8 FAQs about EMV credit cards, 2015
[6] PULSE, One of Every Four Debit Cards to be Converted to Chip by End of 2015, 2015
[7] EMV Migration Forum, Understanding the 2015 U.S. Fraud Liability Shifts, 2015
[8] Time.com, Here’s Why Your Credit Card Now Has a Chip and Why You Should Care, 2015
[9] Intuit, Step-by-Step Guide to EMV Migration for Small Businesses, 2015