What Merchants Need to Know About EMV
- What is EMV?
- What makes EMV different than the traditional magnetic stripe card payment?
- What are smart cards?
- What are the advantages of EMV technology?
- When do the new liability shift rules take effect?
- How will EMV impact my business?
- What's a dual interface terminal?
- What if I choose not to upgrade or replace my equipment to accept EMV transactions? Will I still be able to process card payments?
- How do I know if I have an EMV-enabled terminal?
- Is it true that I may be able to purchase a peripheral device for EMV acceptance instead of a new terminal?
- If I have an EMV capable terminal, do I need a new application download to enable EMV acceptance?
- What makes a terminal EMV ready?
- Will there be new interchange categories for EMV capable cards?
- What chargeback, or disputed transaction, codes are currently associated with EMV?
- What if I accept face to face transactions using a computer or an internet payment gateway (virtual terminal)?
- What does EMV migration mean for card not present (CNP) merchants?
- How will EMV requirements impact mobile card acceptance?
- What if I process payments and allow my customers to get cash back? Are there differences in EMV requirements?
- To be EMV ready, do I need to be able to support chip and PIN, chip and signature and near field communication (NFC), or contactless payments?
- If I am fully EMV enabled, do I still need to be Payment Card Industry Data Security Standards (PCI-DSS) compliant and incur PCI-DSS related validation fees?
- Are there any best practices for EMV migration?
- What can I do now to prepare?
- EMV is the global standard for card present payment processing technology – and it's coming to the U.S.
- EMV uses an embedded chip in the card that holds all the same cardholder information that is stored on the magnetic stripe, and more.
- This “smart card” technology provides an additional form of card authentication for the transaction – providing better validation the legitimacy of the payment type being used and helping reduce the use of counterfeit payment cards at retail points of sale.
- The EMV chip helps protect you from card present counterfeit transactions, but not those made with a lost or stolen card. Businesses will need to ensure they verify the identity of the person presenting the card for payment.
- EMV is the best existing technology in use today to authenticate cards and cardholders ensuring that a card is not a counterfeit or “cloned” card. The embedded chip generates a one-time value to make each transaction unique. This is known as dynamic authentication.
- Magnetic stripe data is static; the data is the same each time the card is used at all terminals and is easily “cloned”. This “smart card” technology provides an additional form of card authentication for the transaction – providing better validation the legitimacy of the payment type being used and helping reduce the use of counterfeit payment cards at retail points of sale.
- EMV-enabled cards, or smart cards, have an embedded secured microprocessor chip that stores cardholder data and creates a unique value for each processing transaction. Smart cards come in three forms:
– Contact Cards get inserted into a card reader for transaction authentication and must stay in the terminal for the duration of the transaction, which ends when the receipt is printed.
– Contactless Cards aka, “Tap-and-Go” cards use a radio frequency and a nearby (within a few inches) contactless-capable reader for transaction authentication.
– Dual Interface Cards combine contact and contactless technology and use dual interface terminals for transaction authentication.
- EMV technology contains advanced security features that can help reduce card present counterfeit fraud.
- It can offer consumers more convenience and instill greater confidence at the point of sale (POS).
- When the Visa and MasterCard liability shift occurs in October 2015 for retail businesses and October 2017 for petroleum pay-at-the pump businesses, you may avoid the financial liability associated with counterfeit card transactions by being EMV ready.
- October 2015 is when the financial liability shifts from card issuers to retail merchants for counterfeit fraud card present transactions, and October 2017 for petroleum pay-at-the-pump merchants, if only the magnetic stripe authentication is used when the card is EMV capable. The table below shows who is financially liable for counterfeit card present transactions based on EMV readiness after the liability shift.
|Scenario: Counterfeit Card Presented||Card Issuer EMV Enabled||Merchant Acquirer EMV Enabled||Merchant EMV Enabled||Financial Liability|
*Card Issuer liability remains subject to other Card Network rules.
- Customers who are unfamiliar with chip based cards will need to be trained on how to insert or tap their cards in or over the device.
- Employees will need to understand these new procedures in order to help customers and to explain the security benefits as customers ask questions.
- Dual interface terminals are able to process chip transactions from various payment products including contact or contactless chip cards, mobile devices and wallets, and magnetic stripe cards. The image below shows how this works.
- Yes. Chip cards will have the embedded microchip and the magnetic stripe. However, you are subject to the liability shift for card present counterfeit fraud transactions.
- An EMV-enabled terminal will have a slot where the smart card can be inserted, a contactless radio frequency reader, or both. Ask your bank representative if your terminal is EMV ready.
- Yes. Some terminals can be upgraded to fully support EMV transactions with only a peripheral device versus needing a new terminal. We will provide additional information on what you may need to be EMV capable as it is available.
- Yes. You will need to download a new application to read smart cards on EMV capable terminals.
- There are two components; the terminal device and the application it uses to read the card. EMV certified terminals have the ability to communicate with the chip card via contact or contactless. The application drives the device, allowing it to authenticate the chip card and cardholder, as well as authorize the transaction either online with a PIN, or offline with the chip.
- Not at this time. The card brands have not announced any new interchange categories for EMV card acceptance, so the transactions will qualify at the current rates.
- With EMV, the Associations will have new chargeback codes. For Visa, a 62 code is for a Counterfeit Transaction dispute and an 81 code for Fraud, Card Present. MasterCard also has two codes. For Counterfeit Fraud, you will see a 4870 code, but a never-received-as-issued (NRI) fraud dispute will be a 4871 code.
- While there are a few virtual terminal card readers on the market, manufacturers continue to develop “future proof” EMV-enabled devices. As we near the liability shift date, we will provide more information when it becomes available to us.
- As EMV technology is adopted in the card space, it is expected that fraud will also shift to the least secure channels, including CNP. From an online fraud perspective, it's important that CNP businesses be prepared for this anticipated shift. Strategy is key, and it's essential that you take the extra measures to know good customers and good customer behavior beyond just Address Verification Service (AVS) and Card Validation Values (CVV). You should consider strengthening the value of these tools by supporting additional technology, such as CAPTCHA, a program that is designed to tell humans apart from computers automatically, to help mitigate fraudulent activity. An example of what CAPTCHA looks like is below.
- The EMV liability shift affects all card present transactions. So, there is no distinction made if you accept cards using a smart phone or tablet.
- There are no unique EMV requirements for cash back transactions. However, the same liability shift applies like all other card present transactions.
- The card brands vary on their requirements, but to be fully prepared, you will want an EMV device that can process chip and signature, chip and PIN, and contactless payments.
- Yes. PCI-DSS compliance is mandatory for all merchants.
- Do your research in advance. As equipment upgrades have the potential to be both costly and time consuming, it's best to get started earlier versus later. Figure out how much it's going to cost, how long it's going to take and plan accordingly. Also, when planning on how to update your systems to support this change, you will want to take a look at the cost versus benefits of EMV.
- Training and product awareness at both the business and employee level is crucial to a successful implementation. As EMV acceptance is very different from the traditional magnetic stripe (the card is inserted into the terminal as opposed to swiped, for example), it is important that everyone is familiar with the new requirements to make the customer experience as smooth as possible.
- Don't wait until the last minute to migrate. You may begin to feel the pressure once the EMV card migration starts to reach its critical mass – with issuing banks beginning to issue chip cards to new and existing customers. Businesses that have not already migrated to EMV may consequently have to answer to their customers as to why they have to continue to swipe their new chip cards – especially when the market presents chip technology as the safer way to pay.
- Talk to your bank representative and begin assessing what a chip card payment migration plan would look like for upgrading or replacing all consumer facing POS devices.