Savvy business owners know that payments are about more than just swiping credit cards. Accepting payments smartly and securely can make or break your business. Merchants unknowingly accept payments from fraudulent cards far too often. Headlines about the use of fraudulent cards due to card data breaches, and concerns about the safety of new payment options like Apple Pay®, are generating buzz, but can also leave a small business owner wondering what truly matters.
In the world of payments fraud, one of the hottest topics is EMV® (Europay®, Mastercard®, and Visa®). EMV is the global standard for authenticating cards using an embedded chip, also known as “smart cards” or “chip-and-PIN.” EMV is likely to gain widespread adoption in the U.S. following a liability shift for fraudulent card-present transactions beginning October 2015, when merchants could be footing the cost of chargebacks due to fraudulent card use. With the liability shift comes considerations and investments that can impact your daily business operations, your customers’ experience, and your bottom line.
So what do you need to know about EMV? Why does it matter? What are the real issues that EMV raises for your business—right now? This paper explores all of these issues and more, helping make sense of EMV for your small business.
What is EMV?
The EMV standard is managed by EMVCo™, a joint venture of American Express®, JCB®, MasterCard®, Visa®, and China Union Pay®. Its intent is to minimize fraudulent transactions and to help eliminate credit card counterfeiting.
How does EMV work?
The EMV standard is based on smart card technology. While EMV chip cards look just like standard magnetic stripe cards, they contain a microprocessor, or chip, that enables every transaction they initiate to carry a unique cryptogram. That cryptogram is validated by the issuer, and it’s difficult for criminals to break it and steal card information for counterfeit use.
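To make the idea of a unique per-transaction cryptogram concrete, here is a simplified sketch added for illustration (it is not part of the original paper and is not the actual EMV algorithm). It assumes HMAC-SHA256 as a stand-in for the card's cryptogram calculation, and the class names, the test card number, and the amounts are constructed for the example.

```python
import hashlib
import hmac
import secrets

def cryptogram(key: bytes, pan: str, atc: int, amount_cents: int, nonce: str) -> str:
    """MAC over the transaction details (HMAC-SHA256 stand-in, not the EMV algorithm)."""
    msg = f"{pan}|{atc}|{amount_cents}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class ChipCard:
    """Holds a secret key that never leaves the chip, plus a transaction counter."""
    def __init__(self, pan: str, key: bytes):
        self.pan, self._key, self._atc = pan, key, 0

    def pay(self, amount_cents: int, nonce: str) -> dict:
        self._atc += 1  # a new counter value makes every cryptogram unique
        return {"pan": self.pan, "atc": self._atc, "amount": amount_cents, "nonce": nonce,
                "cryptogram": cryptogram(self._key, self.pan, self._atc, amount_cents, nonce)}

class Issuer:
    """Knows each card's key and the highest counter value it has already accepted."""
    def __init__(self):
        self._keys, self._last_atc = {}, {}

    def enroll(self, pan: str, key: bytes) -> None:
        self._keys[pan] = key

    def authorize(self, txn: dict) -> str:
        key = self._keys.get(txn["pan"])
        if key is None:
            return "DECLINE: unknown card"
        expected = cryptogram(key, txn["pan"], txn["atc"], txn["amount"], txn["nonce"])
        if not hmac.compare_digest(expected, txn["cryptogram"]):
            return "DECLINE: cryptogram mismatch"
        if txn["atc"] <= self._last_atc.get(txn["pan"], 0):
            return "DECLINE: counter already used"
        self._last_atc[txn["pan"]] = txn["atc"]
        return "APPROVE"

def demo() -> list:
    pan, key = "4111111111111111", secrets.token_bytes(16)  # constructed test values
    card, issuer = ChipCard(pan, key), Issuer()
    issuer.enroll(pan, key)
    first = card.pay(2500, secrets.token_hex(4))
    results = [issuer.authorize(first)]                            # genuine chip transaction
    results.append(issuer.authorize(dict(first)))                  # same data presented again
    results.append(issuer.authorize({**first, "amount": 99900}))   # amount altered in transit
    results.append(issuer.authorize(card.pay(1000, secrets.token_hex(4))))  # next genuine sale
    return results

if __name__ == "__main__":
    print(demo())
```

Copied transaction data is declined the second time it is presented, and changing any detail breaks the cryptogram, which is why data captured from a chip transaction is of little use for making a counterfeit card.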
How will EMV impact payment card fraud?
Although new in the U.S., EMV has been in effect outside of the U.S. for years. So what’s happened to fraud in those markets? Fraud-related losses at U.K. retailers have dropped 67 percent since 2004.[1] And Europe has experienced a 36 percent decline in credit card fraud.[2] However, it’s estimated that in the U.S., fraud cost retailers approximately $32 billion in 2014, which represents a 39 percent increase from 2013.[3]
The first major push by the card brands for your adoption of EMV technology goes into effect on October 1, 2015. On that date, you and your acquirer (people like us), as opposed to only card issuers, will also assume the financial burden associated with the fraudulent use of counterfeit, lost, and stolen cards. This means EMV merchants are protected from financial liability for card-present counterfeit fraud losses beginning in October 2015.[4] If neither or both parties are EMV compliant, the fraud liability will remain consistent with what it is today.[4]
My customers don’t use chip cards, so why should I care?
While EMV hasn’t yet gone mainstream, the payment card industry is paving the way. Aite Group® predicts that approximately 70 percent of cards in the U.S. will have EMV chips by the end of 2015.[5] So even if the majority of your customers are not yet using chip cards, it’s likely that they soon will.
How will EMV change my customers’ experiences at my point of sale (POS) terminal?
At the POS, there will be two primary changes to the customer experience:
• Instead of swiping the card, the customer will insert the card into the reader
• The card must remain in the reader for the duration of the transaction
This represents a fundamental change in the way many cardholders use their payment cards and provides benefits. Most retail POS systems allow the cardholder to simply swipe their card through the reader without the card ever leaving their grasp. You should be prepared for customers to insert the card and then immediately try to remove it from the reader. You should also be prepared for a jump in the number of cards left behind by customers.
How can I help my customers with their EMV transactions?
Thoroughly train sales associates and cashiers on the EMV POS transaction process so they can assist customers in completing the sale efficiently. Device prompts and prominent signage may also help.
What else should I be thinking about when it comes to fraud?
Avoiding data breaches requires both technology investments and vigilance on your part. In addition to fraud, consider the following security measures and how they can work with EMV to create a comprehensive solution to better protect your business.
• Don’t store full credit card data on your POS system. If you need to store data for future use, make sure the POS uses tokenization, where the card data is stored at your processor, but ready to use when you need it. It eliminates real card data by replacing it with a unique token to complete the transaction.
• Use end-to-end (E2E) data encryption to mask full credit card data while it’s in transmission from the card to the POS, from the POS to the authorization network, and back. E2E masks the full credit card number with meaningless characters so the real card data is never visible.
• Accept mobile payments like Apple Pay® and PayPal Mobile in-store. These new and emerging payment types rely on Near Field Communication (NFC) devices and employ tokenization technology to complete transactions so that no card information is present. Both EMV and many mobile payments use NFC technology, so implementing an EMV terminal will enable mobile payment acceptance as well.
How can I prepare?
EMV merchant processing solutions require some changes to your existing POS system. There are different approaches for EMV adoption and some may suit your business better than others depending on a variety of factors. A standalone EMV terminal is a quick fix, but it may not interact with your integrated POS system. This could potentially result in a loss of the benefits that an integrated POS system offers. You should work closely with your POS software providers in the days leading up to the October 2015 liability shift. This will help ensure that you understand your options, have time to implement changes, and minimize disruptions. The sooner you start taking steps toward EMV acceptance, the easier and better protected you’ll be when the liability shift takes effect.
Adoption and rollout won’t be turnkey. For merchants, EMV technology introduces a significant change to transaction protocol and can impact transaction speed. But the tradeoff between those concerns and the safe transactions enabled by EMV is measurable, with the potential to benefit you and your customers alike.
Although it may seem overwhelming, EMV represents a real opportunity to further reduce fraud across the payments ecosystem. However, it’s important to remember that there’s no one-size-fits-all EMV solution. Adoption will differ depending on the unique needs of your business and how it fits into your overall payments needs. That’s why it’s important to evaluate your specific situation and consult with an expert to identify the best small business EMV solution.
[1] Smart Card Alliance, http://www.smartcardalliance.org/publications-emv-faq/#q3.
[2] Security Intelligence, http://securityintelligence.com/emv-chip-cards-a-better-way-to-pay-and-fight-fraud/, 2015.
[5] Aite Group, http://www.aitegroup.com/report/emv-lessons-learned-and-us-outlook, 2014.
Aite Group, American Express, Apple Pay, China Union Pay, EMV, EMVCo, Europay, JCB, MasterCard, PayPal, and Visa are registered marks belonging to one or more unaffiliated third parties that do not endorse or sponsor Mercury Payment Systems, LLC.
The foregoing is provided for information purposes only, and is not legal advice. You should review your compliance obligations with your own legal or other advisors.