EMV. Chip cards. Smart cards. Nowadays merchants and customers hear these words all the time. The EMV card — which stands for Europay, Mastercard and Visa — is the global standard for chip-equipped cards; these chips authenticate transactions as they happen. As merchants, you’ve probably noticed customers dipping their cards rather than swiping them.
This leads us to ask: what does this all mean, and why the changes?
What is EMV?
EMV technology developed in an effort to reduce fraudulent activity in the credit card processing world. With data breaches becoming more common, merchants and consumers alike are seeking to add protection to their transactions. EMV technology provides extra security for transactions processed with a microprocessor chip.
The primary and most important difference between an EMV transaction and a standard magnetic stripe transaction is the type of information that is taken from the card. In a traditional magnetic stripe transaction, all of the information taken from the card is static (always the same). This is where skimming comes into play. Skimming is when the information on the credit card stripe is stolen from a terminal or magnetic stripe directly; a clone credit card is then created to process fraudulent transactions. This is how thieves are able to make purchases using an actual card and a magnetic stripe. However, in terms of security, EMV cards differ in 2 major ways.
First, terminals can recognize when the card being used is an EMV card, so even if a thief managed to steal your card information, they would still have to make a clone card on a magnetic stripe. Once they’d attempt to swipe the card, the terminal would identify the card as EMV –meaning a chip should be used to process the transaction — but the thief will have no chip on the card and would be unable to complete the transaction.
EMV cards also use dynamic information whenever a transaction is processed. This dynamic information is ever-changing, and it’s what allows transactions to be processed successfully. Say a thief steals your information. By the next transaction, the card information would already be changed and the transaction would be declined. EMV chip card recognition and dynamic information make it nearly impossible for stolen information to be used in a card present environment.
What Does This Mean to You as a Merchant?
Visa and MasterCard set a hard deadline for having an EMV capable terminal for October 15th, 2015, which already has come and gone. You might believe that all businesses accept EMV cards, but this really isn’t the case. That’s because businesses technically aren’t required to accept EMV cards, but rather only ‘highly suggested’. The credit card associations (Visa, Mastercard, AMEX) have created a liability shift that will push businesses towards accepting EMV transactions. The Liability for fraudulent transactions has shifted towards the merchant and business owners, but only if they are not in compliance with the EMV Requirements. The liability shifts from the card issuer to the merchant when the bank has provided an EMV credit card (to protect the consumer) but the merchant has not upgraded to an EMV terminal. The reasoning behind this being that the card issuer did what they could to protect the consumer, but the merchant did not do so by not having a terminal capable of accepting EMV Cards. On the contrary, if the Business is EMV ready but the card issuer has only provided the consumer with a traditional magnetic stripe card then the card issuer has not protected the consumer therefore the liability is on the card issuer. This plan was set in place to create an incentive for both merchants and card issuers alike to transition to EMV capable cards/devices.
Are There Exceptions?
There are exceptions to the October 15th, 2015 deadline set by the Credit Card Associations.
exceptions have been created for the liability shift with regards to Automated Fuel Dispensers and ATM Transactions. Their deadline has been set to take effect in October of 2017 per VISA and MasterCard. The shift does not apply to card-not-present transactions where either the consumer is manually entering their card information or the business is having to manually enter the information.
Where Are We Going Now?
The end goal for the credit card associations is to have 100% of consumers with EMV Cards and 100% of (card present) businesses to have the required devices in order to accept transactions. All of this is an effort to reduce card present transactions that are fraudulent. Additionally, in many parts of the world cards no longer have any cards with magnetic stripes, they are all contactless/EMV only. We are going through the change therefore issuing institutions still provide credit cards with both magnetic stripe and chip.
There are a lot of mixed feelings about the change to EMV credit cards and the shift of liability. It is all in an effort, that even though costly at first, will in the end prevent a higher amount of fraudulent transactions therefore saving businesses, issuers, and the card associations money. There are many myths and misunderstandings about EMV where some people believe that EMV is supposed to rid 100% of fraud in the credit card industry but these features are designed to protect businesses who transact face to face with consumers because processing online has other vulnerabilities that can be addressed in alternate ways.