EMV & Smartcards: Ready or Not, Here They Come
There are certainly costs associated with the transition to EMV, but the benefits come in the form of increased security, reduced fraud, and even expanded marketing opportunities for small businesses.
EMV is already the payment standard in every major market except for the United States, making the switch to EMV in the U.S. long overdue.
- What is EMV?
- What is a smartcard?
- What is the purpose of EMV?
- How are EMV cards processed?
- When is EMV coming?
- Preparing your business for EMV
- EMV Fallout & Collateral Damage
What is EMV?
EMV is a technology standard originally developed by Europay, MasterCard and Visa in 1994 that utilizes smart cards to increase the security and global compatibility of credit and debit card transactions.
Today, EMV Integrated Circuit Card Specifications are maintained and enhanced by EMVco, an organization collectively owned by American Express, JCB, MasterCard and Visa.
With EMV, a customer's credit card information is transmitted to a business's credit card machine via a small microchip in the customer's credit card instead of via a magnetic strip that is the current standard.
What is a smartcard?
A smart card is a plastic payment card that has an embedded microchip with memory and often micro processing functionality.
Smart cards are the same size and shape of traditional credit cards, and most feature a magnetic strip in addition to a microchip so that it can be accepted by businesses with point of sales systems incapable of reading a smart card.
Unlike magnetic strip cards that store and transmit static cardholder information to a business's point of sale device, the microchip in a smart card adds a bit of dynamic data to each individual transaction. Think of this dynamic data as a one-time-use password that protects each transaction.
The ability of the microchip in a smart card to generate dynamic data is a key factor in EMV's security, and it's also where smart cards get their name.
What is the purpose of EMV?
EMV satisfies two main objectives. It decreases credit and debit card fraud on card-present transactions through increased security, and it creates a consistent cardholder experience worldwide through a global payments standard.
EMV Security & Fraud
EMV utilizes microchips instead of magnetic strips to transmit cardholder data at the point of sale. Unlike magnetic strips that transmit static information, a microchip attaches a unique cryptogram to each and every transaction.
This makes each transaction unique, thereby thwarting a fraudster's attempt to duplicate a transaction.
The dynamic cryptogram generated by a smart card also protects against "card skimming," which occurs when a fraudster reads the magnetic strip information from a credit or debit card without the cardholder knowing and then uses the information to make card-not-present purchases.
Once obtained, the card information can be used for "card transplant" fraud. This occurs when a fraudster uses inexpensive devices to copy a Cardholder's magnetic strip data to a blank card. The card copy is then used to make purchases, or in the case of ATM cards, to withdraw funds from the cardholder's account.
The EMV standard will also help reduce card-not-present fraud by reducing the amount of stolen credit card information available for use online, although this benefit will not be realized until the EMV standard has been widely utilized for some time.
Global Payments Standard
The United States is the only major market in the world that has yet to adopt an EMV standard. People traveling from the Unites States abroad will find it is difficult to make purchases with a magnetic strip card; conversely, visitors from Canada, the United Kingdom, and elsewhere will find it virtually impossible to use their smart cards to make purchases within the United States.
A globally adopted EMV standard allows cardholders to travel freely and make purchases anywhere using a single technology.
How are EMV cards processed?
EMV is a card-present technology, meaning the card must connect directly to a business's point of sale system either physically or within a distance of no more than a few inches through near field communication (NFC).
EMV cards are not swiped like magnetic strip cards. Instead, they are processed using near field communication (NFC) or physical contact.
In the case of NFC, a cardholder simply waves her smart card in front of a reader on a business's POS device to make payment.
Alternatively, a cardholder can insert her EMV card into a slot in the business's credit card machine and a reader within the machine connects with the card to initiate contact.
Smart cards that are capable of both contactless and physical transactions are called dual interface cards. Most smart cards are dual interface, but not all.
The four basic methods for processing an EMV transaction are listed below.
Contactless ("tap and go")
For a contactless transaction, the cardholder simply waives her card in front of a business's POS device to provide payment information. She may then be prompted to enter a personal identification number (PIN), or to sign a receipt once the transaction has been authorized.
Chip & Pin
A "Chip and PIN" EMV transaction occurs when a cardholder inserts her card into a business's POS device and the card remains within the device while she provides a PIN number to unlock the card. Chip and PIN is the most widely utilized EMV standard worldwide.
Chip & Signature
A "chip and signature" transaction occurs when a customer signs a sales receipt instead of providing a PIN number to complete the transaction. It is speculated that the U.S. will utilize chip and signature instead of chip and PIN since it is very similar process to what consumers are accustomed to with magnetic strip cards.
Chip & Choice
A "chip and choice" EMV transactions occurs when a customer is given a choice of completing a transaction by providing a PIN number or signing the sales receipt.
When is EMV coming?
The seed for an EMV transition has already been planted, and Visa has led the charge with a roadmap for EMV adoption with an August 2011 announcement that outlines a merchant incentive and a fraud liability shift.
Technology Innovation Program (TIP)
Visa's TIP went into effect October 1, 2012 and it allows U.S. merchants to skip PCI validation once 75% of their transactions originate from a device capable of transacting both NFC and physical EMV transactions.
The TIP program is a step in the right direction, but it fails to account for PCI compliance fees that many merchants pay to their credit card processor. Eliminating the requirement for validation loses much of its appeal if the associated costs are not also eliminated.
Bank to Processor to Merchant Liability Shift
Perhaps a far stronger motivator than Visa's TIP is the liability shift that is scheduled to take place October 15, 2015.
Under the shift, credit card processors will be responsible for fraud losses that occur as a result of a cardholder being forced to pay using a magnetic strip instead of a smart card due to a business not having a smartcard-capable device.
The cost of the fraud losses will ultimately be passed by the processor to the business where the fraud originated, thereby leaving the businesses on the hook.
(The liability shift will not occur for gas stations until 2017 due to the higher cost of transitioning equipment to EMV-capable devices.)
Preparing your business for EMV
The best time to begin preparing your business for an EMV transition is now. EMV-capable credit card processing machines and POS terminals have been available for some time.
Purchasing New Equipment
You don't need to rush out and buy new equipment, but if a new equipment purchase is on the horizon, be sure to purchase a credit card machine that is EMV-capable, and consider the following:
- Purchase a device that is both contact and contactless capable
- Consider terminal manufactured by Ingenico that also offer built-in customer loyalty programs
- Contact your current processor for a discount on equipment
EMV Fallout & Collateral Damage
As retailers and other card-present businesses begin the transition to EMV and become more secure, card-not-present businesses will experience an increase in fraudulent activity.
After the EMV standard has been in place for a while, and fraudulent card information becomes more scarce, card-not-present fraud will begin to drop. However, until that time, e-commerce and other card-not-present businesses should hone fraud detection methods.
Card-not-present businesses that rely heavily on AVS matching should look toward more sophisticated fraud detection such as dynamic fraud scoring at the point of sale.