EMV & Smartcards: Ready or Not, Here They Come
There are certainly costs associated with the transition to EMV, but benefits come in the form of increased security, reduced fraud, and even expanded marketing opportunities for small businesses.
EMV chip cards are already the payment standard in every major market except for the United States, making the switch to EMV in the U.S. long overdue.
- What is EMV?
- What is a smartcard?
- What is the purpose of EMV?
- How are EMV cards processed?
- When is EMV coming?
- Preparing Your Business for EMV
- EMV Fallout & Collateral Damage
What is EMV?
EMV is a technology standard originally developed by Europay, MasterCard and Visa (hence the acronym EMV) in 1994 that utilizes smart cards to increase the security and global compatibility of credit and debit card transactions.
Today, EMV Integrated Circuit Card Specifications are maintained and enhanced by EMVco, an organization collectively owned by American Express, JCB, MasterCard, and Visa.
With EMV, a customer's credit card information is transmitted to a business's credit card machine via a small microchip in the customer's credit card instead of via a magnetic strip that is the current standard.
What is a smartcard?
A smart card or chip card is a plastic payment card that has an embedded microchip with memory and often micro processing functionality.
Smart cards are the same size and shape of traditional credit cards, and most feature a magnetic strip in addition to a microchip so that it can be accepted by businesses with point of sales systems incapable of reading a smart card.
Unlike magnetic strip cards that store and transmit static cardholder information to a business's point of sale device, the microchip in a smart card adds a bit of dynamic data to each individual transaction. Think of this dynamic data as a one-time-use password that protects each transaction.
The ability of the microchip in a smart card to generate dynamic data is a key factor in EMV's security, and it's also where smart cards get their name.
What is the purpose of EMV?
EMV satisfies two main objectives: It decreases credit and debit card fraud on card-present transactions through increased security, and it creates a consistent cardholder experience worldwide through a global payments standard.
EMV Security & Fraud
EMV utilizes microchips instead of magnetic strips to transmit cardholder data at the point of sale. Unlike magnetic strips that transmit static information, a microchip attaches a unique cryptogram to each and every transaction. This makes each transaction unique, thereby thwarting a fraudster's attempt to duplicate a transaction.
The dynamic cryptogram generated by a smart card also protects against "card skimming," which occurs when a fraudster reads the magnetic strip information from a credit or debit card without the cardholder knowing and then uses the information to make card-not-present purchases or to "clone" cards.
Cloned cards can be used for "card transplant" fraud. This occurs when a fraudster uses inexpensive devices to copy a cardholder's magnetic strip data to a blank card. The card copy is then used to make purchases, or in the case of ATM cards, to withdraw funds from the cardholder's account.
The EMV standard may also help reduce card-not-present fraud by reducing the amount of stolen credit card information available for use online, although this benefit will not be realized until the EMV standard has been widely utilized for some time.
Global Payments Standard
The United States is the only major market in the world that has yet to adopt an EMV standard. People traveling abroad from the United States will find it is difficult to make purchases with a magnetic strip card; conversely, visitors from Canada, the United Kingdom, and elsewhere will find it virtually impossible to use their smart cards to make purchases within the United States unless the card has a magnetic strip which can be run in machines in the US.
A globally adopted EMV standard allows cardholders to travel freely and make purchases anywhere using a single technology.
How are EMV cards processed?
EMV is a card-present technology, meaning the card must connect directly to a business's point of sale system either physically or within a distance of no more than a few inches through near field communication (NFC).
EMV cards are not swiped like magnetic strip cards. Instead, they are "dipped" into a special slot where the chip makes contact with the reader or processed using near field communication (NFC.) In the case of NFC, a cardholder simply waves her smart card in front of a reader on a business's POS device to make payment.
Smart cards that are capable of both contactless and physical transactions are called dual interface cards. Many smart cards are dual interface, but not all.
The four basic methods for processing an EMV transaction are listed below.
Contactless ("tap and go")
For a contactless transaction, the cardholder simply waives her card in front of a business's POS device to provide payment information. She may then be prompted to enter a personal identification number (PIN), or to sign a receipt once the transaction has been authorized.
Chip & Pin
A "Chip and PIN" EMV transaction occurs when a cardholder inserts her card into a business's POS device and the card remains within the device while she provides a PIN number to unlock the card. Chip and PIN is the most widely utilized EMV standard worldwide, but is not very common in the United States except for chip debit transactions. Very few credit cards issued in the US today are chip and PIN.
Chip & Signature
A "chip and signature" transaction occurs when a customer signs a sales receipt instead of providing a PIN number to complete the transaction. As mentioned above, the US largely utilizes chip and signature instead of chip and PIN since it is very similar process to what consumers are accustomed to with magnetic strip cards.
Chip & Choice
A "chip and choice" EMV transactions occurs when a customer is given a choice of completing a transaction by providing a PIN number or signing the sales receipt. Some businesses report that customers are not given a choice between PIN or signature at the time of sale. We cover the reasons that may happen in our article on EMV PIN Debit.
When is EMV coming?
The official liability shift deadline for implementing EMV was October 2015. However, the rollout time was ambitious, and many businesses have not made the switch. Additionally, pay-at-the-pump gas stations have an extended deadline of October 2020.
Technology Innovation Program (TIP)
Visa's TIP went into effect October 1, 2012 and it allows U.S. merchants to skip PCI validation once 75% of their transactions originate from a device capable of transacting both NFC and physical EMV transactions.
The TIP program is a step in the right direction, but it fails to account for PCI compliance fees that many merchants pay to their credit card processor. Eliminating the requirement for validation loses much of its appeal if the associated costs are not also eliminated.
Bank to Processor to Merchant Liability Shift
Perhaps a far stronger motivator than Visa's TIP was the liability shift that took place in October 2015.
Under the shift, credit card processors will be responsible for fraud losses that occur as a result of a cardholder being forced to pay using a magnetic strip instead of a smart card due to a business not having a smartcard-capable device. The cost of the fraud losses will ultimately be passed by the processor to the business where the fraud originated, thereby leaving the businesses on the hook.
Preparing Your Business for EMV
The best time to begin preparing your business for an EMV transition is now. EMV-capable credit card processing machines and POS terminals have been available for some time.
Purchasing New Equipment
If you have not yet upgraded to an EMV chip card reader, it may be worth doing so. Be sure to purchase a credit card machine that is EMV-capable, and consider the following:
- Purchase a device that is both contact and contactless capable
- Consider universal terminals in case you need to switch processors in the future
- Contact your current processor for a discount on equipment
EMV Fallout & Collateral Damage
As retailers and other card-present businesses begin the transition to EMV and become more secure, card-not-present businesses will experience an increase in fraudulent activity.
After the EMV standard has been in place for a while, and fraudulent card information becomes more scarce, card-not-present fraud will begin to drop. However, until that time, e-commerce and other card-not-present businesses should hone fraud detection methods.
Card-not-present businesses that rely heavily on AVS matching should look toward more sophisticated fraud detection such as dynamic fraud scoring or even 3D Secure solutions at the point of sale.