Digital Transactions Authoritative, insightful and timely information for payments professionals
Erik Vlugt
When it comes to testing hardware and software and training staff, the chip card deadline is a lot closer than it looks. Merchants should start getting ready now.
The 2015 EMV liability shift may appear to be a concern for the future; but in reality, merchants need to have EMV on their agenda right now.
“EMV,” or the Europay-MasterCard-Visa payment standard for chip-card interoperability, has spread to every major developed country and is banging on the door of the United States. The new EMV requirements will affect merchants, processors, card issuers, and every other payments industry player in some form or fashion.
As with other emerging standards, technology, and trends, EMV will be met with some skepticism. But sooner rather than later, merchants must come to the realization that EMV is unavoidable and will ultimately lead to a much more secure payments ecosystem.
Merchants that choose to procrastinate may find themselves unable to absorb the liability they will be exposed to after 2015. To help merchants decide on their position on EMV it is vital that they understand the benefits of EMV.
Avoiding Fraud Liability
In a word, it’s all about security. Let me explain.
Unlike many other retail technologies, EMV is not a consumer-driven trend. Early on, consumers are unlikely to seek out merchants that accept EMV payments simply because they are EMV compliant. EMV will not provide any particular competitive advantage or opportunity for consumer loyalty and incremental revenue.
Rather, the incentive to install EMV-capable devices and start accepting EMV payments is coming from that liability shift in October 2015. As EMV becomes ubiquitous in the U.S., as it has in so many other countries, we do expect there will be a natural tendency to favor merchants that have adopted EMV to provide a more secure shopping experience.
EMV supports three types of consumer-verification methods (CVMs): PIN, signature, or no CVM. PIN (also known as chip and PIN) is widely regarded to provide the best inherent security, versus chip and signature, or no CVM. This goes back to basic human authentication theory, which is that human verification—the fact that you are who you say you are—is based on one or more of the following:
– something you know, like a password or a PIN;
– something you have, like a card, or someone’s physical signature on the card;
– something you are (fingerprint, retina scan, DNA, etc.)
Current payment card magnetic-stripe technology is based on “something you have,” and in the case of payments that also require your signature, a thief who has stolen a credit card may have two forms of “something you have” if you have signed the back of your card. With your card, and a simple forgery of your signature (which is why it doesn’t qualify as “something you know”), a fraudster could easily rack up hefty charges.
Chip-and-PIN-based-EMV, on the other hand, currently offers both “something you have,” like your card, and “something you know” your PIN. Depending on the card issuer (i.e. the bank) and use-case, it is reasonable to expect that we will see all forms of CVMs (chip, signature, and no CVM) in the U.S.
In October 2015, unless the merchant is EMV-prepared, the burden of card-fraud risk shifts to the merchant. That means that when card fraud occurs with a credit or debit card that is EMV-capable at a merchant location that is not EMV-capable, the merchant may be liable for the fraud.
An Aite Group report from 2010 put the total costs of credit card fraud in the U.S. at $8.6 billion and the total number of people affected by card fraud at around 10 million. According to the U.S. Department of Justice, the median amount of reported per card fraud per incident is around $399.
That cost only reflects the fraud charges and does not take into account any ancillary administrative cost or damage to the brand that results from negative publicity.
More Complex
Not only are merchants required to acquire and operate EMV-capable devices and associated software, but also the entire payments ecosystem—from the acceptance device to the point-of-sale and/or switch software through the acquirer/processor and ultimately to networks—must be upgraded and certified.
The most important consideration for merchants is that they need to begin preparing for EMV now, not later. Implementing EMV is an order of magnitude more complex than existing systems. But given time and the right partners, it can be achieved, as it has been by millions of merchants around the world.
The effort involved in acquiring, installing, and certifying EMV-capable acceptance devices will vary depending on the size and type of retailer. Most small-to-medium-size merchants won’t be required to perform end-to-end testing, whereas larger merchants may well be responsible for this as well.
In either case, merchants should be in discussions with their payment provider and/or acquirer to determine if the equipment and systems currently in place will support EMV, and if not, what is required. Planning for this now will help make the upgrade process less difficult later.
Once the new hardware is in place, tomorrow’s EMV-capable acceptance devices will need to remain current with new EMV technologies and requirements. As EMV specifications get updated, those devices will require regular updates as well, or risk potential issues. Partnering with companies that can simplify this update and device management task will be critically important.
Another consideration to plan ahead for is training. An EMV transaction is different from a traditional transaction. Merchants, employees, and customers will need a bit of help as the pace of migration from current systems to EMV-compatible systems could be rapid or slow, depending on the merchant. Some transaction differences include:
– An EMV transaction requires the customer to insert a payment card into the payment device, usually leaving it there for the duration of the transaction. Initially, customers may be inclined to immediately insert and remove their card just as they do now at vending machines and many fuel pumps.
– In industries like restaurants and hospitality, EMV will likely mean that a server will no longer walk off with the customer’s card. The U.S. may move towards a more European pay-at-the-table model where the server waits while the payment is completed on a portable/mobile device, or a payment device is left with the customer. In either case, consumer education will be critical for the overall consumer experience.
– With the addition of new systems, there will be new training requirements for merchants and employees as existing processes may change substantially.
Start the Conversation
Merchants should get educated and prepare. Early planning will result in a more secure experience for consumers while avoiding unnecessary additional liability for merchants. Here’s a quick checklist:
Hardware: Begin working with your acquirer and/or payment provider to determine the status of your existing system and the required level of upgrade or replacement.
Software: As with hardware, determine your software vendor’s plans for the EMV transition. Find out where they are currently in their development, testing, and certification. With 2015 less than two years away, software vendors should be actively updating and enabling systems and entering the testing and certification phase in the coming months.
Marketing: Determine whether you will be communicating to consumers that they can shop securely in your stores owing to your early transition to EMV.
Associate Training: Training should be a three-fold effort between vendors, banks, and industry-infrastructure players to educate company IT staff on system usage and maintenance. Store-level training will also be necessary to ensure that employees are fully versed in the differences between EMV, mag-stripe, and even contactless payments. With a myriad of potential payment-acceptance types occurring at checkout, employees will need to know how to navigate each and remain trained as changes occur.
Consumer Education: When the U.K. moved to chip-based EMV payments, there was an accompanying consumer-education campaign. The slogan “I love chip and pin” was used, as the transition date coincided with Valentine’s Day. This slogan was plastered on store windows and posters, and its simplicity helped drive both awareness and usage. It is unlikely there will be such a large, sponsored campaign in the U.S., so it will be up to everyone involved to help drive awareness.
October 2015 may seem like a long way off, and merchants may feel like they have all the time in the world to prepare. In reality, as we get closer to the liability-shift date, and as more merchants and vendors procrastinate on development, certification, and installation, it may become difficult to qualify vendors, get EMV installed, certified, and updated, and get staff trained in time.
If a merchant’s regular POS replacement cycle is nearing, now is the perfect time to acquire EMV-ready equipment. Most major hardware vendors have been deploying EMV-capable devices outside the U.S. for many years and have certified hardware ready today. If a merchant has recently updated its POS infrastructure and the new hardware does not support EMV as it stands, there are options, such as EMV-capable PIN pads that connect to existing systems.
Either way, start the conversation now, so we will all be prepared.
Erik Vlugt is vice president of product marketing at VeriFone Systems Inc., San Jose, Calif.
