By David Dorf-Oracle on Feb 25, 2015
If you’ve received a new card from your bank in the last six months, it’s likely an EMV card with a chip. Banks are issuing EMV cards, and retailers are installing EMV-capable terminals to accept those EMV cards. Both are working toward the October 2015 deadline whereby the liability shift occurs. Today, when a counterfeit card is used in a store, the bank takes the loss. But after the liability shift, if the bank has issued an EMV card, but the retailer has not upgraded to an EMV terminal, then the retailer takes the loss resulting from counterfeit cards.
In that scenario the bank has done its part but the retailer hasn’t – so the retailer is the weakest link and takes on the risk. If the retailer has an EMV terminal, but the card is not an EMV card, then the risk goes back to the bank since it’s the weakest link.
Most retailers understand the situation and have carefully weighed the risk versus the cost of upgrading terminals. But there are many other nuances with the EMV migration. Below are eight things every retailer should know:
1. If you’re not already testing EMV-capable terminals, you’re behind. But you’re not alone as many retailers are questioning the cost of upgrading terminals. The rollout in the UK and Canada took several years, so don’t expect anything special to happen on October 1 when the liability shift occurs. It will be just like any other day.
2. The EMV specifications allow several methods for cardholder validation: online PIN, offline PIN, signature, and none (for low value transactions like vending machines). The issuing bank decides which method to use when the card is programmed. Then when the card is inserted into the terminal, the terminal will request a PIN or signature to verify the cardholder’s identity.
The card brands are recommending online PIN (where the PIN is sent to the issuer for verification, similar to debit transactions) instead of offline PIN (where the chip validates the PIN), but this decision will be transparent to both the cardholder and merchant.
In the US, a PIN is not mandated so many banks will configure their cards to request signatures. Obviously this is not as secure and also places a burden on the retailers to retain signatures. For this reason the NRF has been advocating “Chip and PIN” vs “Chip and Signature.” Only Mexico and Brazil continue to use signatures.
3. The chip in the EMV cards is really aimed at preventing counterfeit cards, but it does nothing to help with other types of fraud. Creating a counterfeit card, which is relatively easy with mag-stripe cards, is nearly impossible with chip cards. The liability shift only impacts counterfeit cards; retailers are still not responsible for stolen card usage.
4. The EMV specification supports both contact and contactless (NFC) cards with some cards supporting both. As mobile payments mature, it’s likely that contactless gains popularity so it’s probably worth the investment in terminals that support NFC.
5. New EMV cards will continue to have a mag-stripe for several years as terminals are upgraded. If a consumer tries to swipe an EMV card in an EMV-capable terminal, the terminal will ask them to insert instead. If the card’s chip or the chip reader malfunction, the consumer will be told to fall-back to mag-stripe. And if the mag-stripe doesn’t work, merchants will call for a manual authorization.
6. When a card is inserted, it must be left until the transaction completes. The chip is a tiny microprocessor that must communicate with the terminal, verifying each other’s authenticity. Often consumers remove the card prematurely and the transaction must be restarted. Or worse they forget to take the card with them when the transaction completes. Cashiers will need to be diligent as consumers are educated.
7. Initially fraud won’t decrease. Instead, card-present fraud in stores will migrate to card-not-present fraud online. Thieves can still steal account numbers off the front of the cards or the cards’ mag-stripe, but they won’t be able to create counterfeit EMV cards. That will drive them online where EMV doesn’t help (yet).
8. Account numbers are not encrypted. Each transaction gets a unique cryptogram that ensures the card is not counterfeit, but otherwise the account number and associated data travel the same path we’re used to. Put another way, EMV cards and terminals would not have prevented recent thefts at large retailers. But it does make it harder to use the stolen account numbers, because EMV cards can’t be counterfeited and used in stores.
Retailers still need to follow PCI recommendations to encrypt card numbers in transit and at rest, as well as protect point-of-sale systems from malware.
Infographic from http://www.welchatm.com/blog-emv-by-the-numbers.html.
The worst mistake retailers can make is not knowing the facts about EMV. Stay informed, and be prepared for the coming changes.