Google+

Blog Home
Share this Post: 

Industry Regulations and EMV

PAI – Feb 1st, 2016

EMV is here—and merchants need to be aware now of the impacts and benefits these changes will have on their businesses.

In an effort to build a better defense against credit card fraud, new regulations will
require all merchants to make changes at their POS stations. As of October 2015,
merchants operating in the U.S. will be required to upgrade their credit card terminals, mobile credit card readers, and POS systems to what is called "EMV technology.” Failing to upgrade will result in a shift of liability from the card-issuing bank to the merchant.

As a small merchant, here’s what you need to know about industry regulations as the
card-issuing banks are mass deploying EMV chip cards to credit and debit card holders
all over the United States.

What Is EMV?

EMV stands for Europay, MasterCard® and Visa®, the companies who initially
developed the standard. First deployed in Europe in 1992, EMV-based cards are more
secure than simple magnetic stripe cards. The chip card creates a unique encrypted
code (digital signature) for each transaction when the card is used, making it much more difficult for hackers to breach than the traditional magnetic stripe model.

The chip that is embedded into the payment device is a mini computer that performs
additional security checks and validations during a transaction. It adds dynamic data to a transaction that makes each transaction unique. This is unlike a magnetic stripe that uses static data that never changes, making it easier to replicate.

Why Should Merchants Upgrade Terminals to Support EMV?

In 2013, leading up to Thanksgiving and Black Friday—the unofficial kickoff to the holiday shopping season—the worst credit card fraud in U.S. history at the time was perpetrated, and as a result, sent shockwaves through the retail industry and drew attention to a serious flaw in this country’s credit card system. 

According to Bloomberg Businessweek, the fraudsters had installed malware in Target’s security and payments system. "At the critical moment when the Christmas gifts had been scanned and bagged and the cashier asked for a swipe—the malware would step in [and] capture the shopper’s credit card number.”1

The unfortunate timing, the high profile of the retailer, and the sheer scope of the fraud (it affected 40 million credit and debit card-holders between November 27 and December 15, 2013) attracted a great deal of media attention. Much of the focus was on the fact that the United States still uses magnetic stripe cards—cards that contain static data that is easily cloned, making them more susceptible to being compromised by criminals. 

In late 2011, the major card associations in the United States (MasterCard, Visa, American Express, and Discover) had already announced plans to move to chip-based technology by October 1, 2015 as this is already the standard in more than 80 countries globally. However, the consumer impact of the breach at Target, and less than a year later at Home Depot and Staples, primed consumers to more readily adopt the new technology just as fast as the card issuers could deploy the new chip cards. 

Now merchants and card issuers alike must prepare as the liability for fraudulent transactions shifts. Effective October 1, 2015, either the card issuer or the merchant who does not support EMV will now assume the liability for counterfeit or stolen card transactions (with the exception of automatic fuel dispensers, which shift in October 2017). 

How Will EMV Cards Change the Point of Sale Experience?

Initially, most issuing banks are deploying cards with both an EMV chip as well as a traditional magnetic stripe to ensure that consumers are not limited to spending only in locations where the technology has been upgraded. 

The card-issuing bank actually programs the card to look for EMV capability within the merchant’s hardware. If the machine is EMV capable and the consumer instead swipes the magnetic stripe, then the terminal will prompt the cardholder to "dip” the card in the EMV slot. If, after a defined number of attempts, the chip is not read in the EMV slot, the merchant will be prompted to perform a magnetic stripe transaction. Likewise, if the magnetic stripe then fails, the merchant can fall back to existing card procedures and manually enter the card information or call the processor to voice-authorize a transaction. 

For a mobile or contactless payment, cardholders tap their payment device to the terminal. Again, they may need to sign, enter a PIN or do nothing, depending on the issuer and the dollar amount of the transaction.

What If I Keep to the Status Quo?

You might wonder if it’s worth the investment to switch to the new EMV-ready equipment. After all, you know your customers—many of them give you repeat business. Maybe you haven’t been hit by credit card fraud before, or if you have, as long as the bank was satisfied that you acted in good faith, they absorbed the loss and that was the end of it.

The answer to this way of thinking is simple: with the increase of credit card fraud and the sophistication of hacking technology, it’s no longer safe to assume that it won’t happen to your business. 

And, if and when it does occur, the liability will shift to you, meaning at the very least the entire transaction will come out of your pocket and you won’t have the option to present your side of a chargeback to the bank.

A small or medium-sized-business owner will often underestimate their store’s vulnerability. As the bigger stores become the first to adapt to the technology, criminals will look for new marks. And, contrary to popular belief, not all credit card fraud is perpetrated by large syndicate groups in foreign countries. Small-time thieves can easily commit fraud with relatively basic pieces of technology.

Cards embedded with an EMV chip will be more difficult to hack. If you have the equipment to accept EMV cards, the hackers are more likely to skip your establishment. The addition of entering a PIN (or a signature) at the POS adds a second layer of security for the cardholder and the merchant.

As more consumers begin to receive their EMV credit and debit cards, they’re going to expect that the retailers that accepted their credit cards before will also accept these new cards.  

Consumers may have been unaware of the flaws in their magstripe credit cards before, but the recent barrage of media coverage concerning credit card breaches has changed all that. Many of your customers watch the news and are concerned about the rise in credit card fraud—even if they aren’t financially liable, they don’t want to have to regularly check their credit report and worry about fraudulent charges. 

What’s the Future Beyond EMV?

There is no guarantee that retailers upgrading to an EMV-ready terminal will become completely secure. Hackers are constantly trying to stay one step ahead of their marks— the moment you adjust your settings to block them, they’re looking for new ways to break the code. 

But if you consider that the U.S. currently makes only 24% of all credit card sales yet accounts for 50% of fraud worldwide,2 it is clear that countries that no longer use magstripe cards are suffering fewer instances of fraud. EMV will be mandatory, so not upgrading will make you an even bigger target for fraudsters looking for easy prey. And when that happens, you’ll be stuck with the bill.

Having a payment-processing provider who stays on top of the latest technology is vital. Payment Alliance International is constantly monitoring the marketplace for the most innovative technologies. Since forming in 2005, we have quickly become an industry leader in electronic payments. Our payment expertise allows us to be a valuable partner with organizations that include the NRA Business Alliance, Crown Council, National Association of Sporting Good Wholesalers, Big Boy Restaurants International, and others.



Riley, Michael, Elgin, Ben, Lawrence, Dune, & Matlack, Carol (2014). Missed alarms and 40 million stolen credit card numbers: How Target blew it. Bloomberg Businessweek. Retrieved from: www.businessweek.com/articles/2014-03-13/targetmissed-alarms-in-epic-hack-of-credit-card-data (accessed November 14, 2014).
2 SquareUp (n.d.). Get ready for the nationwide switch to chip cards. SquareUp. Retrieved from: https://squareup.com/emv?gclid=CIv4nJC_7MECFQ9p7AodeU8AXg (accessed November 14, 2014).


Tags: [Merchant Solutions] – [Credit and Debit Cards]