By Sean Curran
The past two years have been anything but quiet for the retail industry, with some high-profile cases shining a spotlight on fraudulent use of or access to credit/debit cards and personal information. Despite the wave of trouble, the United States has lagged other parts of the world in adopting more secure payment systems. That is changing.
A transition to EMV payment card technology (named for the companies that developed the standard: Europay, MasterCard, and Visa) is underway. EMV cards have an embedded chip that stores and protects cardholder data, reducing the risk of a fraudulent card being used at the point of transaction. On the transaction end, these cards require a terminal that can read the chip. The cardholder inserts the card and then enters a PIN (“chip-and-PIN”) or signs (“chip-and-signature”) to complete payment.
October 2015 marks a critical point in the transition: a “liability shift” with respect to bearing the costs of fraudulent payment card use. From October 30, retailers continuing to use “swipe” technology will assume liability for fraudulent transactions if the customer presents an EMV card. If a retailer has and uses EMV technology but the customer does not present a card with an EMV chip, the bank remains liable for the fraudulent transaction. If a retailer has and uses EMV technology and the customer uses an EMV chip card, the bank still remains liable for the fraudulent transaction.
Each banking institution within the United States is responsible for determining and managing the rollout schedule of EMV cards, with the majority of smaller banks electing to replace non-EMV cards with EMV-capable cards only on their expiration. As a result, there will be a transition period. Nevertheless, to manage fraud liability, any business that accepts a payment card at the point of sale or service will need to have technology and processes in place to support both EMV and non-EMV cards.
Many related considerations
At the most basic level, retailers will need point-of-interaction devices that support EMV cards. Costs for adding or upgrading to such devices can range from $500 to $1,000 per payment terminal. But while technology is driving the change, there are other related considerations.
Depending on the technologies in use, point-of-sale (POS) systems may not work with EMV devices. If so, a retailer may need to consider upgrading its POS application to integrate EMV point-of-interaction devices with its POS system, or fall back to manually entering the tender amount.
Upgrading related systems and processes.
EMV technology lessens the risk of accepting a fraudulent card at the point of transaction, but it does not eliminate the risk of a data breach during the process of transmitting payment card information to the bank for authorization. In fact, many of the recent major breaches have resulted from attacks on the POS systems, using malware to capture the payment card data in memory when it is received from the point-of-interaction terminal.
A more secure alternative, point-to-point encryption, can be used to protect the payment channel in retail stores. Point-to-point encryption technology encrypts the payment card data at the point of interaction and keeps it encrypted all the way through the transaction process, from the point-of-interaction device to the POS system to the bank. Given the effort and investment that will go into upgrading terminal technology, this is a good opportunity for organizations to get more from that investment by adopting the added security of point-to-point encryption technology.
Likewise, upgrading or replacing devices to meet EMV standards may also provide a good opportunity to incorporate other evolving transaction methods, such as Apple Pay or Google Wallet, which may not be cost-effective on their own.
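As an added illustration (not part of the original article), the Python sketch below compares what a POS application holds when the terminal sends clear card data with what it holds when the terminal encrypts that data first, using a Luhn-validated scan for cleartext card numbers. The card number is a public test value; the key, nonce and buffer layout are hypothetical, and the HMAC-SHA256 keystream is a stand-in for the cipher a real point-to-point encryption terminal would use.

```python
import hashlib, hmac, re

# Constructed sample: track-2-style data built around a public test card number.
TRACK2 = b";4111111111111111=2512101?"
KEY = b"demo-key-shared-by-terminal-and-processor"  # hypothetical; never held by the POS
NONCE = b"txn-1042"                                  # hypothetical per-transaction value
PAN_RE = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")

def luhn_ok(digits):
    """Luhn check, used to discard digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_cleartext_pans(buf):
    """Return the Luhn-valid 13-19 digit runs present in a byte buffer."""
    hits = (m.group().decode() for m in PAN_RE.finditer(buf))
    return [h for h in hits if luhn_ok(h)]

def keystream_xor(key, nonce, data):
    """Stand-in cipher (HMAC-SHA256 keystream); the same call encrypts and decrypts."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def pos_buffer(payload):
    """Constructed stand-in for what the POS application holds for one sale."""
    return b"txn=1042;amount=18.50;card=" + payload + b";status=pending"

def compare():
    encrypted = keystream_xor(KEY, NONCE, TRACK2)  # performed inside the terminal
    return {
        "legacy_pos": find_cleartext_pans(pos_buffer(TRACK2)),
        "p2pe_pos": find_cleartext_pans(pos_buffer(encrypted)),
        "processor": find_cleartext_pans(keystream_xor(KEY, NONCE, encrypted)),
    }

if __name__ == "__main__":
    print(compare())
```

The same scan can be pointed at POS logs or crash dumps as a check that no cleartext card numbers reach the POS after a point-to-point encryption rollout.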
Balancing risk management with increased transaction time.
For retailers and consumers alike, one of the biggest changes may be the increased time required for an EMV transaction, which requires the EMV card to remain in the point-of-interaction device throughout the authorization process. Until now, some merchants with low-value transactions (for example, quick-service restaurants) have been able to complete a transaction in seconds. These retailers are concerned about the added time a customer will remain at the register through the EMV “dip” process, with some transactions taking up to 20 seconds to complete.
Accounting for fraud risk.
Because banks have previously carried much of the risk associated with fraudulent payment card use, most retailers have little experience estimating its impact on future financial performance. With the majority of major retailers in the United States already supporting EMV payment capabilities, smaller retailers may be hit the hardest as fraudulent transactions shift to those not yet accepting EMV cards.
In addition to interacting with new equipment, employees will need to understand their elevated role in risk management. In conjunction with training employees to use new devices and processes, it will be important to educate them on the value of using chip technology whenever possible to limit the merchant’s liability associated with fraudulent cards.
While the change to EMV technology benefits all involved, it is a big change nonetheless. That’s all the more reason for taking action now—and for looking as broadly as possible at the issues and opportunities associated with the change.