By: Maura Keller (updated by Keith Reid)
Editor’s Note: This article originally ran in the FMN Fall 2015 print magazine. It has been updated slightly to reflect the passage of the Oct. 1, 2015, deadline. The content is still relevant for the many companies that have not updated their systems to be EMV compliant.
As part of the EMV roll out in the U.S., petroleum retailers should have been EMV compliant inside their stores by Oct. 1, 2015. Research suggests that many retailers have failed to meet that deadline. They have until Oct. 1, 2017, to address payment at the forecourt via their fuel dispensers. Here is an overview on the costs, liabilities and benefits with getting on board.
The term “EMV” is derived from Europay, MasterCard and Visa, the original backers of this standard. EMV cards are currently in use in Europe, Canada and in many other regions.
Currently, the credit cards in use in the U.S. have a magnetic stripe on the back that is encoded with two “tracks” worth of data. These tracks are in a standard format and can be read by standard magnetic stripe readers. The data on the tracks is not protected by any type of encryption. Because this data is not protected in any way and because magnetic stripe readers and writers are inexpensive and easily acquired, the track information from one card can be skimmed by a hardware or software device.
EMV is the term for the global standard for integrated circuit (IC) cards utilized for the purpose of authenticating credit and debit card transactions. EMV cards typically have both a magnetic stripe as well as an integrated circuit (“chip”). These cards can be read by any standard magnetic stripe reader by swiping them, but they can also be inserted into an EMV terminal. Contacts in the terminal create an electrical connection with the chip on the card. When used in EMV mode, the card stays in the reader for the duration of the transaction.
“The U.S. is the last major market to adopt EMV standards for payment cards; however, other countries have seen significant reduction in fraud related charges as a result of adopting EMV,” said Michael Cerminaro, president & CEO of Allied Brand Capital. As an example, EMV chip-and-PIN has been highly successful reducing domestic fraud in the UK. Since 2004, domestic fraud losses on UK-issued payment cards have fallen by over 34%. EMV, also referred to as Chip-and-PIN, has successfully thwarted the primary fraud losses it was designed to prevent, counterfeit and lost or stolen card fraud. Allied Brand Capital is focused upon building collaborative solutions to assist petroleum retailers with their EMV migration needs. This includes working directly with many of the leading equipment manufacturers to provide cost-effective solutions.
One key component for retailers, as it pertains to EMV compliance, is its accompanying liability shift, which means that those merchants (or retailers) still using non-EMV compliant POS devices that choose to accept transactions made with EMV-compliant cards assume liability for all transactions at their site that are found to be fraudulent. Currently, payment card issuers take the loss for any counterfeit or other fraudulent charges.
As Joe O’Brien, vice president of marketing at Source North America Corporation explained, EMV compliance will have a direct effect on retailers, primarily because they need to make sure they have the POS terminal and infrastructure necessary to handle the increased data required for proper processing of EMV transactions, while still having the equipment ready to accept magstripe cards for the foreseeable future.
“EMV transactions with a chip in the card frequently have a few additional approval steps with older credit card processing systems, so the consumer may notice a bit of a delay at the register—nothing that would make you think twice about it though,” O’Brien said. “Additionally, consumers will become more acquainted with always keeping the card in their possession—rather than handing it over to a cashier to run it for them.”
It’s important to remember that the migration to EMV is not a mandate in the traditional sense. As Paige Anderson, director, government relations at NACS, explains, it is the credit card companies that imposed the October 1, 2015 deadline for EMV—not a government regulator. Also, most POS/card readers will be able to accept both magnetic stripe cards and cards with the embedded chip. So customers who haven’t received their new credit or debit card with the embedded chip will still be able to use their cards and will be accepted by most retailers.
“The only change that [happened] on Oct. 1, 2015 is that the liability for fraud shifts to the retailer if the retailer has not changed over their systems to EMV,” Anderson said. “In addition, banks need to have 75% of their cards EMV capable for the liability shift to happen. Some revised industry numbers have indicated that less than 25% of cards [were] EMV by October 1.”
Indeed, as there is no legal requirement to use the equipment necessary to accept EMV chip cards and transmit all the required EMV data at time of purchase, a retailer could simply accept an EMV card and run it through a POS terminal that has old magstripe technology.
“The transaction will still be completed, but the retailer has now assumed the full liability of any subsequent theft related to this transaction—including future losses—if the credit card info is stolen and used elsewhere,” O’Brien explained. “Or the retailer could opt not to accept EMV cards—this is entirely impractical for most ongoing businesses of any size. In some ways, it is a bit like taking a calculated risk—why spend $10,000 to cover a risk that you think may only be $5,000 if there is a problem.”