A significant change is happening to payment card technology. Any company that accepts credit cards as a form of payment needs to know about it if they intend to continue accepting payment cards in the future. The technology is called “EMV” (EuroPay, MasterCard, Visa). The card brands hope that EMV technology will significantly reduce the amount of fraud in transactions where the payment card is present. This blog post will discuss how EMV works, why it was adopted, how merchants can comply with its requirements, the incentives to adopt (and penalties in failing to adopt) the technology, and the security pros/cons of EMV.
SPOILER ALERT: EMV is effective in reducing the risk of fraud from counterfeit payment cards used for in-person transactions, but the best way to minimize payment card fraud is through implementation of point-to-point encryption and tokenization. The liability shift is an appealing incentive to adopt the technology, but many merchants have been reporting difficulty finding EMV software that works properly with the EMV hardware.
What is EMV? EMV (EuroPay, MasterCard, Visa) is a payment method that combines a plastic card with a microchip. Unlike your typical credit card, credit cards with an EMV chip generate a different code with every purchase a consumer makes. The code is shared with the issuing bank as part of the transaction to authenticate that the card is legitimate. Because the code changes with each transaction, even if a thief steals the information contained on the magnetic stripe of the credit card, he cannot create a counterfeit card because he cannot replicate the codes generated by the microchip. It is this inability to make counterfeit cards that makes EMV technology so important to the card brands and issuing banks.
Why was EMV created? EMV was created because criminals/hackers were stealing credit card information, selling it, and using it to create counterfeit credit cards. Those counterfeit cards are then often sold or used as part of identity theft and dark web crime rings. By requiring a microchip that generates a random code for each transaction, card brands have made it almost impossible to create a counterfeit card. EMV technology, however, is only helpful in preventing fraud where the card is present. Online transactions, for example, do not benefit from the technology because an e-commerce transaction usually does not require that a card be inserted or swiped into a point of sale terminal (which would allow for the micro-chip’s unique code generation). There are, however, other technologies like point-to-point encryption and tokenization (discussed below) that could potentially eliminate payment card data breaches.
How does a merchant become EMV-compliant? To become EMV-compliant, a merchant must install EMV-enabled point-of-sale terminals and obtain certification from its acquiring bank that its payment application for each card network is certified for EMV. The cost of a new EMV-compliant terminal can be between $250 and $500, depending on whether the merchant wants to purchase one that will also accept near-field communications payments like Apple Pay. The merchant also needs to ensure that EMV-compliant software is installed in these terminals. Several of payment card forensic contacts and merchant clients have told me that they are having issues implementing the software solutions.
What if a consumer wants to swipe her card instead of use the chip feature? Assuming the consumer is using an EMV card at an EMV-enabled terminal, the terminal will require the consumer to use the chip instead of swiping the card.
Is a signature or PIN required to complete a transaction? Each issuing bank will have different requirements. Visa has said that a signature accompanying the chip is sufficient. MasterCard, however, appears to prefer use of a PIN with the chip. If a merchant does not support the “Chip and PIN” system, but the subject transaction could have been performed with a PIN, then the merchant may be responsible for chargebacks related to those transactions.
Will merchants pay lower interchange fees if they adopt the EMV-compliant terminals? No and there are no current plans to change that, though it is possible the card brands could change their mind if EMV is not adopted quickly enough.
What is the “liability shift”? Until recently, issuing banks were responsible for card-present counterfeit fraud losses. As a way to encourage merchants to adopt EMV, the card brands have implemented a shift of liability as a “carrot” and “stick” approach. For most merchants, as of October 1, 2015, if they have been certified through their acquiring banks as EMV-compliant and they subsequently suffer a breach, they are not responsible for card-present counterfeit fraud losses. MasterCard requires that 95% of its transactions originate from EMV-compliant POS terminals for the liability shift to apply to 100% of the charges; the liability shift applies to only 50% of affected MasterCard transactions if only 75% of MasterCard transactions originate from EMV-compliant POS terminals. Merchants are not required to be EMV-compliant, but doing so gives them the protection of this liability shift. The liability shift likely applies to both magnetic stripe cards and EMV cards that are compromised, but the card brands have released public statements that create ambiguity.
Are there any exceptions to the October 1, 2015, deadline for the liability shift? Yes. The liability shift does not apply to automated fuel dispensers (gas pumps) until October 2017. Also, MasterCard is shifting its liability to ATM owners in October 2016; Visa is shifting that liability in October 2017. The EMV software for fuel dispensers and ATMs has been particularly lacking, making it extremely challenging for merchants to fully implement EMV technology. For small businesses that accept mobile payments (like Square), merchants will need to purchase new EMV readers. (Square has been assuming the liability until its customers purchase the EMV readers). Unfortunately, these delays may harm these merchants because they could result in a spike in fraud for those companies as criminals shift their focus to these targets that are easier to compromise without the EMV technology.
Besides the liability shift, why else should merchants move quickly to become EMV compliant? First, EMV has been shown to significantly lower fraudulent activity for card-present transactions. Second, fraud migrates to non-EMV compliant terminals. Third, if 75% of transactions are processed through EMV-enabled terminals and the terminals support contact and contactless transactions, the annual PCI DSS compliance validation with a QSA is no longer required. Fourth, you may be protected from assessments by card brands arising from a compromise of magnetic stripe cardholder information, if 95% of card-present transactions are from EMV-capable terminals 30 days before the start of the compromise event. Fifth, from a public relations standpoint, you do not want to be known as a company that doesn’t take customer security seriously. Finally, the EMV-capable POS terminals also allow the merchant to accept contactless transaction devices, which may be a feature the merchant does not currently offer.
Are there security weaknesses to EMV? Yes. As mentioned earlier, EMV is only helpful in reducing fraud where the payment card is present during the transaction; online purchases and other e-commerce would not be protected by EMV (for the time being). Also, some payment card security experts have observed that an EMV-compliant merchant still possesses personal account numbers for credit cards because EMV merely attaches the randomly generated code to the personal account number, meaning that a hacker could still potentially access the payment card information by merely removing/scrubbing the code from the personal account number, assuming the hackers access unencrypted information.
Are there better ways to secure payment card transactions? Absolutely. EMV is a “fraud-reducer,” but point-to-point encryption (P2PE) and tokenization is a “fraud eliminator.” P2PE encrypts the personal account number through the entire transaction process, so the merchant never possesses unencrypted personal account numbers and does not have the keys necessary to unlock the encrypted information. Tokenization takes security one step further by replacing the personal account number with a different number that is worthless to a hacker, so the merchant never possesses this valuable information. An example of tokenization is Apple Pay – when you pay for goods or services with Apple Pay you are not providing the merchant with your credit card number, but rather with a random number that would be useless in any other context.
In short, companies that accept credit and debit cards as a form of payment should move quickly to become EMV compliant. While EMV is not a panacea to protect against fraud, it can significantly reduce it and, more importantly, provide other benefits to a company, like the liability shift. Companies that want to take their security to the next level, however, should consider implementing P2PE and tokenization.