This article was originally published on KioskMarketplace.com.
Is there ONLY one way they can be impacted? Is this something that may adversely affect kiosk owners, even manufacturers, if they do not ensure their kiosks are EMV-enabled? To answer this, we may need to take a step back and analyse exactly what being EMV-enabled means and what happens if a kiosk isn’t ‘upgraded’ to ensure it is.
WHAT IS EMV?
EMV is a global payment standard that was established by the major international credit card companies. The acronym stands for “EuroPay”, “MasterCard”, “Visa”. The standard relies on modern credit card manufacture that utilizes of an embedded microprocessor chip. It replaces other card options that use the more commonly known magstripe or magnetic strip that stores data on the band of magnetic material found on the back of older cards. These cards have been proven to be less secure, as information on the magstripe can easily be retrieved and replicated, leaving the cardholder vulnerable to fraud.
WHY EMV IS IMPORTANT?
EMV technology was introduced as an option that, along with other security measures, could decrease fraudulent credit card activity. Some of the benefits of the implementation of EMV technology includes:
- Fraud Prevention – EMV cards have been proven to prevent fraudulent transactions. It is nearly impossible to clone because the chip is tamper-proof, making counterfeit card fraud extremely difficult. This, along with the security features mentioned below, are a huge deterrent to would-be fraudsters.
- Highly Effective Security Features – There are several security benefits of chip card technology. – It uses a unique card authentication process that makes it more secure. This process includes a one-time cryptographic transaction code (cryptogram) for each transaction that is never replicated or reused. Because the cryptogram is dynamically created by the chip card on each transaction, the data cannot be copied to use on other card present transactions. – Chip cards have built-in sophisticated encryption that allows cardholder verification. There are four (4) cardholder verification methods (CVM) supported by EMV: offline PIN, online PIN, signature, or no CVM. – Issuer-defined rules can be used to provide transaction authorization. The transaction can be authorized either online or offline (if offline authorization is supported by both the card and the POS. Card brand support in the U.S. varies.) These security features complement other payment security standards such as point-to-point encryption (P2PE) or tokenization, providing an additional layer of protection for users.
- Global Interoperability/Success – EMV is being successfully used in many countries including the United Kingdom, Europe, Canada, and Australia. According to an article by Ingenico Group, the United States is the last developed major country to adopt the technology.
Not convinced? Let’s do a side-by-side comparison of EMV to the magnetic strip card technology:
|MAGSTRIPE TECHNOLOGY||EMV TECHNOLOGY|
How do we know EMV isn’t more trouble than it’s worth and that it’s effective?
It is now a ‘choice’ in name only. Merchants who do not implement it are now liable for fraudulent transactions. Its effectiveness is already being seen in other countries such as the United Kingdom and Australia, that have already introduced it. Here are the facts and figures:
- 1.62 billion cards, 45% of the World’s payment cards, have EMV chips. This does not include the U.S. (Source – Move to Chip).
- 23.8 million terminals, 76% of the world’s payment terminals, can accept EMV cards.
- European Union – As the EU completed its migration to EMV, in 2013, the region saw an 80% reduction in credit card fraud. During the same period, the US witnessed a 47% increase in credit card fraud. (Source – Discover Financial Services)
- Canada: Debit losses fell from a high of $142 million in 2009 to $38.5 million in 2012 – a 73% drop. (Source – Gemalto)
- France: When EMV was implemented in 2005, counterfeit card fraud dropped by 91% while fraud from card theft fell by 98%.
Just imagine what effect it could have on the credit card fraud in the US. A study conducted by Javelin Strategy and Research stated that the number of in-store credit card fraud victims reached 5.6 million in 2015, up from 5.4 million in 2014. Online/mobile fraud or ‘card-not-present’ fraud reached 6 million in the US in 2015, up from 4.8 million in 2014. Unfortunately, the upcoming year doesn’t look too promising either.
Did you know that it is estimated that credit card fraud in the United States will reach $4 billion by the end of 2016, up 12.5 percent from last year? This is according to an article published by CNBC earlier this year. The article goes on to say that, this estimate could increase to as much as $10 billion between now and 2020 as fraudsters attempt to ‘cash in’ before chip card technology becomes the standard.
The study estimates that most of this fraud will be as a result of stolen credit card numbers online and via mobile channels. The other types of fraud could include application fraud — stolen/hacked information used to open new credit card accounts and thirdly, account takeover, where hackers use compromised data to log into consumer and business accounts online and siphon funds from them.
When broken down by transaction, Javelin’s study states that the average loss amount for existing cards was $980 in 2015, while the average for new-account fraud — which accounts for 20 percent of all fraud losses — was $2,379.
It is hoped that EMV implementation will significantly reduce these figures. However, implementation has been a slow process so far, with approximately one-third of the nation’s retailers completing implementation as of December. This is a stark contrast to the amount of chip cards being issued – 65 percent of all U.S. credit cards and 33 percent of U.S. debit cards were issued with chips, as of June, according to creditcards.com. However, experts expect that once the majority of merchants (84 percent according to Javelin) make the switch in the next three to four years, card security problems typically associated with magnetic swipe cards will greatly diminish.
But wait, three to four years? Wasn’t the deadline October 2015?
WHAT HAPPENS IF YOUR BUSINESS OR KIOSK IS NOT EMV-COMPLIANT?
The deadline, or the EMV liability shift date, was October 1, 2015, just over one year ago. It marked the date instituted by the various card brands for merchants to upgrade their payment infrastructure to accept EMV chip cards to avoid liability for fraud from counterfeit cards made from EMV chip cards. The liability, which prior to the deadline was borne by the issuer of the card (i.e. the bank or credit union) now shifts to the merchant or operator, who will now be responsible for paying any chargebacks resulting from fraudulent activity. This is quite a huge change that could have great financial implications, but merchants were given ample notice of the impending shift which was announced in 2011.
It hasn’t been for lack of trying. Many retailers encountered issues trying to implement the technology, including “long lines to install and certify the software and equipment needed to process chips”, according to an article by Olga Kharif at Bloomberg Technology. This might have been due to many trying to adopt the technology close to or after the deadline date, which for some, might have been a decision made only after they had to pay chargebacks.
An article on KioskMarketplace.com cited statistics from the State of Retail Payments 2016 Study by the National Retail Federation and Forrester Research which “reported that 57 percent of merchants have installed EMV equipment, but cannot enable it because they still are awaiting system certification. Of those, 60 percent have been waiting six months or longer.”
However, at the time of Kharif’s article, written earlier this year, Visa announced that “it was simplifying its equipment-certification process and changing its chargeback policies to reduce liability faced by merchants who haven’t yet moved to accept chip cards.” The article also stated effective July 22, Visa would “block all counterfeit-card chargebacks under $25” and by October would allow “banks to charge back only 10 counterfeit transactions per account, and will require them to assume liability for all transactions thereafter.” The $25 chargeback limit is temporary, and is set to expire in April, 2018.
WHAT YOU NEED TO DO AS A BUSINESS OWNER, KIOSK MANUFACTURER OR OPERATOR
Merchants and operators shouldn’t be disheartened or overwhelmed. The Ingenico Group’s blog titled, The EMV Fraud Liability Shift Date Has Passed: Is It Too Late for Me? lists the following steps needed for a business to become EMV-compliant:
- Invest in EMV-enabled smart payment terminals, mPOS solutions or kiosks. Consideration should be given to current hardware deployment, store count, POS capability and sales volume. Changes to current hardware and software may be required to support the new system. The installation process could take as long as four to five months for setup, including training of staff and beta testing.
- Become EMV-certified by EMVCo and the credit card issuers from which your store will accept payments. The certification process could take several weeks to several months to complete depending on the size and complexity of the business. The certification process takes merchants through three levels: – Levels 1 and 2 focus on certifying payment equipment (hardware and software) – Level 3 (completed by the acquirer for some smaller businesses) involves end-to-end certification and covers conduct between the merchant and card brand. Many kiosk providers are now building EMV-compliant kiosks, making it much easier for operators. Businesses interested in purchasing a kiosk can also stipulate it as a requirement to their kiosk provider. Businesses all over are taking the steps necessary to become compliant – “70 percent of U.S. consumer credit cards now have chips, and 76 percent of the 200 biggest merchants are able to accept them.” However, the EMV migration process has been slower for smaller merchants, according to MasterCard.
The easiest way for businesses to start the process of compliance is to find a technology partner or expert they can trust. At SlabbKiosks, we have partnered with the Ingenico Group to ensure that we can provide our customers with EMV-enabled kiosks through their Unattended Partner Program. The program works with kiosk providers, system integrators, value-added solution providers and gateway providers to enable acceptance of all payment methods while delivering secure, EMV and NFC-enabled unattended self-service solutions. They also provide seamless payment solutions and can take any company through the steps required to ensure they become EMV-compliant.
Chip card technology is by no means a panacea for credit card fraud, as it currently doesn’t address the type of fraud that occurs when credit card transactions are done via phone or online. That’s why it is important to always check your credit card statements for fraudulent activity every month. Many technology partners, such as Ingenico Group, recommend additional security measures such as tokenization – a technology that eliminates the need for retailers to store sensitive data on their network. It is the technology used by Apple Pay and Android Pay. Some credit card companies also offer their own versions. Some experts believe that two factor verification systems might be the solution when checking out of online retail sites or possibly an online form of EMV. However, for now, we have seen what EMV technology can do and it will become more effective if widely adopted. It is a step in the right direction, that everyone must take.