Big changes are happening in the credit card processing industry that will impact every business accepting credit card payments. As a financial institution, your small business customers will likely look to you for answers around these changes. It’s crucial you are prepared to answer:
- What are EMV Chip/Smart Cards and why should I care?
- How will my business be impacted by EMV?
- When will my business need to be ready for EMV?
Not sure how to address these questions? Let’s take a deep dive into what you need to know to help educate your small business customers.
What is EMV?
EMV stands for Europay, MasterCard and Visa. It is a payment specification that defines how chip-based credit cards (smart cards) will interface with new credit card terminals and Point-of-Sale (POS) systems at Card-Present (brick and mortar) businesses. Ideally, once EMV is fully deployed, credit cards will no longer be “swiped”. EMV is intended to replace the magnetic stripe with a more secure chip-based technology. EMV credit cards will be inserted (often referred to as “dipped”) or waived over a terminal (contactless interface using Near Field Communication) at which time the chips built into the cards will interact with the terminal to authenticate a transaction and verify the cardholder. The cardholder will be required to enter a unique PIN number or provide signature. The specific procedure will vary by credit card issuer and the terminal will prompt for the required customer authentication. After the EMV authentication and verification, the credit card sale will be handled much like it is today. PIN authentication is the most effective approach to maximize fraud protection, however, the authentication method is up to the credit card issuing bank.
Business Impacts: Card-Present Businesses
The primary goal of EMV is to reduce fraudulent payments resulting from counterfeit and lost or stolen credit cards at Card-Present businesses. This in turn will reduce chargeback disputes that lead to lost revenue for businesses, processors and credit card issuers alike. However, fraud prevention comes at a price. According to Javelin Strategy & Research, the EMV rollout price tag will top $8 Billion in the U.S. alone. The cost to Card-Present businesses will be driven by investment in new credit card terminals and POS readers compatible with the new chip-based smart cards with EMV-compatible terminals and readers ranging from $150 to several hundreds of dollars per unit.
With the potential for significant investment needed to support EMV, many businesses are asking why they should outlay their capital for new EMV-ready equipment. EMV technology will help reduce fraudulent payments, ultimately saving businesses lost revenue and decreasing the time spent fighting chargeback disputes. There is also the consideration of the “liability shift” – as EMV is rolled out in October of this year, any Card-Present business not ready to accept EMV smart cards will assume 100 percent of the liability for counterfeit fraudulent payments, meaning your business will lose charge backs tagged as fraud due to counterfeit credit cards if the card counterfeited was an EMV card. The specifics of the liability shift can be confusing, however, it is clear a business’ liability will increase if they do not support EMV. EMV has been implemented in other countries, resulting in significant reduction in fraud for those businesses that adopted EMV capability. However, for card-present businesses that choose not to support EMV, the incident rate for fraud increased. Finally, the customer’s perception should be taken into account. As smart cards become more prevalent, customers will become more accustomed to dipping vs. swiping their credit card. Businesses without EMV supporting equipment may notice customers raising concerns regarding the risk of using their credit cards in non-compliant terminals and POS readers.
To be safe, Card-Present businesses should comply and support EMV. Generally, the risks associated with not supporting EMV outweigh the costs to purchase compliant equipment. Ultimately, businesses are not mandated to comply. The magnetic strips will continue to be available on issued cards for some time to come and each business will need to determine their course of action based on their specific needs.
Business Impacts: Card-NOT-Present and E-Commerce Businesses
Terminals, virtual terminals and gateways currently being used by Card-Not-Present (CNP) and eCommerce businesses will continue to work in the new EMV world and credit card payments will be taken in the same way they are today. However, with the new rollout, fraud is expected to increase significantly for CNP and eCommerce businesses. Both Europe and Canada realized a significant increase in fraud activity at CNP and eCommerce businesses as EMV was implemented. In fact, according to the Aite Group, Canada realized a 133 percent increase in CNP fraudulent payments as EMV was introduced in 2008.
Even with past reports of fraud, CNP and eCommerce businesses are not helpless – there are actions that can be taken now to prepare for this forecasted increase in fraudulent activity, like utilizing code validation and address verification. Beyond these measures, it will be even more critical to know your customers on a personal level. eCommerce businesses should require customer registration and assign user IDs and passwords to track users and monitor those who commit fraud or submit charge back disputes. In some cases, software providers may require upgrades to leverage more secure encryption and tokenization methods. For added fraud avoidance, 3D Secure or fraud scoring systems may be implemented. 3D Secure systems, namely Verified by Visa, MasterCard SecureCode and American Express SafeKey, have been around since 2001. These technologies require cardholders to register their credit card and the supporting eCommerce website will authenticate the transaction with 3D Secure at checkout to ensure the purchaser is in fact the cardholder. One downfall of this solution is that cardholders must proactively register their credit cards. In contrast, fraud scoring systems determine the risk level by rating each sale using technologies that track IP origin and proxy detection, as well as mine social media and customer history. These robust tools can aid companies in identifying and avoiding high-risk sales that may turn into chargebacks due to fraud.
Increased diligence will be needed by businesses accepting CNP and eCommerce payments. Businesses should question all unusual sales. Examples of questionable sales may include:
- International orders that are rare for your business
- High dollar orders by a new customer
- Large number of a particular product in a single order
- Many separate orders made by the same credit card number
- Customers who request to use their own freight shipping companies
Timeline for EMV
The card associations set a date of October 2015 for EMV compliance by Card-Present businesses. Other POS systems, like automated fuel dispensers used at gas stations, have until 2017 to support EMV and many card issuers are currently in the process of distributing smart cards to their cardholders. While Card-Present businesses are expected to be ready to support smart cards in October, many cardholders will still carry magnetic strip only credit cards and will find many EMV equipment terminals to be equipped to accept both types of cards, prompting the user for the expected method of authentication. With that being said, many industry research groups project complete EMV readiness will not happen until after 2018. Until then, customers and store employees will need to understand the procedures for handling both card types for years to come.
The time to prepare for smart card acceptance is now. Working with a trusted advisor, businesses should begin to assess what is needed to upgrade terminals and POS card readers. Outlining a plan to manage the replacement of old equipment with new EMV compatible equipment can help ease the financial impact. However, businesses should be cautious of deceitful sales groups who are leveraging EMV as a means to scare businesses into making unnecessary changes and costly purchases of equipment.
Patrick O’Boyle is a founding Partner of MSP Consulting. Patrick has more than 20 years experience advising businesses in areas of technology-enablement, payment services and customer service and support.