EMV chip cards offer increased fraud protection to consumers, merchants and card issuers. If you haven't yet migrated your business's credit card processing equipment to an EMV-capable terminal or card reader, you need to start the process so that you can protect your business from liability and do your part to prevent credit card fraud. First, however, you should understand how chip cards work and how EMV regulations may affect your business. If you have specific questions about EMV-related issues, click the following topics to find links to articles written by industry experts. Otherwise, continue reading for a comprehensive look at EMV chip cards.
In This Guide:
- Is your business EMV compliant?
- Could EMV bankrupt your business?
- Are EMV cards actually safer than other cards?
- Do you know the difference between “chip and pin” and “chip and signature”?
- Is your business exempt from the liability shift?
- Does your mobile card reader need to be EMV compliant?
- Do fuel pumps and ATMs need to be EMV compliant?
- Have you implemented layered security measures in your card processing?
- Is EMV the same thing as PCI?
- Does EMV work with “contactless” RFID technology?
- Are you aware of EMV’s vulnerabilities?
- Do you “swipe the stripe” instead of “dipping the chip?”
With the additional security that EMV-chipped credit and debit cards offer your customers, as well as the protection from counterfeit fraud liability that you gain when you update your credit card processing equipment to accept these cards, attaining EMV compliance is a smart move for your business. Understanding the information in this guide can help your business navigate the costs and challenges of migrating to this technology, which adds a layer of security to your payment processing.
What Is EMV?
EMV refers to a technical standard for the microchips used in credit and debit cards and the devices used to accept them. These specifications were developed by credit card companies in order to establish a global standard that makes it possible for consumers to securely use their payment cards with businesses worldwide.
What Does EMV Stand For?
EMV is an acronym for EuroPay, MasterCard and Visa. These companies founded the organization EMVCo in 1994 to establish specifications that would ensure compatibility of chipped cards and payment terminals worldwide. The organization registered its EMV trademark in 1999, and since that time, the rest of the world's largest credit card issuers, American Express, Discover, JCB and UnionPay, have each purchased equal shares and have representation in EMVCo.
What Do EMV Cards Look Like?
EMV-chipped cards can be either credit or debit cards and are the same size and shape as typical credit cards. The distinctive feature is the small microprocessor chip embedded into them. Most cards still have a magnetic stripe on the back so that your customers can continue using them at your business if you haven't yet updated your equipment to include EMV credit card readers.
EMV Stats: Cards in the U.S.:
- The U.S. is now the country with the most Visa chip cards
- 70 percent of Americans have at least one EMV chip card in their wallets
- 40 percent of consumers haven't made a purchase using a chip card in an EMV-enabled terminal
- 600 million EMV chip cards were issued in the U.S. in 2015
- 617 million EMV chip cards are expected to be issued in the U.S. in 2016
- 98 percent of payment cards will be EMV chip cards by the end of 2017
Sources: ABI Research, CardHub, MasterCard, Visa
Where Did EMV Originate? A Brief History of the Chip Card
Microchips have been used as a security measure for credit cards in Europe since the 1990s, but as EMV chip card technology developed, U.S.-based businesses weren't required to adopt the technology. Most felt that existing security protocols were sufficient, and merchants, banks and card issuers resisted the transition to EMV due to the costs they would incur as a result of upgrading to the new technology. However, as fraud increased in the United States and decreased in countries utilizing EMV standards, it became apparent that additional security was needed. To hasten the transition to EMV, the card brands announced new rules that went into effect October 1, 2015, and shifted the liability for card-present purchases made with lost or stolen cardholder information to businesses that didn't meet EMV compliance for credit card processing.
Where Has EMV Been Adopted?
EMV is used in more than 80 countries in Africa, Asia, Europe and Latin America. Canada and Australia have also adopted EMV technology. Nearly every region using this technology reports a decline in credit card fraud. Tim Appleby, a security strategist from IBM's Security Intelligence, notes a significant decrease of credit card fraud in countries that use EMV cards and cites a 25 percent dip in Australia, a 35 percent decrease in Canada and Europe, and an astounding 80 percent drop in credit card fraud in Brazil. Appleby suggests that the reluctance to adopt EMV technology in the U.S. has made it an easy target for fraudsters, since magnetic stripe cards are easier to counterfeit than chipped cards, and has contributed to increased levels of credit card fraud attacks on U.S. businesses and consumers.
EMV Stats: U.S. Merchants' EMV Adoption Status:
- 1.2 million U.S. merchant locations have chip-enabled terminals and are accepting payments made using EMV chip cards
- 22 percent of merchants are EMV-capable
- 53 percent of merchants plan on being EMV-capable within 12 months
Major retailers with 100 percent EMV-compliant terminals:
- Best Buy
- CVS Caremark
- Dollar General
- The Home Depot
- Rite Aid
- Trader Joe's
Sources: Boston Retail Partners, CardHub and MasterCard
Why Is EMV Important?
Implementing EMV is important because payment card fraud is rampant in the U.S., in part due to its reluctance to adopt EMV security standards. Because payment cards in the U.S. continue to use magnetic stripe technology, it's a gold mine for criminals who counterfeit credit cards. Payment industry experts at The Nilson Report estimate that while 25 percent of the world's credit card transactions originate in the U.S., it receives nearly 50 percent of the fraud.
Additionally, 90 percent of data breaches occur at small businesses, according to security experts from processing giant First Data. Small businesses are choice targets because criminals expect to find less stringent security measures and older technology that they can more easily access. Failing to implement EMV technology at your business signals to criminals that the security on your payment system may be out of date and easy to infiltrate.
Is EMV More Secure?
Magnetic stripe cards have been in circulation since the 1960s and use the same technology as cassette tapes. The data on the magnetic stripe is static, which means that it doesn't change from transaction to transaction – making it easy to use once it's been copied. And because it's an old, familiar technology, it's been adapted for other uses so the tools and materials needed to copy and duplicate magnetic stripe cards are readily available online.
EMV is more secure because it's a newer, more sophisticated technology. The EMV chip generates a unique code that's only valid for the current transaction. This makes it much more difficult for criminals to intercept and replicate usable data. Even if a thief were able to skim the data, it would include a previously used transaction code, and a transaction attempted with it wouldn't go through.
Will Accepting EMV Cards Stop Fraudulent Charges?
EMV cards are only effective against card-present counterfeit fraud when you have an EMV-compliant card reader to accept them with. They don't prevent online fraud, and they don't prevent fraud if cardholder information is stolen from the magnetic stripe, as can occur when thieves attach skimmers to terminals with mag-stripe readers.
EMV & Layered Security: What Do I Need to Look For?
In addition to upgrading to EMV-compliant equipment, it's also important that you ensure that your business is PCI compliant and that you work with a processor that can provide P2PE and tokenization technologies. A multi-layered security approach with each of these technologies in place is effective at deterring data theft and reducing the usability of stolen payment card data.
What Is the EMV Liability Shift?
In the past, credit card issuers generally covered the costs of fraudulent purchases, but as of October 1, 2015, the card issuers shifted fraud liability to the party who is the weakest link in the payment process. This means that if you haven't upgraded to EMV processing equipment and implemented it, you are the liable party and you are legally responsible to cover costs related to fraudulent credit card use that occurs at your business's point-of-sale.
Although EMV compliance is voluntary, the costs of fraud to your business can easily exceed the cost of purchasing new equipment. For this reason, it's important to carefully consider whether the cost of upgrading your equipment outweighs the risks of retaining older credit card processing technology so that you can make an informed decision.
Four Benefits of Accepting EMV Chip Cards
You should consider several factors if you haven't yet adopted EMV technology at your business. When you upgrade and implement EMV-ready equipment, you accomplish the following:
- Protect your business against counterfeit fraud. When your customer uses his or her EMV chip card with your EMV card reader, your equipment verifies that the card is valid. This gives you peace of mind because you don't need to worry and wonder whether you've processed a counterfeited card.
- Protect your business against fraud liability. The main benefit that you receive when you upgrade to EMV-compliant equipment is protection from fraud liability. Because of the October 2015 liability shift, if you fail to upgrade your equipment, you are considered the weakest link in the payment chain, and any liabilities resulting from counterfeit fraud at the point-of-sale fall on you. By upgrading to EMV-compliant equipment, you shift the liability for counterfeit fraud back to the credit card companies.
- Let your customers know their payment data is safe. No one wants his or her information hacked. EMV compliance lets your customers know that when they do business with your company, they don't have to worry about their cards being skimmed or their data being compromised.
- Frustrate fraudsters. Using EMV technology discourages criminals from targeting your business because it makes it tougher for them to obtain and replicate usable payment card information. Countries that use EMV report significant decreases in counterfeit credit card fraud since adopting this technology.
What Are the Drawbacks of Chip Credit Cards?
Despite the increased security that EMV offers, it's important to be aware of the hurdles that you can expect to encounter as you implement your EMV-compliant terminal. Such challenges include the following:
- Upgrading costs. EMV mobile card readers offer the most affordable solutions as they often cost $100 or less. Stand-alone terminals are also affordable and generally cost around $200. However, the costs for updating POS systems vary greatly, depending on whether you have a single checkout station or multiple stations and on whether you need to purchase a new EMV-compliant card reader that plugs into your existing system, to update your software or to overhaul your entire system. If you have a customized system and require EMV certification, there may be an additional expense.
- Training employees and customers. Accepting chip credit cards is slightly different than swiping magnetic stripe cards. For a smooth transition, it's important that you identify which procedural changes your business needs to make and educate your staff about them so they, in turn, can train your customers. These are some differences to consider:
- Dipping the chip. The biggest change is that instead of handing your clerk a card, your customer inserts his or her chip credit card into the terminal and leaves it in the machine until the transaction is complete. If he or she removes the card early, it cancels the transaction.
- Waiting for the transaction to complete. Your customers may wonder why it takes EMV transactions longer to complete. Although it takes just a few extra seconds, the extra time may be frustrating for customers who are in a hurry. It may be helpful for your staff to use this time to briefly explain to customers that the terminal is communicating with the chip and that this technology helps prevent fraud. You could also consider using this time to tell your customers about your business's upcoming sales or promotions.
- Removing the chip credit card from the terminal. As your customers adjust to using EMV terminals, they may forget to remove their cards after the transactions are complete. You may be able to program your terminal to beep when it's ready for the customer to retrieve his or her card or set the receipt printer to require the card be removed prior to printing. Otherwise, your sales clerks may need to remind customers not to leave their cards.
- Tipping. If your business accepts tips, you need to find out if your terminal is certified to adjust tips; if it isn't, you need to get the tip and add it in so that you have the final total before you process the transaction. This means that your employees need to present the bill and allow your customer to add the tip before running the card.
- Implementation delay. One of the most frustrating drawbacks of EMV occurs when a merchant has upgraded to equipment that has a chip card reader but is unable to activate it. Typically, this affects merchants with a customized or proprietary payment system as it may require a software upgrade or EMV certification performed by the card brands. If your small business uses a basic terminal or a pre-configured POS system that is EMVCo certified, you shouldn't require testing or need to meet additional certification requirements. However, if you're shopping for a processor, you should verify that it, and any equipment you obtain from it, is EMV compliant and that you will be able to accept EMV immediately.
Is My Business EMV Compliant?
For most small businesses, achieving EMV compliance is simply a matter of upgrading their credit card processing hardware to an EMV-compliant terminal or card reader. If you have a point-of-sale (POS) system, you may need to replace just the terminal or you may be required to update your hardware and software as well in order to accept EMV-chipped cards. Larger systems may also require testing to obtain certification. If you need help determining what you need to do in order to become EMV compliant, you may benefit from consulting with your payment processor or an IT professional who can help you choose the best EMV-enabled processing equipment and software for your needs.
If you're required to update your equipment in order to become EMV compliant, it may be worthwhile to consider EMV terminals that can also accept payments made using near-field communication (NFC) technology, such as digital wallets like Apple Pay and Android Pay. Many EMV terminals include this technology or offer it as an upgrade, and upgrading now allows you to accept an emerging payment technology and may save you the expense of updating your equipment later as mobile wallets increase in popularity.
How Does EMV Affect My Business?
EMV regulations affect all businesses that accept credit and debit cards in person, whether your business is large or very small. By upgrading to EMV-certified equipment and attaining EMV compliance as necessary, you shield your business from the EMV liability shift that transfers the costs associated with fraud from card issuers to merchants.
Additionally, EMV technology offers your business another layer of security against credit card fraud. Because the microprocessor chips are harder to replicate than the magnetic stripe on older cards, it's more difficult for thieves to create counterfeit cards that they can use to purchase goods in-person at your business's point of sale.
What Could EMV Non-Compliance Cost My Company?
If you decide that the cost of upgrading your processing equipment to meet EMV standards is too expensive or if you think your business is too small for fraudsters to be interested in, it's important to reconsider. You need to evaluate whether your business can afford the charges and fees that you would be responsible for if a fraudulent credit card were to be used at your point of sale. Because of the EMV liability shift, if you're not EMV compliant, your business is at risk for fraud liability every time a customer presents a chipped card and you swipe the magnetic stripe to initiate the transaction instead of dipping the chip.
What Businesses Are Exempt From the EMV Liability Shift?
All businesses that accept credit and debit cards in-person, or "card-present," are subject to the EMV liability shift. The only exceptions are for ATM machines and automated fuel dispensers, which have extended deadlines due to the challenges and expenses of upgrading unmanned equipment. MasterCard shifts liability for fraud occurring at ATM machines on October 1, 2016, with Visa following suit on October 1, 2017. Visa, MasterCard, American Express and Discover networks shift liability for fraud occurring at fuel pumps on October 1, 2017.
Does My Mobile Card Reader Need to Be EMV Compliant?
The EMV liability shift applies to transactions made using mobile card readers (mPOS) that connect to phones and tablets as well as transactions made using terminals and POS systems. Although many credit card processors continue to provide free swipers, it's in your best interest to purchase an EMV-compliant mobile card reader.
EMV Stats: U.S. Merchants' Payment Security Strategies:
- 38 percent of merchants say payment security is their top priority
- 35 percent of merchants use tokenization to secure payment data at rest
- 49 percent of merchants utilize end-to-end encryption to secure transactions
- 42 percent of merchants haven't upgraded their terminals to accept EMV chip cards
- 43 percent of merchants that have experienced data breaches within the past five years haven't updated to EMV-compliant terminals
Sources: Boston Retail Partners and CardHub
How Do EMV Chip Cards Work?
An EMV card has a small microprocessor chip embedded into it, covered with a square, metallic contact plate. When your customer inserts, or "dips," the chip card into the credit card reader, the contact plate connects the chip to the reader, which powers the chip and initiates a data exchange with the terminal. For each transaction, the chip sends a unique cryptographic key, or transaction code, to the terminal that authenticates the card.
How Do EMV Cards Prevent Fraud?
Because each transaction is uniquely encoded, any card numbers that a criminal may be able to capture from a data breach are less valuable. This data encryption is a distinct advantage over magnetic stripe cards, which use a static code for every transaction; that information can easily be "skimmed" and copied to blank magnetic stripe cards that anyone can cheaply purchase online.
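The contrast between a per-transaction code and static stripe data can be modeled in a few lines. This is an added example, not part of the original guide: `ChipCard`, `Issuer` and the message layout are hypothetical, HMAC-SHA256 stands in for the cryptogram algorithm a real EMV chip uses with the key stored inside it, and the card number is a constructed test value.

```python
import hashlib
import hmac
import secrets
import struct

PAN = "4111111111111111"  # constructed test card number, not a real account


def _message(pan: str, amount_cents: int, nonce: bytes, atc: int) -> bytes:
    """Bytes the transaction code is computed over."""
    return pan.encode() + struct.pack(">QH", amount_cents, atc) + nonce


class ChipCard:
    """Hypothetical chip: holds a secret key and a per-card transaction counter."""

    def __init__(self, pan: str, key: bytes):
        self.pan = pan
        self._key = key   # stays inside the chip; a skimmer never sees it
        self._atc = 0     # incremented on every transaction

    def sign(self, amount_cents: int, nonce: bytes) -> dict:
        self._atc += 1
        msg = _message(self.pan, amount_cents, nonce, self._atc)
        code = hmac.new(self._key, msg, hashlib.sha256).digest()[:8]
        return {"pan": self.pan, "amount": amount_cents, "nonce": nonce,
                "atc": self._atc, "code": code}


class Issuer:
    """Hypothetical issuer host that shares each card's key."""

    def __init__(self):
        self._keys = {}
        self._last_atc = {}

    def enroll(self, pan: str) -> ChipCard:
        key = secrets.token_bytes(32)
        self._keys[pan] = key
        self._last_atc[pan] = 0
        return ChipCard(pan, key)

    def authorize_chip(self, txn: dict) -> str:
        key = self._keys.get(txn["pan"])
        if key is None:
            return "DECLINE: unknown card"
        msg = _message(txn["pan"], txn["amount"], txn["nonce"], txn["atc"])
        expected = hmac.new(key, msg, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, txn["code"]):
            return "DECLINE: transaction code does not match"
        if txn["atc"] <= self._last_atc[txn["pan"]]:
            return "DECLINE: transaction code already used"
        self._last_atc[txn["pan"]] = txn["atc"]
        return "APPROVE"

    def authorize_magstripe(self, track: str) -> str:
        # Static stripe data: a copy is byte-for-byte identical to the original,
        # so the issuer has nothing to tell them apart.
        pan = track.split("=", 1)[0]
        return "APPROVE" if pan in self._keys else "DECLINE: unknown card"


def run_demo() -> dict:
    issuer = Issuer()
    card = issuer.enroll(PAN)

    genuine = card.sign(2500, secrets.token_bytes(4))
    results = {"chip_genuine": issuer.authorize_chip(genuine)}

    # The same captured message presented a second time.
    results["chip_replayed"] = issuer.authorize_chip(dict(genuine))

    # Captured code paired with different transaction details.
    reused = dict(genuine, amount=250000, atc=genuine["atc"] + 1)
    results["chip_code_reused"] = issuer.authorize_chip(reused)

    # The card itself keeps working: its next code is fresh.
    results["chip_next"] = issuer.authorize_chip(card.sign(1200, secrets.token_bytes(4)))

    track = PAN + "=2512"  # constructed stripe data: number and expiry
    results["stripe_original"] = issuer.authorize_magstripe(track)
    results["stripe_copy"] = issuer.authorize_magstripe(str(track))
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:18} {outcome}")
```

The stripe copy is approved because nothing in it changes between uses, while the captured chip data is declined both when presented again and when paired with different transaction details.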
It's important to note that EMV isn't the final answer to fraud prevention; there are still vulnerabilities to be aware of and additional security measures that you need to put into place to protect your customers' payment data. Thieves relentlessly search for new ways to circumvent security protocols, so it's important that you're vigilant in keeping up to date with security advancements. Some EMV security weaknesses to be aware of include the following issues:
- Magnetic stripes. Most EMV cards in the U.S. still have magnetic stripes to ensure functionality at older terminals, and these magnetic stripes are still vulnerable to skimming and data breaches if the card is swiped instead of dipped.
- Chip & signature. Most U.S. card issuers have deployed EMV cards that cardholders authorize with signatures instead of PINs to complete transactions. Because it's easy to fake a signature, thieves could still use stolen cards at retail stores if the cardholder hasn't yet reported the cards lost or stolen.
- Card-present only. Online purchases or other transactions made without a physical card, such as payments made over the phone, don't use the chip and therefore don't have the layer of security in place that EMV chips provide.
What Is the Difference Between Chip & Sign v. Chip & PIN?
As with magnetic-stripe cards, your customer is required to sign a receipt or enter a PIN to complete a transaction made with an EMV chip card. This secondary authentication method helps you verify that your customer is the owner of the card. As with magnetic-stripe cards, signature authentication – chip and sign – continues to be commonly used for credit card transactions, with PINs – chip and PIN – reserved for use with debit cards and at ATMs.
Chip and sign is thought to be less secure than Chip and PIN, but it's familiar to customers and is largely still in place as a means of reducing friction in the checkout line. Industry experts believe that insisting on chip and PIN would confuse and frustrate customers, thereby slowing down checkout lines, resulting in resistance to EMV acceptance in the U.S. by both merchants and consumers.
Is EMV the Same as PCI?
Like EMV standards, Payment Card Industry (PCI) data security standards (DSS) aim to reduce credit card fraud and protect your customers' payment data. However, the approaches are different. EMV technology secures the data on the card. PCI compliance ensures that you, the merchant, keep your network secure and updated and that you restrict physical access to cardholder data.
Does EMV Use P2PE and Tokenization Technology?
Point-to-point encryption (P2PE) and tokenization are advanced security technologies that work together with EMV to create a multi-layered security strategy that protects your customers' card data through the entire transaction process. Each technology performs a distinct role in preventing criminal access to card data:
- EMV. This technology authenticates physical payment cards, which protects against counterfeiting and skimming.
- P2PE. Point-to-point encryption encodes card data when it enters the terminal and keeps it encrypted as it travels to your processor. This prevents data breaches by removing multiple vulnerable points during the transaction process where the card data would otherwise be decrypted and re-encrypted.
- Tokenization. This security method replaces card data with a randomly generated, non-sensitive set of numbers called a token. The token can't be reversed back to the original card number, which means that if the data were to be stolen, it would be worthless to thieves.
Contactless credit cards use a specific subset of radio frequency (RF) technology called near-field communication (NFC) that limits the radio frequency transmission to just a few centimeters and includes a secure element that protects cardholder data. An EMV contactless credit card, also referred to as a dual interface chip card, contains both an EMV chip and an NFC chip that has an antenna. This type of card can be dipped into an EMV card reader or it can be used as a contactless card by waving or tapping it against an NFC card reader, similar to the way NFC-enabled mobile devices are used for Apple Pay or Android Pay transactions. Radio frequency identification (RFID) typically has a long-range transmission, lacks security protocols, and is used to track inventory or animals.
Although adopting EMV technology requires you to upgrade or replace your existing payment processing equipment, which can be costly and time-consuming, it allows you to shift fraud liability back to the credit card companies. Additionally, EMV helps you prevent fraud by providing you with a security measure that verifies the validity of your customers' cards. For these reasons, it's a worthwhile investment for your business if you accept payment cards from your customers in person.
EMV Chip Cards: Terms You Should Know
Every industry has its own acronyms and industry-specific terms, and the payment card industry is no exception. These definitions can help you understand EMV and its role in credit card processing.
- Chip & PIN Card: Most debit cards embedded with EMV chips require your customers to complete a transaction by entering a four- or six-digit PIN. Some EMV credit cards may also have PIN as an option; however, most credit cards issued in the U.S. require a signature instead.
- Chip & Signature Card: Most credit cards embedded with EMV chips require your customer to complete the transaction by signing his or her name on the receipt or touchscreen instead of entering a PIN number. Chip-and-signature cards are considered by many payment industry experts to be less secure than Chip-and-PIN cards, but they offer your customers the convenience and familiarity of signing a receipt.
- Contactless Cards: Payment cards embedded with near-field communication (NFC) chips use radio frequency (RF) technology to communicate with payment terminals. NFC includes a security element and uses short-proximity transmissions that require the card to be within just a few centimeters of the terminal.
- EMV: EMV is a global, technical standard for the microprocessor chips used in payment cards. EMV stands for Europay, MasterCard and Visa, the credit card companies that founded EMVCo, the organization that established the standards. EMV standards ensure worldwide interoperability of chipped cards and payment terminals.
- EMV Chip Card: Also called a chip card, integrated circuit card (ICC) or smart card, an EMV card is a credit or debit card embedded with a secure microcontroller or secure memory chip that complies with the technical standards established by EMVCo. These chips store large amounts of data and communicate with payment terminals. EMV cards are more secure than magnetic stripe cards because the microchip generates a unique transaction code for each use that authenticates the card, making the card data less valuable to thieves.
- EMV Reader: Processing equipment that accepts credit and debit cards with embedded EMV chips is called an EMV reader. EMV readers may be countertop credit card terminals, point-of-sale systems or mobile credit card readers that connect to mobile devices via a headphone jack or Bluetooth.
- EMV Liability Shift: On October 1, 2015, the credit card companies shifted the liability for fraudulent purchases to the party with the least secure payment system in place. This means that if you accept credit cards and haven't upgraded to EMV-compliant processing equipment, you are responsible for covering fraud-related costs if a fraudulent purchase is made at your business.
- ICC: An integrated circuit card (ICC) is a card embedded with a secure microcontroller or memory chip that stores large amounts of data and communicates with a card reader. Other names for this type of card include chip card and smart card.
- Magnetic Stripe: This is the small stripe made of plastic film and iron particles that is located on the back of most payment cards in the U.S. It is encoded with information about the cardholder's payment account, such as the account number, expiration date and verification code, which is then decoded when the card is swiped through a magnetic stripe card reader.
- NFC: Near-field communication (NFC) is a type of radio frequency (RF) technology that utilizes short-range radio frequencies to transmit payment data from a smartphone or contactless credit card to a terminal. The frequency's proximity is just a few centimeters, and this technology supports security protocols such as tokenization.
- P2PE: Point-to-point encryption is a PCI-certified form of end-to-end encryption (E2EE) that encrypts the card data when it enters the terminal and keeps the data encrypted until it is received and decrypted by the processor.
- PCI: The Payment Card Industry (PCI), comprised of major card brands, such as Visa, MasterCard, American Express, Discover and JCB, established the PCI Security Standards Council (PCI SSC) to establish guidelines called PCI Data Security Standards (PCI DSS) that instruct merchants on the proper handling of cardholder information in order to protect payment card data and prevent fraud.
- Smart Card: Cards embedded with microprocessor or integrated circuit chips are referred to as smart cards. They are also commonly called chip cards or integrated circuit cards (ICC). Not all smart cards are EMV payment cards; smart cards are frequently used as high-security identification cards.
- RFID: Radio frequency identification (RFID) is a form of radio frequency (RF) that lacks security protocols and uses long-range frequencies. It is frequently used to track animals or inventory. Contactless payment technologies use near field communication (NFC), a short-range frequency that requires the card or mobile device to either tap or be held just a few centimeters from the card reader. NFC supports security protocols like tokenization.
- Tokenization: This data security measure replaces your customers' payment card data with tokens, which are unique codes that can't be decrypted because they are randomly generated. The tokens are useless to hackers and can't be used to access or replicate actual payment card data. Data security experts recommend implementing tokenization in addition to point-to-point encryption (P2PE) and EMV technology in order to best secure your customers' payment data.