New EMV Credit Card Rules Start Affecting Merchants in October
Over the past few years, as data security breaches have occurred at several local and national retailers, many consumers have received replacement credit cards that now have a chip on them. This technology was first deployed in Europe in 1992. Europay, MasterCard and Visa (EMV) is a global standard for inter-operation of integrated circuit cards (IC cards or “chip cards”) and IC-card-capable point of sale (POS) terminals and ATMs, and for authenticating credit and debit card transactions.
Currently, merchant banks write off fraudulent transactions every month. According to Business Insider Intelligence estimates, the cost of U.S. payment card fraud grew by 29 percent to $7.1 billion in 2013, and the U.S. now accounts for 51 percent of global payment fraud costs. But there is a shift in the air. Fed up with absorbing the losses on European cards being used fraudulently in the U.S., Europay has pushed for an EMV liability shift from the merchant bank to the merchant. When Canada made this liability shift in 2009, the country’s payment card fraud losses declined by 73 percent over a three-year period.
Soon, if a merchant does not adopt EMV processing technology, liability for credit card breaches will shift from the merchant bank to the merchant. Fraudulent transactions will be billed to the merchants if an EMV transaction is not used. American Express, Discover, MasterCard and Visa are implementing a liability shift for point of sale terminals in October 2015. For ATMs, the liability shift for MasterCard and Visa will occur in October 2016. For pay at the pump at gas stations, the liability shift will occur in October 2017.
According to issuer preference, some EMV cards are “chip and PIN” cards that require the customer to supply a 4-to-6-digit personal identification number (PIN) when making a purchase at PIN-capable terminals. The chips in these cards feature “PIN” at the top of the list of possible cardholder verification methods (CVM), but with a fallback option to signature (or even no verification at unattended terminals). These are the most secure transactions because they require two-factor authentication, something you have (the card) and something you know (the PIN), to generate the one-time transaction identifier.
Other EMV cards are either signature-only or prefer signature over PIN in their CVM list (i.e., signature at the POS, but PIN at unattended terminals or ATMs). These are often called “chip and signature” cards. These transactions are less secure than chip and PIN. The signature provides a second-level control only if the merchant checks it at the point of sale.
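The CVM list described above is stored on the chip as a short byte string (EMV tag 8E), and its ordering is what makes a card “chip and PIN” or “chip and signature.” The following Python sketch is an added example, not part of the original article: it decodes a CVM list and labels the card by the first rule that can apply to an attended purchase. The two sample lists are constructed for illustration, the function names are hypothetical, and the method and condition codes are taken from EMV Book 3.

```python
# Added example: decode an EMV CVM List (tag 8E value) and classify the card.
# Method and condition codes follow EMV Book 3; the sample lists are constructed.
METHODS = {
    0x00: "fail CVM processing",
    0x01: "plaintext PIN verified by chip",
    0x02: "enciphered PIN verified online",
    0x03: "plaintext PIN verified by chip, plus signature",
    0x04: "enciphered PIN verified by chip",
    0x05: "enciphered PIN verified by chip, plus signature",
    0x1E: "signature",
    0x1F: "no CVM required",
}
PIN_METHODS = {0x01, 0x02, 0x03, 0x04, 0x05}
# Conditions 01/04/05 (cash and cashback cases) never match a plain POS purchase.
CASH_ONLY = {0x01, 0x04, 0x05}

def parse_cvm_list(hex_value):
    """Return rules in priority order as (method, condition, continue_on_fail)."""
    raw = bytes.fromhex(hex_value)
    # Two 4-byte amount fields (X and Y) precede the 2-byte rules.
    if len(raw) < 10 or len(raw) % 2:
        raise ValueError("expected 8 amount bytes followed by 2-byte rules")
    rules = []
    for i in range(8, len(raw), 2):
        method = raw[i] & 0x3F          # low six bits select the method
        fallback = bool(raw[i] & 0x40)  # set: try the next rule if this one fails
        rules.append((method, raw[i + 1], fallback))
    return rules

def classify(rules):
    """Label the card by the first rule that can apply to an attended purchase."""
    for method, condition, _ in rules:
        if condition in CASH_ONLY:
            continue
        if method in PIN_METHODS:
            return "chip and PIN"
        if method == 0x1E:
            return "chip and signature"
    return "no cardholder verification"

CHIP_AND_PIN = "0000000000000000" "4403" "4103" "5E03" "1F03"        # constructed
CHIP_AND_SIGNATURE = "0000000000000000" "4201" "5E03" "4203" "1F03"  # constructed

if __name__ == "__main__":
    for sample in (CHIP_AND_PIN, CHIP_AND_SIGNATURE):
        rules = parse_cvm_list(sample)
        print(classify(rules))
        for method, condition, fallback in rules:
            print(f"  {METHODS.get(method, 'unknown')} (condition {condition:02X}, fallback={fallback})")
```

In the second sample the first rule is online PIN for unattended cash, which is why the card still behaves as signature-first at the point of sale.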
By the end of 2014, the Merchant Advisory Group estimated that only 2.1 million of the approximately 13.9 million POS terminals in the U.S. were EMV compliant. According to the EMV Migration Forum, 102 million EMV-compliant chip cards — the vast majority being credit cards — had been issued in the U.S. by the end of 2014. By the end of 2015, they estimate that the U.S. will have 600 million chip cards in circulation, the majority of which will be credit, not debit.
To be secure, the point of sale devices must be properly integrated into the merchant’s systems environment. Even though the Payment Card Industry Council standards for secure card environments have been around for a while — they are now on version 3 — issues still occur. After the new systems are in place, a PCI compliance audit or review helps ensure that the EMV technology has been implemented securely.