What You Need To Know About EMV Cards
There is a lot in the news these days about the new chip cards (a.k.a. EMV). For those in the payments space, you’ve known about this impending shift for years, but many players in the ecosystem are still confused – most importantly the customers.
What changed last week? What is the liability shift?
Normally, for in-store transactions (a.k.a. card present), the card issuer owns the majority of fraud liability. Starting October 1st, the networks implemented a “weakest link” clause – now, liability ownership depends on whether each party (issuer vs. merchant) implemented the EMVCo standard.
If the card has an EMV chip, but the merchant does not accept EMV, then the merchant is responsible for any fraud related to that transaction. The liability for fraud shifts from the card issuer to the merchant.
However, if both parties are EMV-ready (or neither party is), then liability remains with the issuer. The same goes if the issuer is the weak link (i.e. does not have a chip in their card).
What does this mean for the customer?
Two things…First, the customer action is different. Now, you dip your card into the POS (point-of-sale) reader – and you have to leave it there for a few seconds. No more quick swipe. Do not expect the cashier to be intimately familiar with this either. This change is likely to catch both parties off-guard.
Second, often the customer cannot choose to still swipe. Merchants and issuers are implementing rules to force customers to use the chip if the card and terminal are EMV capable – don’t be surprised if your swipe is rejected where you can dip your card. Again, the cashier may be equally unfamiliar.
What does this mean for the merchant?
The implications for the merchant are broad. First, the merchant must decide whether they want to upgrade to accept EMV chip cards. While the intent of the liability shift is for all merchants to upgrade, it should not be assumed. For example, if a merchant operates in an industry with low fraud rates (e.g. in-person transactions in a customer’s home) or if a merchant is small enough so that fraud costs are negligible compared to the cost of upgrading, then it may not make sense.
Second, upgrading is not a non-event. If you have an out-of-the-box payments solution, it should be easy, albeit expensive. You can just buy the out-of-the-box EMV solution from your existing provider. If, however, some parts of your system are custom-built, then you must decide whether or not you want to build a custom EMV migration or whether to sacrifice some system flexibility and add a vendor for the EMV pieces. Implementing EMV requires at least 12 weeks – you have to certify with each network.
Third, the merchant must now begin to worry about fraud ownership. Today, unless a merchant broke network rules (e.g. not checking ID, not collecting signatures, etc.), they should not own the fraud. If a merchant does not upgrade to avoid the liability shift, this could have a significant impact on the bottom line.
Why did this change?
EMV chip cards took hold nearly 20 years ago as a method to combat fraud in European markets, where the real-time communications infrastructure was less developed. Using a chip created a way to somewhat validate a transaction without a real-time authorization to your bank to validate funds availability. It is now a global standard, widely considered more secure than traditional magstripe.
At a high level, EMV added two new elements to increase security. First, it embeds your information in a chip so that the data cannot simply be read off a magnetic stripe and dumped on a new dummy card. This chip also allows for a two-way communication between your card and the terminal, enabling (among other things) decisions on purchases when the terminal is offline. Second, it switches from sending mostly static data from your magstripe to instead sending an encrypted payload that contains your static card number paired with single-use dynamic data for that specific transaction.
How do mobile payments fit into this?
The new mobile wallets (e.g. Apple Pay, Android Pay, Samsung Pay) are capable of sending EMV-level data to a terminal. However, there are nuances related to specific offerings, such as Samsung Pay’s MST (Magnetic Secure Transmission) or network differences, where the exact liability ownership may not always be clear.
On another note, some felt mobile payments are a solution looking for a problem – swiping your card is easy. Why mess with a good thing? However, now customers must dip their cards and wait for the transaction to process – compared to this, mobile payments may be easier. This could lead to increased adoption of mobile payments solutions. Plus, acceptance of contactless mobile wallets is growing thanks to all the new terminals being installed (due to the liability shift).
Anything else I should know?
When you go abroad and cashiers see a chip in your card, they may expect you to have a PIN code. Most other countries have used Chip & PIN for a long time – it is almost assumed. For debit this fits, but for credit most U.S. issuers implemented Chip & Sig (Signature). There is no PIN. Be ready to explain to the cashier that you don’t have a PIN and sign like you always do.
Another thing to be aware of is offline vs. online terminals. In some areas, e.g. terminals in train stations or gas stations, the terminals may be offline and there is logic built into the chip to decide whether or not to trust the transaction without an online authorization. Not all U.S. issuers support offline mode, so be aware your card may not work at these offline terminals.