The EMV Mandate is Here: What You Need To Know
With the number of data breaches taking place in recent years, major credit card issuers set an October 1 U.S. deadline for all merchants to become compliant with Europay, MasterCard and Visa (EMV), or chip-and-PIN, standards, and that deadline has arrived. With the deadline passing earlier this month, merchants are now liable for any data breaches that occur as a result of not complying.
Prior to EMV's introduction in the U.S. payment system, U.S. credit and debit card systems were based on magnetic stripe reader (MSR) technology, which, in light of recent events, has proved ineffective at impeding cyber theft of consumers’ financial information. In an effort to counter these threats, EMV technology will become increasingly important in the U.S. as a preventative measure against future cyber-criminal activity.
With 600 million EMV cards expected to be in circulation by the end of the year, retailers that have yet to comply will need a quick pathway to prevent liability. On the consumer front, as the EMV mandate has arrived, 59 percent of consumers have yet to receive their new, chip-enabled credit cards, while 67 percent of credit card users have yet to receive information about the new chip-based credit cards, according to ACI Worldwide. Those who have received their credit cards aren’t even sure why they did, with 68 percent of Americans unaware of what the EMV deadline is and why they need new credit cards as a result.
From the merchant perspective, 47 percent of U.S. merchant terminals will be EMV-enabled by the end of 2015 according to the Payment Security Task Force, with many of them driven by large merchants. However, 451 Research found that just 4 percent of merchants with fewer than 20 employees have implemented EMV terminals have no plan in place to implement the technology prior to the October liability shift.
So from large to small merchants there are a number of considerations and incentives to push them towards compliance and increased data protection to prevent fraud liability:
Picking the Proper EMV POS Terminal:
EMV POS terminals have a variety of features, some required, some optional, according to a report from MasterCard Advisors. Some of these features include Offline Data Authentication (ODA) and PIN support. To ease the selection process, terminal vendors can provide Implementation Conformance Statements (ICS), which offer retailers a breakdown of the EMV features each POS terminal provides, so retailers can determine what works best for their business and meets customer expectations.
Installing Contactless EMV:
Smaller merchants are still hesitant to make the push for EMV, with some believing the costs associated with becoming EMV compliant will not result in ROI, but the EMV mandate will now push them towards implementation or leave them liable. Smaller merchants will be more likely to adopt a dual-interface solution, given the value they place on the mobile payment acceptance offered by payment service providers. NFC (near-field communication) payment cards have made their way onto the market with Apple Pay, Google Wallet and CurrentC, providing customers with a fast and convenient payment process. On the road to EMV compliance, retailers, both big and small, should consider installing EMV contactless payments, which can provide the best of both worlds with increased security and an expedited checkout.
Implementing End-to-End Encryption (E2EE):
E2EE is another component of payment security that works in tandem with EMV. While it isn’t required for EMV compliance, E2EE is quickly becoming more common to further protect credit card data and it is recommended retailers implement this encryption along with EMV, according to pymnts.com. E2EE ensures data is protected as it is in motion through the payment process.
While E2EE focuses on protecting data in transit, tokenization focuses on encrypting data at rest, as retailers store customer payment card information to track purchases and to assist in refunds. Tokenization replaces card data with a unique numerical token which is utilized by processors. Retailers choosing such a solution should consider whether it uses ‘format-preserving’ tokens, according to the above report from pymnts.com, where the token is the same format (15 or 16 digits) as the primary account number. Format preservation is essential for integrating many accounting and reporting software systems and allows retailers to confirm payment with customers by referring to the last four digits of the account number, according to the report. This helps expedite the process of EMV payments, which leads to faster transactions.
With the EMV mandate here, non-compliant merchants will need to take the necessary steps or be held liable. All of the above are top considerations as the U.S. credit card system moves forward with enhanced data protection that has already paid dividends overseas. For additional information on the onset of the EMV mandate, check out this article from Retailing Today.