How EMV Affects eCommerce

Every sector has its own language. The government, the military, and the medical field aren’t the only ones that seem to have more acronyms than actual words; now, the private sector gets to join in the esoteric fun. In this article, I’ll reveal the latest acronym that merchants need to know – EMV.

What It Is

Acronyms are meant to make complex phrases easier to communicate, but the irony is that some, like EMV, don’t communicate any useful information.

What is EMV?

EMV is the standard which governs the new credit cards that use chips to store consumer data; it also governs the POS hardware that recognizes those cards. The acronym stands for EuroPay, Mastercard, and Visa, which were the financial institutions to originally develop the standard. The EMV standard is now governed by a consortium, with control split among the global financial institutions of Visa, Mastercard, JCB, American Express, China UnionPay, and Discover. As such, you may see EMVco in communication from your merchant services, but don’t worry – it’s the same thing.

If the acronym were SCC (for Secure Chip Card) its common usage would evoke meaningful words for the hearer. But apparently the PCI is vainglorious.

What is different about EMV cards?

EMV cards, more colloquially known as Chip Cards, differ from the ubiquitous Magnetic Strip Cards in how they store the card owner’s data (namely, the credit card number, expiration date, and security codes). The chips also store apps. But don’t get too excited – you won’t be playing Angry Birds on your credit card any time soon. These apps are simple programs that help make the card so secure. They operate entirely in the background, supplying the right information in the exchange with the card reader, and they can also automatically generate special per-transaction “passwords” that prevent your card from being duplicated in any meaningful way. This is the primary way that they cut down on credit card fraud.

These cards must be “dipped” or inserted into a special card reader, rather than “swiped” through the common magnetic strip reader. This has posed somewhat of a problem, since while dipping the card is not a complex operation to learn, we have the “swipe” completely ingrained in our muscle memory. Employees may require extra training, and consumers may need time to overcome trepidation over the change. And I’m not sure what will happen in American Sign Language, which still uses a sign for “credit card” which resembles the action of using the carbon-copy credit card machines of the 1970’s. But I digress.

What It Means For Merchants

The Good News

The good news is that these chip cards are much more secure in card-present transactions, such as in-person swipes at a physical cash register. Transactions using traditional cards are susceptible to several methods of fraud, and issuing banks can only verify the identity of the user via the signature on the paper receipt. Given that merchants will accept illegible scribbles or even smiley faces as signatures, anyone in possession of your card could make purchases without your consent. Most EMV-capable terminals use a PIN to verify the identity of the cardholder. The tried-and-true method of securing your debit card at the ATM will now be used to secure your EMV card at every physical point of sale.

The Bad News

The bad news is that purchases made over the phone or Internet (referred to as card-not-present, or CNP transactions) are just as susceptible to fraudulent transactions as the magnetic strip cards are. Each issuing bank is trying out its own methods for improving CNP security, but there is currently no sufficiently elegant or efficient solution.

The other bad news is that, given this increased fraud protection in card-present transactions, the card-issuing banks have been able to successfully implement a “liability shift”. This means that merchants will now be responsible for any fraud that occurs due to non-approved hardware and procedures.

To use Visa’s vernacular, “The party that has made investment in EMV deployment is protected from financial liability for card-present counterfeit fraud losses on this date [Oct 1, 2015, in the U.S.]. If neither or both parties are EMV compliant, the fraud liability remains the same as it is today.” In short, this means that if you’ve updated your POS hardware and trained your employees, the issuing bank will still be responsible to reimburse fraud victims. But those merchants that are not compliant (as of October 1, 2015) will be responsible to repay fraud victims for their losses.

A few types of businesses are on a different compliance schedule. Gas stations, for instance, need to be compliant sometime in 2017.

This liability shift does not apply in CNP transactions, such as online, mobile, and over-the-phone purchases.

What It Means For Customers

Aside from increased fraud protection, very little will change for customers using their new chip cards. In fact, current chip cards also include the old familiar magnetic strip, to ensure backwards compatibility. Consumers will be able to pay securely using their chip with merchants who have updated terminals, and using their magnetic strip for the “late adopter” merchants out there. This migration to the EMV technology will likely take years to become the new norm; based on observations in the UK, which started implementing the technology a few years ago, Visa and Mastercard project that it may take until the year 2022 to reach 90% saturation.

With a change this gradual, most consumers will be comfortable and familiar with the new cards long before magnetic stripes die away entirely.

Until the market is ready to completely do away with the magnetic strip, consumers who use the “dip” method may experience slightly longer wait times at the register. This delay, only a few seconds longer than the “swipe” method, is due to processing the extra steps which make the chips so secure. As technology progresses and the EMV standard is improved, the extra transaction time will gradually disappear.

What Merchants Need To Do About It

There are two schools of thought.

Some merchants are holding out for as long as they can. They are waiting to make the shift to EMV compliance until there is a comprehensive, unified solution that covers both POS and CNP transactions. They know that prototype and Version 1.0 technology is inelegant, buggy, and liable to be the most quickly outdated, so they wait for Consumer Reports to vet their cars, phones, and toaster ovens. And now, their POS too.

Other merchants see the ability to plug a hole in the financial boat, and invest immediately.

Both schools of thought have some wisdom, so the choice is yours. Personally, I think that if a few dollars spent now can save me potentially thousands later, it’s a no-brainer. Even if a newer, better POS is released six months from now, this is the cost of doing business.

So how does the EMV shift affect eCommerce? Well, if you are doing business exclusively online, there is not much you can do at this point. Mastercard is trying out its Chip Authentication Program, and Visa has a near-identical Dynamic Passcode Authentication program. Both of these solutions are literally placed in the hands of the consumer (and not the merchant) by the use of personal handheld card readers. These readers are primarily for the peace of mind of the consumer, and neither benefit nor harm the merchant in any way.

If you’re doing any business at a physical point of sale, then there’s not a lot of reason to delay making the switch. Get the new card readers installed, get your employees familiar with their use, and get busy enjoying the same-or-better fraud protection you’ve always had. And who knows? You may even encourage customer loyalty for the mere appearance of more secure and tech-savvy transaction processing.