What Is EMV Compliance?
You may have noticed that your most recent credit card looks a bit different than your last. That conspicuous computer chip embedded in the plastic represents a new security standard, EMV Compliance. The new standard is being rolled out in the United States this year and it will slightly change the way we use credit/debit cards at the cash register.
Why Is This Happening?
It may not show up in most economic studies, but credit card fraud is a multi-billion dollar industry, with the United States accounting for roughly half of all credit card fraud in the world. What makes America so vulnerable? Unlike most of the rest of the world, the U.S. has relied on a combination of antiquated magnetic strip technology and handwritten signatures to process credit card transactions. To make a fraudulent, in-person transaction, all the fraudster needs to do is clone the magnetic strip and forge the signature. Banks have typically been held liable for the fraudulent charges.
In an effort to curb losses, the American government introduced a law that took effect as of October 1st, 2015. This law aims to bring the nation into something more closely resembling the EMV standards that have been used to reduce credit card fraud in other parts of the world for over a decade.
How Does EMV Compliance Affect Banks and Merchants?
Credit cards compliant with EMV standards (Europay, Visa, and Mastercard) use an embedded microchip to authenticate the credit card at the time of each transaction, assuming the terminal is also EMV compliant. This makes the card difficult to clone. To perform the authentication, the card is inserted into the EMV-compatible POS terminal or, in the case of newer contactless cards, held in close proximity to a Near Field Communication-enabled EMV terminal.
The American adoption of this decade-old technology has a few quirks. The first is that this is entirely optional. That’s right, neither banks nor merchants are under any obligation to start using EMV cards. No one’s going to come and shut down your registers or stop you from processing credit cards if you don’t. The new law is actually a liability standard designed to encourage adoption of EMV cards by banks and EMV terminals by merchants.
It works like this. If credit card fraud is committed with an EMV card at an EMV terminal, the fraudulent charges will be resolved more or less in the same way they are now. The same applies to non-EMV cards used at non-EMV POS terminals. The wrinkle comes into play during asymmetrical transactions, where either the card or the terminal is not compliant. In this case, whichever entity did not make the EMV investment will be held accountable for the fraudulent charges. Given the “soft” nature of the law, we can expect compatibility to roll out in waves as banks and merchants calculate the risk vs. cost ratios of non-compliance. It’ll likely be a few years before EMV becomes ubiquitous.
Pay-at-the-pump card transactions are exempted from the new liability standards until October 2017.
Is It All It’s Cracked Up To Be?
Not really. Not yet, anyway. What isn’t being adopted, to the concern of some security experts, is the PIN feature that’s used in combination with EMV in many parts of the world, and with debit transactions in the U.S. You’ll still be using your signature at the point of sale, which is widely considered a far less effective security feature than a PIN number or the biometric thumbprint used with Apple Pay. While this will help cut down on cloned credit card fraud, it will still be fairly easy to use stolen cards. In practice, signatures are more likely to be examined after a charge is disputed than as an effective security measure at POS.
Another flaw: because the first round of new cards are still tied to a credit number represented on magnetic strips (for compatibility with older terminals), it is still possible to clone the card and use it with older terminals. As this is a transitional period, expect that feature to be removed eventually. And, of course, it does little to combat online credit card fraud.
Should You Upgrade?
Is it worth it for merchants to upgrade immediately? Yes and no. Think of it like a one-time purchase of collision insurance on your automobile: you don’t need it to drive your car, and you may never get in a car accident, but if you do, you’ll be very happy you laid out that money.
Are you in an area with a lot of credit card fraud? Will having an extra layer of fraud protection make you feel more at ease when conducting your business? If you just recently purchased five non-EMV compliant POS terminals, the cost of upgrading so quickly may not be justified in the immediate future, so long as the provider still supports magnetic strip transactions.
If, on the other hand, you’re due for some new POS terminals, you should probably take the plunge. There are a couple notes of caution, however. The first is that you should make sure the new terminal is compatible with debit card EMV standards, which have been lagging behind those for credit cards. The second is to keep an eye on the early criticisms of the signature-based EMV system, as other countries that adopted the standard quickly migrated to PIN-based transactions shortly after. You’ll want to make sure you’re covered for that not-unlikely eventuality.
With all that in mind, if the thought of fraudulent charges doesn’t keep you up at night, the wisest approach at the moment is probably to wait until you need to upgrade your POS hardware anyway, then make sure what you get is up to the latest security standards.