By William McCollough, Heartland Payment Systems. Prepared for GASDA, Inc.
Although there are more than 1.5 billion Europay, MasterCard and Visa (EMV) cards deployed in more than 120 countries on four continents, the United States just started the long process of implementation in 2011. The shift of responsibility from credit and debit card vendors to U.S. retailers will take place before you know it.
EMV is a set of standards designed to prevent counterfeiting of debit and credit cards that are accepted at the point of sale (POS) and in ATM transactions. EMV chip-based payment cards, also known as smart cards, have an embedded microprocessor chip that contains the information needed to use the card for payment and is protected by various security features. These security features make chip cards a more secure alternative to traditional magnetic-stripe payment cards. EMV payments add dynamic security data to the transaction stream, authenticating that the card is physically present at the POS.
EMV Mandates & the Liability Shift
There are no mandates requiring merchants to implement EMV technology. But the major card brands (Visa, MasterCard, American Express and Discover) have established mandates for acquirers to prepare their systems to process EMV transactions.
The card brands also have announced the following liability shifts that will apply to merchants who do not deploy EMV-capable terminals:
• October 2015 – Liability shift for domestic and cross-border counterfeit POS transactions excluding automated fuel dispensers (AFD).
• October 2017 – Liability shift for counterfeit transactions for AFDs.
After the liability shift dates, a merchant who has not deployed an EMV terminal will be liable for counterfeit fraud on cards that were chip issued. Additionally, MasterCard has a liability shift for lost and stolen cards, which moves liability to the party with the least secure form of transaction.
For Visa, merchants processing more than 1 million transactions a year can skip payment card industry (PCI) reporting if 75 percent of their transactions come from dual capability (contact and contactless) EMV-enabled terminals. However, merchants should validate with their acquirer if they must still report PCI compliance to the acquirer.
Today, as long as proper acceptance procedures are followed, a retailer does not incur a chargeback for accepting a counterfeit, lost or stolen card. After the liability shift date, however, merchants will be responsible.
For gasoline retailers that want to completely avoid the liability of counterfeit card acceptance, in-store POS and car wash payment systems need to be updated to accept EMV transactions by October 2015 and pumps updated by October 2017, but retailers should remember this is only applicable for EMV cards. Depending on the volume of EMV card issuance across the United States, gasoline retailers’ plans might vary. They may want to consider the impacts on their business and additional costs as more issuers produce EMV cards in the U.S.
Is EMV a Practical Investment for Retailers?
Gasoline retailers ranging in size from the corner grocery to large national chains are wondering whether EMV and the investment required to accept cards with this technology is right for them. Retailers should consider the liability potential of accepting counterfeit cards. Right now, not many U.S. card issuers have issued EMV cards. With the recent ruling from U.S. District Court Judge Richard Leon regarding debit fees and the Federal Reserve’s interpretation of the Durbin routing provisions up in the air, it is expected that major U.S. debit card issuers will delay EMV planning until more information is known.
For now, the major card brands have issued acquirer specifications for handling EMV credit transactions. The market is waiting for resolution on how to handle debit routing with EMV. This is now further delayed by the recent U.S. District Court ruling.
Small gasoline retailers would be well advised to wait for clear direction from the card brands and debit networks, and to work closely with their payment processor to make sure POS equipment providers will be able to accept EMV cards once all of the specifications are defined for both credit and debit.
Once debit routing solutions are clear, card issuers have resolved the debit concerns and POS providers have equipment modifications ready, small fuel retailers should work with their payment processor to review the following questions to ensure they understand the risk and opportunities for their business:
• Where are your stores located? Are they located near a border or are you operating in an area that sees a high volume of international cards? Liability will increase as more EMV cards are used at your location.
• What are current fraud trends in your business – in which stores/states do you see the most fraud? Those are most likely going to be the same locations that realize a high rate of counterfeit card usage and may be the locations to consider for earlier implementation of an EMV solution.
• Who are your customers? Are you located in a small town, major metro area or near an interstate highway? Business in metro areas and near interstate highways may see a higher percentage of EMV cards, thus increasing liability.
• Can your current POS be upgraded to accept EMV transactions or will you need to replace your POS system with a new one? When will your expected losses due to counterfeit card acceptance over time be greater than the cost of installing EMV-capable terminals or a new POS system?
• What is the cost of training staff on the new equipment and the change in EMV card acceptance (insert or tap vs. swipe)? You may also want to consider that consumers with EMV cards will ask about using them when paying at the counter, making it important for your store personnel to know what they are and how they work to make purchases.
• Will your processor provide assistance during the transition? Its guidance should save retailers time, trouble and money.
Considerations for Small Operators
When a decision is made to implement EMV, small gasoline retailers should develop an EMV implementation strategy and plan for future equipment upgrades, considering the timelines set forth by the card brands. They should look to their acquirer or processor, as well as POS provider, to help plan implementation.
For example, as gasoline retailers replace current terminals, they should invest in EMV-capable terminals. They should compare terminal costs, software expenses, and training and certification costs to the liability reduction they gain by avoiding losses due to counterfeit and lost and stolen cards and possible PCI scope reduction.
Another crucial factor for consideration is whether their pumps can be retrofitted with EMV technology or if they will require an entirely new terminal.
Additional Layers of Security Still Needed
While EMV prevents counterfeiting, it is important to note that EMV alone is not enough to secure payment transactions. However, when layered with end-to-end encryption and tokenization, added transaction security is achieved.
End-to-end encryption (E3) encrypts the cardholder information, making card data indiscernible as it enters the payment cycle. In the event of firewalls or network security being breached, hackers and criminals that gain access to the encrypted card information gain nothing of commercial value. With E3, captured and encrypted card data cannot be used to make counterfeit cards or fraudulent phone/mail/online purchases. When E3 is in use, both magnetic-stripe swiped and EMV transactions are encrypted prior to leaving the terminal, so the transactions and cardholder information are sent encrypted through your network, over the Internet and to your processor without being readable.
Furthermore, tokenization eliminates the need to refer to a customer card number for returns, voids, card on file and recurring transactions. Both E3 and tokenization combine with EMV to provide transaction security that is far better than magnetic stripe.
As a 30-plus year veteran of the petroleum industry, William McCollough is the executive director of petroleum at Heartland Payment Systems Inc., the second largest petroleum payments processor in the United States. More detailed information can be found at www.HeartlandPaymentSystems.com.