September 18, 2015
If you happen to be a financial service professional, you may have heard of EMV and the October 2015 switch day. But what exactly does it mean? What should your clients and customers know about EMV? The following nuggets of facts will help you prepare for a thoughtful conversation.
EMV, short for Europay, MasterCard and Visa, is a global technical standard for smart cards. A microchip (instead of magnetic stripes) is embedded in the smart cards to store data. The chip generates a unique, one-time authentication code that cannot be used again, making duplication impossible. After numerous data theft incidents in recent years, the outcry for better security was finally intensified to call for the US market to adopt EMV chip cards. The switch is scheduled for October 1, 2015.
Before the switch, card issuers are liable for fraudulent charges. After the switch, card issuers are only liable for the fraudulent charges when customers use chip cards to transact and merchants are EMV-compliant. For the merchants who do not upgrade their payment system to be EMV-ready, if fraudulent charges occur, they will have to absorb the charges. This switch is called a liability shift. It is important to know that chip cards do not prevent data breach. But the microchips make it extremely difficult to duplicate data, making criminals less incentivized to commit fraud.
If you happen to be a consumer, you would have started receiving replacement chip cards from your credit card companies. The cards will still carry magnetic stripes for backward compatibility. At the checkout, if a merchant's POS systems are EMV-ready, simply dip your card instead of swiping. If the POS is still an old type, swipe your card as before, and you can still pay with no issues. Note that, as of 2015, most EMV terminals in the US market are still at the chip-and-signature stage. That means consumers dip the cards and sign the receipts.
For merchants, although voluntary, there is a consequence if your payment system does not accept smart cards. The first and most important step is to upgrade or replace POS terminals. The cost of a new EMV terminal ranges from $500 to $1,000 depending on the number of value-added features. In addition, merchants may need to incur system and application upgrades as well as staff training. At a fraudulent rate of ~0.7% or potentially more, you can do the math if it is worthwhile to upgrade your terminals as your business priority. Merchants should consult with their acquirers or payment processors.
For issuers, the liability shift is indeed good news to help combat the increasing fraud in the US market. Counterfeit cards account for 75% of credit card fraud and an estimated $3 billion in annual loss. While issuing chip cards is expensive ($2 to $4 per card), it provides security and cost savings in the long run. When issuing chip cards, issuers need to ask whether the cards need to be contactless, what applications to store on the chips, and how to make the most of this massive upgrade in communication and usage stimulation. While EMV cards effectively fend off off-line card-present fraudsters, there are still security concerns for online and card-not-present (CNP) transactions. As mobile and online shopping continues to grow, unfortunately, EMV is not the answer yet. New payment technologies such as encryption, biometric identification or tokenization have become the driving forces for better security; leading issuers must keep themselves abreast of payment innovation and opportunities.
It is projected that about 60% of retail locations will be EMV-compliant by the end of 2015, and 75% of credit cards will be equipped with chips. The more uncertain part is with merchants. With 15 million POS terminals in the US—many highly fragmented—it will still be a long road for merchants to become ready and for the US to be considered as EMV market. The good news is consumers will be protected all around no matter who pays for the fraudulent transactions.
Sources: Javelin Research & Strategy, Aite Group, First Data, EMVCo LLC, LexisNexis Risk Solutions Report.