May 5, 2015
EMV for Small Businesses
A survey by Newtek Business Services, Inc., shows that 71% of small businesses do not know about EMV and how it applies to them. Are you included? If you run a small business, then we have a primer on what the October 2015 fraud liability shift means for you and how Shift4 is helping you reduce your fraud liability with EMV, and reduce your breach risk and PCI scope with True P2PE™ and TrueTokenization®.
What Is EMV?
EMV is a payment card technology that will soon be used in the U.S. to replace magnetic stripe credit and debit cards. EMV cards are sometimes called “chip cards” or “smart cards” because they have a computer chip on them that helps to prevent the use of counterfeit, skimmed, lost, or stolen credit or debit cards at card-present payment terminals. These cards will be inserted (dipped) into payment terminals instead of swiped, allowing the terminal to verify the card and write a security code back to the chip. If there is any unusual activity, the card will stop working. Also, EMV cards are more expensive and difficult to copy than traditional magnetic stripe cards, so EMV cards are much less likely to be duplicated by criminals.
What’s the Problem With EMV?
EMV cards issued in the U.S. will still have the magnetic stripe for a few years, until the change to EMV is completed nationwide. Note that EMV has not reached 100% adoption in any country where it has previously been implemented. Also, because EMV is a 20-year-old technology, it doesn’t account for point-to-point encryption (P2PE), so most EMV terminals still introduce clear-text card data into the merchant environment. This means that fraudsters can still steal card information from businesses that have not implemented P2PE, even after the U.S. migration to EMV is completed. This stolen card information can be used to create counterfeit magnetic stripe cards and can be used in-store, online, or in mail order/telephone order environments until the cards are identified as fraudulent and cancelled, just as they are today. This is why it is so important for merchants to ensure that their EMV terminal also supports P2PE, so that while they are preventing fraud on the front end, they are not leaving cardholder information exposed in their environment. For more detail about what EMV cards can and cannot do, please check out our EMV Web page.
EMV Is Not a Requirement by PCI
There are some rumors going around that if a merchant does not accept EMV cards by the liability shift date, then they will not be considered PCI compliant. This is false. PCI at this time has no requirements related to EMV. However, the card brands do have a binding statement about a change in how they will be handling the liability for fraud. The major credit card brands Visa, MasterCard, Discover, and American Express have been carrying a large financial burden for credit and debit card fraud. Thus, as of October 1, 2015, in the U.S., the liability for fraud may move to an issuing bank, processor, or even a merchant if a fraudulent transaction is placed and EMV was not supported. Essentially, the liability for the fraudulent transaction will fall to the “weakest link in the EMV liability chain” due to a lack of support for EMV or poor implementation.
What Small Businesses Need to Know
Large retailers who already face a high rate of chargebacks as a result of fraud and those who sell high-ticket merchandise are some of the first merchants getting ready for EMV. Jim Daly in Digital Transactions Today notes: “Big-box retailers and national restaurant chains are much further along than small merchants.” But, what does this mean for small merchants?
Fraud has a way of moving to those areas that are less protected. This could mean not only e-commerce, where there will be no EMV, but also merchant locations that do not support EMV after the liability shift deadline. Newtek estimates that 80% of U.S. merchants will be EMV ready by October, but we think this estimate is very high – the card brands are saying 50% of U.S. merchants will be EMV compliant by 2020. In the meantime, merchants who are not ready for EMV may face higher fraud liability than they have before. This is why it’s very important that every merchant – both large and small – evaluate their previous fraud and chargeback levels and their potential risk level, and weigh them against their investment in new EMV-capable payment terminals.
If you aren’t ready for EMV but want to start preparing, you can find the steps you need to take here. If you have some questions about EMV and want a better understanding, please reach out to our 24/7/365 Customer Support team, who are here to help you at [email protected] or 702.597.2480 (option 2).
Shift4 Makes EMV Simple
Again, EMV cards help prevent fraud – not breaches. But, don’t worry. Shift4 makes it easy for you to prepare for EMV and ensure that you have True P2PE and TrueTokenization in place. We currently have 7 payment devices that are being certified for EMV – and more on the way. The best part is that every device Shift4 is certifying will already have Shift4’s encryption keys injected to support True P2PE when purchased from one of our authorized vendors. Plus, combined with TrueTokenization, you can ensure you’re not only prepared for EMV, but also that you will never store, process, or transmit sensitive cardholder data in your environment, reducing your PCI scope and leaving nothing for hackers to steal. Support for True P2PE and TrueTokenization is already included with DOLLARS ON THE NET®, so if you don’t have these features set up, then you should!
We’re always here to answer any questions you may have about EMV and about Shift4’s secure payment solutions. Contact our 24/7/365 Las Vegas-based Customer Support team at [email protected] or call 702.597.2480 (option 2).