EMV Cards
From NewHaven Software Wiki
Current revision as of 15:29, 26 June 2020
Some background information on EMV cards, clarification on the industry's roll-out plans, requirements, and frequently asked questions.
What is EMV?
The above title is a link to an informative article from one of our payment processing partners, Mercury Payment Systems (MPS), and is worth the read. EMV cards are also referred to as "chip cards" (because they have a chip embedded in the card) or "smart cards". Another type of chip card is NFC, which uses a Near Field Communications chip. The new retail devices that support EMV will have you insert the card, chip first, into a slot on the front instead of swiping the mag stripe. For NFC cards/readers you'd merely wave the chip over the reader. New smartphone-enabled payment applications like Apple Pay use this NFC technology as well.
Why chips?
The chip is used in lieu of the magnetic stripe to communicate the card number, expiration date, and card holder's name (but not the CVC) to the device you insert it into. The use of EMV is prevalent worldwide (we're late to the game in the U.S.A.) and helps to reduce fraudulent "card-present" transactions since the chips are not easily duplicated. The magnetic (mag) stripes, by comparison, are easily swiped by fake readers and then duplicated.
When a card is swiped, the terminal performs an initial communication to the processor to see if the card was issued with an EMV chip or not. If so you'll be prompted to insert the card into the terminal instead. This addresses the scenario where a thief has picked up your card data by NFC and created a fake mag stripe version of the card.
Article explaining the details of an EMV transaction: http://info.mercurypay.com/rs/772-ISK-107/images/Nov_10_Messenger_Article2_EMVtransaction.pdf
MPS has outlined the Benefits of EMV to include:
- Reduced risk of accepting counterfeit cards
- Reduced risk of card skimming at the POS terminal
- Accepting foreign cards which are already EMV enabled
- Modernized POS with support for EMV and contactless payment technologies (NFC)
That said, it offers no additional security for card use online or by phone (CNP - card not present transactions). It's worth noting that these cards still have a mag stripe on them to be used with traditional/current card swipe solutions since it is expected that it will take retailers a few years to implement chip card readers.
Statement from Square on the topic (Sept 2015):
Here’s some data we’ve seen: about 17 percent of the cards swiped on Square Stand or Reader now contain a chip, up from roughly 3.5 percent in January 2014. For now, the majority of the cards are still being processed as magnetic-stripe transactions (all chip cards also have a magnetic stripe on the back). But as sellers upgrade to EMV technology, more and more of these transactions will be processed via the chip on the card instead of the magnetic stripe. A big milestone here is the liability shift, which, as we mentioned, happens in October. At the current pace of chip card issuance, we expect roughly 35-40 percent of cards to be chip-enabled by the time the liability shift hits (though this may change if issuers speed up or slow down their pace). - See more at: http://paymentsjournal.com/Content/Featured_Stories/26769/#sthash.XSpykLlN.dpuf
Should I care?
If you do all of your business by phone and/or online (card not present), no need to worry about the change. It is something you'll want to consider if you accept physical cards (card present). At this stage accepting EMV cards does not impact your processing rates and we've not heard plans to do so.
As a consumer you'll start receiving new chip cards from your credit card providers and be instructed on how to use them as merchants begin adopting the hardware needed to process them.
Do I have to accept EMV in my store?
"U.S. merchants are not required to implement EMV by October 2015"
Supporting EMV is not a requirement, see the link above or the following article from Visa:
Be aware that if you accept an EMV card by using its mag stripe instead, and the charge turns out to be fraudulent, you will be responsible for the fraudulent transaction costs.
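The swipe-then-insert prompt and the liability rule above can be sketched in code. This is an added example, not code from CMS or MPS: it assumes the chip check is done locally from the three-digit service code on Track 2 (first digit 2 or 6 marks a chip card) rather than by the processor query described earlier, and the action names and sample tracks are constructed for illustration.

```python
import re

# Track 2 layout (ISO/IEC 7813): ;PAN=YYMM + 3-digit service code + discretionary data + ?
TRACK2 = re.compile(r"^;(\d{12,19})=(\d{4})(\d{3})(\d*)\?$")

# Constructed sample swipes using a well-known test card number (not real card data).
CHIP_SWIPE = ";4111111111111111=25122010000000000?"   # service code 201: chip card
MAG_ONLY_SWIPE = ";4111111111111111=25121010000000000?"  # service code 101: stripe only


def parse_track2(raw):
    """Parse a Track 2 string; keep only the last four PAN digits for display/logging."""
    m = TRACK2.match(raw.strip())
    if m is None:
        raise ValueError("not a well-formed Track 2 string")
    pan, expiry, service_code, _discretionary = m.groups()
    return {"last4": pan[-4:], "expiry_yymm": expiry, "service_code": service_code}


def is_chip_card(service_code):
    """First service-code digit 2 or 6 means the card was issued with a chip."""
    return service_code[0] in ("2", "6")


def handle_swipe(raw, terminal_supports_emv):
    """Return the action a POS should take for a swipe (hypothetical action names)."""
    card = parse_track2(raw)
    if not is_chip_card(card["service_code"]):
        return "PROCESS_SWIPE"                  # stripe-only card: nothing changes
    if terminal_supports_emv:
        return "PROMPT_INSERT"                  # chip card on an EMV reader: refuse the swipe
    # Chip card accepted by its mag stripe: if the charge is fraudulent,
    # the liability shift puts the cost on the merchant.
    return "PROCESS_SWIPE_MERCHANT_LIABLE"


if __name__ == "__main__":
    for label, track in (("chip", CHIP_SWIPE), ("mag-only", MAG_ONLY_SWIPE)):
        for emv in (True, False):
            print(label, "EMV terminal" if emv else "swipe-only terminal",
                  "->", handle_swipe(track, emv))
```

Counting the `PROCESS_SWIPE_MERCHANT_LIABLE` results over a period gives a direct measure of how many transactions fall under the liability shift.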
What is my exposure to PCI fines?
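This is not about PCI, breaches or the crippling fines that go with them. If a fraudulent transaction occurs with an EMV card, the merchant is responsible for the cost of that fraudulent transaction. See this pdf/graphic from Discover (http://www.discovernetwork.com/chip-card/images/Merchant%20Store%20Owner_Fraud%20Liability%20Shift%20Overview.pdf) which, on page 2, does a nice job of illustrating which scenarios impact the merchant. It is not a data breach that would incur PCI fines. Here is an article from the PCI Council that explains their stance: https://www.pcisecuritystandards.org/news_events/quick_resources/increasing_security_with_emv_chip_and_pci.php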
It does help to reduce fraudulent card-present transactions. While not a requirement, you may find it is worth the expense/effort to implement an EMV card reader.
There is an additional scenario where if the card was swiped in your store and then a duplicate card was created by someone obtaining the mag stripe data from your system, you would then also be liable for any transactions made with the duplicated card. CMS does not, however, store the mag stripe data (per our adherence to PA-DSS 3.1 regulations) so this should not be a concern for CMS users unless your mag stripe reader itself was replaced/spoofed.
Is EMV required?
The first phase of the EMV roll-out is October 1, 2015 but even then it is not required. These articles confirm it is a liability shift, not a requirement:
- http://merchant.mercurypay.com/secure-my-business/getting-ready-emv/do-i-need-emv/
- http://usa.visa.com/merchants/grow-your-business/payment-technologies/credit-card-chip/liability-shift.jsp
- http://www.mercurypay.com/article/emv-chip-card-technology
Our primary payment partner MPS recently announced their EMV solution in April 2015 and we are now researching how we can support it. The only solution for EMV is to integrate with one of their certified input devices. We can't say yet when we will be able to support EMV but it's possible/likely that it will not be by October.
Adoption of EMV appears to be slow thus far as reported in a recent article found in the Payments Journal where it said:
“The poll finds that roughly one in 10 Americans have received the new chip-enabled credit cards. Of those who have received the cards, only one-third say they've actually used the cards as intended in new specialized credit card readers.” - See more at: http://www.paymentsjournal.com/Content/Featured_Stories/26874/#sthash.Ld8IaeAz.dpuf
When is the Right Time to Implement EMV?
Typically clients of NewHaven Software are not at high risk for fraud from counterfeit cards, which is what EMV is targeting. Here is a statement from Mercury on the topic:
Criminals who commit counterfeit card fraud typically focus on the purchase of “fenceable” goods (merchandise that can be purchased fraudulently and then turned easily for a healthy profit on the black market), or merchandise that can easily be converted to cash, such as gift cards... (e.g. high-end boutiques, grocers, and drug stores.)
If you were to assess the number of card present fraudulent charges you've received in the past and then further reduce that by the fraction of future charges that will be made with cards that are EMV (noting this liability doesn't apply to non-EMV cards), in most cases the resulting risk/liability for not accepting EMV cards in October should be low.
Good article reviewing some reasons why now may not be the time for your company to implement EMV - http://blog.solupay.com/top-7-reasons-not-to-adopt-emv
I want it already, what's the ETA?
To clarify, these EMV readers are not just another input device to feed the card data to CMS for processing like the mag stripe readers have been. This is a new paradigm where the card reader device MUST handle the processing. As such each device must be individually certified (which is rigorous) and thus we expect to only offer support for a small number of devices. CMS will also have to be modified to support feeding transaction data to the device, have the device process the transaction, and CMS be updated with the results of that processing. This is not a trivial project and must be executed carefully to ensure a trouble-free and PCI compliant implementation.
Will it work with my merchant account?
Our first implementation of EMV will be with our payment partner MPS. If your merchant account is not with MPS, please contact us so we can arrange to have a quote prepared for you.
Again, this has no effect on card not present (CNP) transactions, only card-present.
Any more good news?
Indeed. The devices we're examining appear to also be conducive to working with other payment solutions like PIN Debit, Apple Pay and other NFC payment solutions which we'll also examine as an enhancement to CMS's POS Module.