From NewHaven Software Wiki

Revision as of 23:32, 10 July 2015

What is EMV

The above title link is an informative article from our primary payment processing partner, Mercury Payment Systems (MPS). The cards are also referred to as "chip card" (because they have a chip embedded in the card) or NFC which is near field communications chip. Most new devices will have you insert the card chip first into a slot, instead of swiping the mag stripe, where others will use the NFC technology where you'd merely wave the chip over the reader.

Why chips?

The chip is used in lieu of the magnetic stripe to communicate the card number, expiration date, and name to the device you plug it into (no more swiping.) These chip cards are much more difficult to copy/duplicate. This technology used is prevalent worldwide (we're late to the game in the U.S.A.) and helps to reduce fraudulent "card-present" transactions. It offers no additional security for card use online or by phone (CNP - card not present transactions). It's worth noting that these cards still have a mag stripe on them so can be used with traditional/current card swipe solutions since it is expected that it will take retailers a few years to implement chip card readers.

Should I care?

If you do all of your business by phone and/or online, no need to worry about the change. It is something you should consider if you have a retail store front or other scenario where you accept physical cards.

As a consumer you'll start receiving new chip cards from your credit card providers and be instructed on how to use them as merchants start adopting the hardware needed to process them.

Do I have to accept EMV in my store?

"EMV is not a mandate in October 2015"

Supporting EMV is not a requirement, see the link about or the following article from Visa:

• http://usa.visa.com/merchants/grow-your-business/payment-technologies/credit-card-chip/liability-shift.jsp

The rub is that if you do not, and you accept an EMV card by using its mag stripe instead, and the charge turns out to be fraudulent, you will be responsible for the fraudulent transaction costs.

What about the PCI fines?!

This is not about PCI, breaches or the crippling fines that go with them. If a fraudulent transaction occurs with an EMV card, the merchant is responsible for the cost of that fraudulent transaction. It appears to be the same as losing a chargeback dispute. It is not a data breach that would incur PCI fines. Here is an article from the PCI Council that explains their stance:

• https://www.pcisecuritystandards.org/news_events/quick_resources/increasing_security_with_emv_chip_and_pci.php

It does help to reduce fraudulent card-present transactions so, while not a requirement, you may find it is worth the expense/effort to implement an EMV card reader.

There is an additional scenario where if the card was swiped in your store and then a duplicate card was created by someone obtaining the mag stripe data from your system, you would then also be liable for any transactions made with the duplicated card. CMS does not, however, store the mag stripe data (per our adherence to PA-DSS 3.1 regulations) so this should not be a concern for CMS users unless your mag stripe reader itself was replaced/spoofed.

When or is it required?

The first phase of the EMV roll-out is October 1, 2015 but even then it is not required. These articles confirm it is a liability shift, not a requirement:

• http://merchant.mercurypay.com/secure-my-business/getting-ready-emv/do-i-need-emv/
• http://usa.visa.com/merchants/grow-your-business/payment-technologies/credit-card-chip/liability-shift.jsp
• http://www.mercurypay.com/article/emv-chip-card-technology

Our primary payment partner MPS just announced their EMV solution in April and we are a now researching how we can support it. The only solution for EMV is to integrate with one of their certified input devices. We can't say yet when we will be able to support EMV but it's possible/likely that it will not be by October.

I want it already, what's the ETA?

To clarify, these EMV readers are not just another input device to feed the card data to CMS for processing like the mag stripe readers have been. This is a new paradigm where the card reader device MUST handle the processing. As such each device must be individually certified (which is rigorous) and thus we expect to only offer support for a small number of devices. CMS will also have to be modified to support feeding transaction data to the device, have the device process the transaction, and CMS be updated with the results of that processing. This is not a trivial project and must be executed carefully to ensure a trouble-free and PCI compliant implementation. Bottom line, it's going to take some time.

Will it work with my merchant account?

Our only solution for EMV will be with MPS and some of their devices. If your merchant account is not with MPS, please contact us so we can get arrange to have a quote prepared for you.

Again, this has no effect on card not present (CNP) transaction, only card-present.

If you were to assess the number of card present fraudulent charges you've received in the past, and then further reduce that by the fraction of future charges that will be made with cards that are EMV (noting this liability doesn't apply to non-EMV cards), in most cases the resulting risk should figure to be quite low. As explained in this article, the corresponding liability risk should also be quite low.

Any more good news?

Indeed. The devices we're examining may prove to also be conducive to working with other payment solutions like ApplyPay.