What's up with EMV? Prepare your business for credit card compliance

The United States is joining more than 80 countries around the world in upgrading its payment card security to embrace the EMV standard. EMV, which stands for Europay, MasterCard and Visa, is the technology behind the microchip now appearing on new credit and debit cards.

This tiny chip has huge benefits when protecting against fraud for card-present transactions. It offers better data security than magnetic stripe transactions and makes counterfeiting a card nearly impossible, by creating a one-time code unique to each transaction rather than using the same code for each transaction.

There are three ways to accept EMV. Contact EMV payments require customers to put their EMV card into the slot of an EMV terminal. Contactless EMV payments allow customers to tap their card against the EMV terminal. Mobile EMV payments allow customers to upload their EMV card credentials onto their mobile phone. Then, when it’s time for payment, customers can tap their phone against the terminal.

Since Oct. 1, 2015, if a fraudulent transaction occurs, the liability belongs to whichever party has not yet adopted EMV chip technology. This means that issuing banks or merchants could end up being financially responsible for the fraudulent transaction if they are not EMV-ready.

The transition toward EMV technology and the liability shift only affects merchants who process card-present transactions. Online transactions, on the other hand, aren’t directly affected by EMV technology or the liability shift since the EMV chip is not making contact with the processing solution. The liability shift won’t apply for card-not-present transactions.

Why EMV?

The migration to EMV technology in the U.S. will enhance compatibility on a global level and enable U.S. cardholders to use their secure chip payment cards anywhere in the world. It will ensure that only the rightful card owner can use the chip card, protecting against lost and stolen card fraud. It will also protect data on the chip against unauthorized charges, shielding against counterfeit fraud.

Many countries have proven that there is a positive impact in reducing fraud. Some, like Malaysia, have seen up to an 84 percent decrease in fraud after adopting EMV technology. Brazil was close behind with an 80 percent decrease in fraud since adopting EMV technology and the United Kingdom, Europe, Canada and Australia also saw significant decreases.

What about me?

Since EMV chip card transactions improve security and reduce fraud, banks and credit card issuers are allowed to push through a “liability shift.” This means that the liability for any fraud or counterfeit that results from card-present transactions on EMV-capable systems will now shift away from the merchants and will instead transition to the issuing banks.

As a merchant this means if you don’t provide an EMV solution and there’s counterfeit associated with an EMV card, you’ll be held financially liable for any resulting losses. The liability shift has been in place in other countries since 2006.

How can I best prepare my business?

First, achieve PCI Compliance. This refers to the responsibility of all card-accepting business owners to ensure they’re accepting and storing debit or credit card data in the most secure environment.

The PCI Compliance process can help uncover vulnerabilities or areas of concern and help prevent data breaches. It will still apply after the U.S. EMV adoption. The PCI council requires all business owners who accept debit or credit payments to complete an annual self-assessment questionnaire to ensure they’re taking the correct measures and steps to securely accept these payments. Self-assessment questionnaires increase in level of difficulty, depending on the credit card processing method.

If you’re a retail-type company or you take a majority of credit cards in person, you must update terminals to add EMV-compatible peripherals (contactless scanners and pin pads). Credit card terminals usually cost around $200 and can prevent costly chargebacks.

If you don’t see many people in person, embrace tokenization. Tokenization removes the account number on the payment card from merchants’ databases and replaces it with a string of letters and numbers that serve as a proxy for the true cardholder data.

In light of the current threat environment, you have to assume that the bad guys are going to get into your systems sooner or later. The best way to stay out of the headlines is to make sure that when they do get in, they don’t get any valuable data.

Shannon Walcott is a specialist at Basys Processing, a credit card company in Kansas City specializing in solutions for the ready mix, aggregate materials, construction, propane and asphalt industries across the U.S. For more information about Basys, PCI, EMV or how to lower the cost of taking credit cards, contact her at (913) 214-5021 or swalcott@basyspro.com.