The chip. Chip cards. EMV. If you’re a merchant, you’ve heard these terms already.
You may even be accepting payment cards with chips. Do you know what it really does or what impacts it is going to have on your business? Here’s a quick overview of what the chip does, why it’s important to the credit card industry, and more importantly how it can hurt your business if you are a card-present merchant.
Chip Cards – The Back Story
The United States is the last major payment card marketplace to implement the chip. The chip has been used for years in Europe and Canada with dramatic results in fraud reduction.
The chip, also known as a “smart card” or the “EMV chip” is designed to try to eliminate counterfeit cards and to render the cardholder information acquired illegally from data breaches less usable. Given that credit card fraud in the US has doubled in the past seven years, one can understand why the switch to EMV is now being mandated.
The EMV chip standards were originally created by Europay, MasterCard, and Visa (hence EMV). The standard is now managed by EMVco which is a consortium with control evenly divided among American Express, China UnionPay, Discover, JCB (a Japanese Issuer ), MasterCard and Visa.
Here’s why: as technology became cheaper and cheaper it became easier and easier for thieves to steal a card, swipe the magnetic strip using a relatively inexpensive device, obtain all of the cardholder information, and then reproduce the magnetic strip on a blank or counterfeited card.
Swipe-only card information, before the chip, could be compromised in other ways as well:
- Large-scale data breaches would make cardholders’ information available to anyone on the dark side of the internet who would pay for it. Once the data was acquired, the thieves would produce counterfeit cards.
- Card skimmers, which are devices installed over existing credit card terminals and ATM card slots, extract all of the magnetic strip information and send it to thieves who…(you guessed it) use the data to produce counterfeit cards.
It became almost an everyday occurrence for local police somewhere to arrest a crew of thieves who would travel from city to city with a computer, a magnetic card stripe reader/printer and a supply of blank or counterfeit cards. In theory, full implementation of the chip will stop those types of fraud.
How Chip Cards Work
When an EMV card is inserted (“dipped”) into an EMV-ready terminal, the chip in the card talks directly to the payment card issuer that issued the card to the cardholder. The issuer’s system verifies the authenticity of the card, authorizes the transaction, and a unique transaction number which can’t be used again is created. Even if a hacker or employee stole the chip information from that sale, they couldn’t create a duplicate card because the transaction number would no longer be valid. This communication between the chip and the issuer, along with the creation of the transaction number takes a little bit longer than the traditional swipe. The length of time can vary from merchant to merchant depending on their equipment.
Now before we go into more details about the chip system like deadlines, pin versus signature, and costs, there is one elephant hiding in the tall grass that you need to be aware of because it could hurt your business badly. I encourage you to read this post all the way through before you try to jump on the chip train.
The Elephant in the Tall Grass
For decades there has been a battle raging between the payment card issuers and the merchants along with the acquirers. The issuers claimed that fraud was the largely the merchants’ fault because sales clerks didn’t compare signatures, didn’t look at the cards closely, etc. and that all the merchants cared about was making the sale. The merchants would respond that fraud was the issuers’ problem because credit cards were not secure enough.
Up until now, the credit card associations (Visa, MasterCard, Discover, etc) have made the issuers responsible for fraud. That meant that the issuers basically wrote off any bad (fraudulent) charges. The EMV card is considered so much more secure that the burden of fraud has been shifted away from the payment card issuers.
Read this carefully:
As of October 1, 2015 U.S. credit card issuers American Express, Discover, MasterCard and Visa have shifted the liability for “card-present” chip card fraud to whichever party is the least EMV-compliant in a fraudulent transaction.
If an issuer has issued a chip card to a cardholder and a thief uses a card with a magnetic strip copied from that chip card at a merchant that doesn’t have a chip ready terminal, the liability for the fraud will fall back onto the merchant – to YOU. Not only would you lose the merchandise and the money for it, you’ll also face a retrieval fee, a chargeback fee, and probably additional fines and fees.
As more and more merchants switch to chip reader terminals, the thieves will no doubt switch their focus to merchants who still have magnetic-swipe-only terminals or to online merchants where the chip isn’t a factor yet. Obviously, this means that merchants who don’t switch to chip readers are placing themselves INCREASINGLY in a higher risk category.
Chip-and-Sign vs Chip-and-Pin
Because of the size of the U.S. market and the thousands of merchants, processors, and financial institutions involved, most payment card issuers are issuing only chip cards that require a signature, and not a PIN, to indicate cardholder acceptance of the transaction.
Most of Europe is already using the “chip-and-pin” cards where a pin is required for customer acceptance. These cards are considered even more secure than plain chip cards as plain chip cards can be stolen and quickly used before being reported stolen. Most US processors and smaller issuers don’t have the technology to handle chip-and-pin cards so it will probably be awhile before that technology is mandated.
Just to confuse things a little more, some US issuers are already issuing chip-and-pin cards, but the equipment and software to use chip-and-pin technology is not generally available in the US, so the chip-and-pin technology on those cards is usable where chip-and-pin is supported, mainly in Europe. In the US, the cardholder just has to sign instead of using a pin. Since chip-and-pin transactions are considered to have less risk, the credit card associations have assigned those transactions a lower interchange rate than the plain chip cards with a signature. Several merchant associations are already lobbying the credit card associations for faster implementation of the chip-and-pin cards to get the lower rate.
When Do You Need to Make the Switch?
So the question is this: if you haven’t already done so, how soon should you switch to a chip reader?
Here’s the tricky part: there are no laws requiring chip readers, and the credit card associations haven’t instituted a deadline for most merchants for switching. The October 1, 2015 liability shift was intended as an implied deadline, but so many organizations missed it that it proved ineffectual. Deadlines have been set for gas pumps and ATMs as they are easy and frequent targets of counterfeit cards.
Depending on your needs, an EMV terminal can cost you in the neighborhood of $150 and up to purchase. If somebody offers you one for a ridiculous low rate, be sure to check for inflated processing fees or other hidden fees like volume minimums before you grab it. Before you run out and buy one though, check with your processor and see if they are willing to program it to work with their system and how much they would charge to reprogram it – or see if they have one already programmed that they can sell or lease you. Working with your current processor would always be the best path.
Also, don’t just accept an upgrade from your leasing company or lease a new terminal at all without checking with your processor first. This is critically important! (We got a call from a customer recently who got royally ripped off by a leasing company – but that’s a story for another post.)
There are also a couple of other considerations you should make before you rush into getting a new terminal. There are basic EMV terminals and then there are ones that will accept Near Field Communication (NFC). NFC is the technology used by the electronic wallet payment services like Apple Pay. While high volume in-and-out retail stores may consider NFC a necessity, most small merchants really don’t need it. NFC compatibility will add a chunk to the cost of your terminal. If you do discover later that NFC is important to your business you should be able to add on a separate NFC reader later.
There is also the question of chip-and-pin compatibility to look at. Most industry commentators seem to feel that chip-and-pin will take a couple more years than just the basic EMV chip and signature. That means that while it may reduce your transaction fees on a very few transactions now, it won’t have a major impact for probably at least three to five years. By the time the chip-and-pin will have a significant impact on your transaction rate you may be ready to sign a new lease or purchase an upgraded terminal anyway.
A lot of the how soon you should switch depends on your type of business. Fraudsters are after high dollar items that are in demand and can be sold quickly on the internet or at a venue like a flea market. If you personally know your customer – for example, if you’re a doctor, house painter, a custom stationery store or lawn service, you are probably not at a high risk to incur fraud. After all, you know where your customers live. Similarly, if you are a merchant with mainly small transactions like a donut shop, a DVD rental store, or a pizzeria, your fraud risk could be minimal.
If, on the other hand, you sell highly desirable, bigger ticket items like televisions, laptops, designer purses, tires and custom rims, jewelry, high end power tools, etc., you are at an elevated risk for fraudulent purchases. The same holds true if you sell things like prepaid payment cards, cases of alcohol or cigarettes, or telephones. If your business is one of these types of businesses you should probably be reaching for your telephone now to call your processor.
Remember, your business may be held liable for the costs of a fraud. One large chargeback for fraud could cost you more than any costs you’ll incur to handle EMV chips today.