Security Corner – EMV Update

Liability Shift and the New Terminals: A Tale of the Swipe vs. the Dip

By Joe Thomas, Director of Network Security, VPS

October 1, 2015. The deadline for merchants to be able to accept chip-based EMV cards using new POS card-readers.

9 months later, how are we doing?

Card-issuers (American Express, Discover, MasterCard and Visa) have blanketed the U.S. with more chip-cards than any country in the world. Visa alone has accounted for more than 265 million enabled credit and debit cards in the US, making it the biggest market for EMV technology. (betanews.com) And MasterCard has announced that it has increased EMV credit cards from 30% of all cards in October 2015 to 67% in June 2016. (businessinsider.com)

Still swiping…?

If you’re one of the millions out there carrying at least an EMV chip debit card and one chip credit card, you’ve probably tried inserting both into a terminal that appears ready to take your card—only to be told by a store clerk: We don’t take chip-cards. You’ll have to swipe. (No dipping allowed—inserting your card into a terminal slot and waiting for it to process.)

In some instances, you might even get a decidedly low-tech warning—in the form of a post-it stuck above the chip-card insert slot: Please swipe.

And this may be at Walgreens or Whole Foods—high-volume, “Tier One” merchants. In other words, you see a lot more chip readers than you can actually use.

Some figures

Over 750,000 merchant locations have EMV-enabled POS card-readers. But that represents, as of June this year, only about 8.5% of major retailers that enabled EMV in 2015. About 2% of all US transactions were EMV chip transactions. (In January 2016 it was estimated that 37% of US merchant locations were EMV-capable, with that number growing to an expected 50% in June, and reaching as high as 72% in December.)

Why the lag?

Initially, one of the reasons for merchants not adopting EMV was the cost of the new POS terminals, which runs about $500 for each checkout line. (Chip-cards can still be read by non-EMV-enabled card readers—in swipe mode—allowing merchants to get along OK, without being in compliance.)

At the moment, some large retailers are pushing back on the chip-and-signature option versus the more secure chip-and-pin. According to ZDNet, “Home Depot also contends that Visa and MasterCard chose to enforce the less-secure chip-and-signature standard because the networks collect higher merchant fees for routing signature-based card transactions as opposed to PIN.”

“Home Depot’s case against Visa and MasterCard is similar to one Walmart recently filed against Visa. In that case, Walmart says that Visa is precluding the retailer from requiring PINs on all debit card transactions. As a result, Walmart is forced to pay the fees associated with signature-based networks. For the world’s largest retailer, that figure is in the billions… Interestingly, Walmart did not file charges against MasterCard.” (ZDNet)

What the Card Associations are doing

To allow more time for EMV adoption, the card associations are offering Chargeback Reductions and Accelerated EMV Certifications.

[span8][span6] From July 22, 2016 until April 2018 VISA is blocking all chargebacks under $25 for U.S. counterfeit chip- card fraud. Visa will also cap the number of chargebacks per counterfeit card to 10 for any transactions $25 or more starting October 15, 2016 until April 2018.

Visa estimates that this will reduce the number of counterfeit card chargebacks by 40%.

Visa and MasterCard are also streamlining the EMV certification process by simplifying the testing requirements, allowing acquirers to “self-certify” (giving acquirers greater discretion in determining the appropriate level of testing of a merchant’s EMV solution), and providing funds to acquirers to develop pre-certified EMV software.

[/span8]


[span4]

“The Liability Shift”

45% of card fraud in the U.S. (2014) was online.

37% was card-present fraud—using a stolen or counterfeit card.

Because of the associated fraud reduction with the use of EMV chip cards, US merchants who use EMV-enabled terminals are no longer financially liable for fraudulent transactions that occur at the merchant’s premises.

A new liability shift will occur On October 1, 2016: automated teller machines (ATM) that accept MasterCard branded cards must be EMV operational. ATMs that accept Visa-branded cards have an additional year to be operational.

Important to note is that chip card technology does not address online fraud. It addresses card-present fraud.

[/span4]


Acquirers and other merchant organizations, like VPS, have communicated the significant issues merchants are experiencing with the EMV chip- card launch. The card associations have recognized the challenges with this process and are providing assistance to ease the transition.

VPS Implements EMV

Nearly all VPS terminals supplied to clients (i.e. in the field) are physically ready for EMV cards. But they require a software update to activate this feature.

VPS is currently working with our processors to ensure that EMV-capability is added to existing point-of-sale terminals in the most secure and reliable manner possible.

Once EMV is ready for deployment, a simple software download and restart of the terminal will allow it to accept chip-cards.

Card-present fraud is very uncommon among the merchants VPS supports: government (tax payments), educational institutions (tuition and fees), utility companies (water, gas, electric bills), etc. These payment types are not easily monetized by criminals who are much more likely to use fraudulent cards at businesses where they can walk away with merchandise.