Down with EMV? Yeah, You Know Me.

October 27, 2016 LOGAN CULOTTA

Originally published at www.paymentsjournal.com

comic-01.png

Here we go again, you walk up to the register at your local grocery store, heart rate increasing, palms sweating as you approach that mysterious Point of Sale device, just hoping not to embarrass yourself when you try to insert your chip into the card reader and learn the machine is not compatible yet. Does this sound all too familiar? What is really going on with EMV chips in the United States?

What was wrong with the magnetic-stripe? Those were the days.

As we know, before the EMV chip was introduced, traditional credit and debit cards used magnetic stripes which were swiped at POS devices to make purchases. Along with this magnetic-stripe swipe came the issue of storing static sensitive data. This meant that whoever was able to access that data on your card, could then use that information to make purchases repeatedly, until the card was deactivated. This static data includes but is not limited to: the Primary Account Number (PAN), Expiration Date, and Service Code, as well as other sensitive authentication data used to validate the card. With the security concerns around magnetic stripes, the U.S. has been moving, slowly, towards the EMV chip.

So what does EMV even stand for and why is it better?

Europay, MasterCard, Visa (EMV), is a joint effort between Europay, MasterCard and Visa to ensure security and global acceptance for cards with computer chips and the technology used for chip authentication. Due to the many data breaches and increased rates of credit card fraud, card issuers in the U.S are moving to this technology to protect their customers and reduce fraud. What these chips do to counteract the risk of repeated use of unchanging stripe data, is turn the static card data to dynamic card data.

Whenever an EMV chip is used for payment, it is “dipped” into the POS device and the chip creates a unique code for the transaction. This code cannot be used again. For example, your code that is generated at a grocery store today will be different from the code generated at a restaurant tomorrow. This code includes all data from the magnetic-stripe but also cannot be traced back to your card. If someone were to intercept this code from a transaction, it would be useless as it cannot be used more than once. Let’s be clear though, these chips will not completely prevent credit card fraud, but will make it much more difficult for card thieves to create counterfeit cards from the card data on a magnetic stripe.

Sounds great but what is taking so long for everyone to make the move to accepting the EMV chips?

October 1, 2015 was the date that was given for merchants to switch to chip enabled point of sale machines (excluding automated fuel dispensers and ATMs). After this date, merchants were responsible for any fraudulent transactions if they were not EMV compliant. That seems like quite the incentive to get complaint but due to the following, some merchants are not in a hurry:

  • Two Year Grace Period: Visa and American Express (not MasterCard) have set a minimum of $25 for counterfeit chargebacks for merchant liability. This means that Visa and American Express will still cover any counterfeit purchases made that are under $25, until April 2018. This may not incentivize most fast food chains, or other merchants with small transactions, to switch any time soon as most transactions at these types of restaurants are under this $25 minimum.

  • Hardware and Software Changes: It was first thought that the issue with the transition was purchasing new hardware as these new chip reading devices are estimated at $500 each. That may have been an issue a year ago but you may be seeing many merchants with a chip reader, yet you are still asked to swipe. This is due to the software changes that need to take place. Merchants need to find a way to load and/or integrate new software into their back office systems to allow their POS terminal to accept EMV transactions. Merchants and their payment gateways and processors and acquiring institutions also need to correctly interoperate for EMV transaction acceptance. Additionally, the new terminals and the merchant need to undergo a certification process with each of the card brands. With a number of merchants trying to make the switch to EMV simultaneously, getting this certification is taking a while, causing a bottleneck.

The above are not a complete list of reasons for the slow changes but are definitely factors in the delay of the transition. Other snafus that have been mentioned include: the time it takes to process the EMV transaction at the register and the transition to accepting mobile payments at the same time.

Ultimately, many consumers have not seen the effects of these issues and merchants have not received many complaints for these transactions. With that being said, the outlook of getting everyone switched over to accepting EMV looks rocky and until then, we will have to conquer our fear of not knowing if we need to swipe or dip.

Previous Article
Reaching Across the Waters: Tips for Using Your Credit Card Internationally
Reaching Across the Waters: Tips for Using Your Credit Card Internationally

As busy season approaches for many auditors and some personal travel during the holidays, our Ch...

Next Article
PCI DSS 3.1: 442 Days to Remove SSL 3.0 and Other Updates
PCI DSS 3.1: 442 Days to Remove SSL 3.0 and Other Updates

Today, the PCI SSC released version 3.1 of PCI DSS. The headline objective of 3.1 is to address weaknesses ...