ALEXANDRIA, Va. -- As the date for needing EMV equipment in stores draws closer, retailers concerned about assuming liability for fraudulent credit-card use are becoming more familiar with the Europay MasterCard and Visa standards, as many did during a Conexxus-sponsored webinar on February 19.
Participants on the call learned the specifics of an EMV transaction and asked questions about deadline dates, how much longer a payment may take at a register and what effect the new process could have on loyalty and rollback programs.
"There isn't an effective date that retailers need to have the equipment in; it's a liability shift," said Phil Schwartz, manager of information systems for Valero Energy Corp., San Antonio. "The liability shift [ties to] the least secure piece of the transaction chain. For merchants, if a card that is EMV enabled is used at your device that's not EMV and there's a fraud, you'll be liable."
So while there's no penalties and no real mandates, the risk falls to the retailer if they are the weak link in the chain. When asked about dealers that don't comply, Schwartz said they will be subject to that liability shift.
Walking participants through the transaction, Bruce Murray of B2 Processing Solutions, Toronto, explained how a chip in the card activates upon insertion into a reader at the point of sale (POS). Murray, whose firm also has an office in Atlanta, has had experience implementing EMV programs in Canada.
He said encrypted keys in the card and the reader react and initiate the authorization process. The chip is actually a mini computer powered upon contact with the reader and ultimately decides whether or not to allow the purchase.
During a question-and-answer period, Murray said the process may force retailers to make technical changes to their price-rollback loyalty programs. In order for the EMV transaction to work, the program must know the final price as the transaction starts. Currently, many programs add the discount after the transaction starts, so they do not know the final amount at the beginning of the payment process.
The process will also take more time. A well-designed card and POS solution adds about two seconds to the normal mag-stripe authorization time.
"Poor application development by the card issuer and poor POS software that calls for excess data not needed for the transaction can add to the time," he said.
The card also has to stay in the reader for a longer period so the encryption process can properly occur between the card and issuing bank.
Ultimately, EMV is part of what Murray recommends as a "layered" approach. "EMV doesn't look at protecting data," he said, emphasizing that payment card industry (PCI) standards, end-to-end solutions for data in transit and tokenization for data while it's in the stores are all important elements to overall data security.
"EMV is a method for authenticating and preventing the use of counterfeit cards," he said.
Members help make our journalism possible. Become a CSP member today and unlock exclusive benefits, including unlimited access to all of our content. Sign up here.