As the October 2015 date for buying and installing new in-store equipment draws near, time is marching on for retailers undecided about moving on EMV. Those concerned about assuming liability for fraudulent credit-card use are taking the time to become more familiar with the Europay MasterCard Visa standards, understanding the logistics behind the transaction, reviewing equipment options and developing action plans.
Common questions include: Will the deadline date hold? How much longer will a payment take at a register? And what effect could the new process have on loyalty and rollback programs?
“There isn’t an effective date that retailers need to have the equipment in; it’s a liability shift,” said Phil Schwartz, manager of information systems for Valero Energy Corp., San Antonio, during a webcast sponsored earlier this year by Alexandria, Va.-based Conexxus, the technology arm of NACS. “The liability shift [ties to] the least secure piece of the transaction chain. For merchants, if a card that is EMV-enabled is used at your device that’s not EMV and there’s a fraud, you’ll be liable.”
So while there are no penalties and no real mandates, the risk falls to the retailer if it is the weak link in the chain. When asked about dealers who don’t comply, Schwartz said they’ll be subject to that liability shift.
Also during the webcast, Bruce Murray of B2 Processing Solutions, Toronto, explained a typical EMV transaction, saying how a chip in the card activates upon insertion into a reader at the point of sale (POS). Encrypted keys in the card and the reader react and initiate the authorization process. The chip is actually a mini-computer powered upon contact with the reader; it ultimately decides whether or not to allow the purchase.
The chip gets its power from the card reader and POS terminal, Murray said. A contact point on the card connects to the reader, which provides power and initiates an exchange of communication codes. The cards last as long as any mag-stripe credit card, with issuers often replacing them in three- or four-year cycles, Murray said, because they tend to become shabby in people’s wallets.
The process may force retailers to make technical changes to their price-rollback loyalty programs, Murray said. For the EMV transaction to work, the final price must be known as the transaction starts. With many programs now, the discount is added after the transaction starts, so the final amount is not known at the beginning of the payment process.
The process will also take more time. With a well-designed card and POS solution, about 2 seconds gets added to the normal mag-stripe authorization time.
“Poor application development by the card issuer and poor POS software that calls for excess data not needed for the transaction can add to the time,” Murray said. The card also has to stay in the reader for a longer period so the encryption process can properly occur between the card and issuing bank.
Another nuance is with preapproval amounts. Some acquirers want $1, some $100. A retailer needs to make sure its preapproval terms match those of its payment processors.
Yet another concern is with dial-up, which many operators still use for transactions. The incremental data needed for an EMV transaction is small—60 to 80 extra bytes of data—so dial-up lines will work as easily as more robust broadband setups.
One of the stranger points that Murray mentioned was how static electricity may damage EMV cards. In some areas in northern Canada, dry indoor environments caused static to build up in people, creating an electrical charge that damaged the card as the person inserted it into the reader. But Murray said card makers have taken steps to minimize that scenario.
Ultimately, EMV is part of what Murray recommends as a “layered” approach. “EMV doesn’t look at protecting data,” he said, emphasizing that payment card industry (PCI) standards, end-to-end solutions for data in transit and tokenization for data while it’s in the stores are all important elements of overall data security. “EMV is a method for authenticating and preventing the use of counterfeit cards.”
Members help make our journalism possible. Become a CSP member today and unlock exclusive benefits, including unlimited access to all of our content. Sign up here.