It seems that everywhere I go these days, people are talking about the new-ish EMV standard for credit card payments. This tells me two things. One, that there’s a lot of confusion about the new authentication technology behind credit payments. And, two, that my life is very boring and I need to find new places to hang out. The second item is a personal issue, and I won’t bring you into that. But the first: this is something we can work through together, and there’s no better place to do that than right here, in a blog about issues surrounding retail operations. I’ll try and answer some infrequently asked questions (what I call the iFAQ: deal with it, Apple).
Just what the heck is EMV, anyway?
EMV is an acronym, which stands for Europay, Mastercard, and Visa. These are the three companies behind the initiative, which aimed to increase security and decrease fraud associated with credit payments. It’s also been in use for quite a few years all throughout Europe and, frankly, most of the world except for the United States.
That doesn’t really answer my question. Can you elaborate on what EMV entails?
Yes. Yes, I can.
OK, will you?
Sure. Basically, EMV adds another layer of security before your requested purchase is authorized. It does this by embedding an Integrated Circuit (IC) chip in the card. The chip itself stores information about the card much like the old-school magnetic stripe does—stuff like your account number and name. The biggest difference is in the dynamic capabilities of the chip versus the static information contained in a magstripe. Because the magstripe’s data is unchanging, if it ever gets intercepted it can easily be programmed onto a new card with its own magstripe. With EMV, on the other hand, the data stored is a combination of that pesky unchanging data that’s on the magstripe, along with something new. It’s a transaction code generated by the chip, and it’s unique for every transaction—it can’t be used again. That means one key part of the data a hacker might intercept is unusable in the future, rendering the entire data intercept moot. And because all this technical stuff is boring me as I write it, I’ll break the proverbial fourth wall and ask if you’re still paying attention? Yes? OK, good. All other things being equal between the EMV transaction and a magstripe one—swipe the card, transaction approved, sign your name—this added layer of security makes EMV preferable to the old way of doing things.
The EMV standard can go a bit further than that, though, with something called a Chip-and-PIN card. In this case, the IC chip also stores a 4 to 6 digit PIN that you use to authorize purchases. The advantage here is that because the PIN is stored on the chip, the first step in the authentication process happens locally, right at the point of sale. This has the effect of rendering your card useless if it’s lost or stolen. With Chip-and-PIN, you’ve got the double layer of protection: first, at the point of sale, and then again when the data’s transmitted (as described above).
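The per-transaction code described above can be illustrated with a short simulation. This is an added example, not code from this blog or from any card network: it substitutes HMAC-SHA256 for the cryptogram algorithm real EMV cards use, and the key, card number, nonces and class names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed demo values. Real cards use issuer-derived keys and a
# block-cipher MAC; HMAC-SHA256 is a simplified stand-in (assumption).
CARD_KEY = b"constructed-demo-card-key"
PAN = "4000000000000002"  # constructed card number

def _code(key, txn):
    """Transaction code: a MAC over static data plus per-transaction data."""
    msg = f"{txn['pan']}|{txn['atc']}|{txn['amount']}|{txn['nonce']}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

class Chip:
    """Card side: secret key plus a transaction counter that only goes up."""
    def __init__(self, key):
        self._key, self._atc = key, 0

    def sign(self, amount_cents, nonce):
        self._atc += 1  # a new counter value makes every code different
        txn = {"pan": PAN, "atc": self._atc, "amount": amount_cents, "nonce": nonce}
        txn["code"] = _code(self._key, txn)
        return txn

class Issuer:
    """Issuer side: recomputes the code and remembers the highest counter seen."""
    def __init__(self, key):
        self._key, self._last_atc = key, 0

    def authorize(self, txn):
        if not hmac.compare_digest(_code(self._key, txn), txn["code"]):
            return "declined: bad code"
        if txn["atc"] <= self._last_atc:
            return "declined: replayed code"
        self._last_atc = txn["atc"]
        return "approved"

def demo():
    chip, issuer = Chip(CARD_KEY), Issuer(CARD_KEY)
    first = chip.sign(1999, "a1b2c3d4")
    return [
        issuer.authorize(first),                      # genuine purchase
        issuer.authorize(dict(first)),                # intercepted copy, replayed
        issuer.authorize(dict(first, amount=99999)),  # intercepted copy, altered
        issuer.authorize(chip.sign(500, "e5f6a7b8")), # next genuine purchase
    ]

if __name__ == "__main__":
    print(demo())
```

A magstripe has no counterpart to the counter or the code, which is why a copied stripe looks identical to the original on every swipe.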
That was a very thorough answer. Thank you.
You’re welcome. And, really, you’re too kind, even if you are just another voice in my own head.
But, so, that’s great. All of our credit card fraud issues have been solved. Hooray, EMV!
Not so fast there, friend. Here’s the thing you have to remember: if there’s someone out there smart enough to create a technology like Chip-and-PIN, then there is also someone out there smart enough to find a way around it. The important thing here isn’t that EMV is going to save the world from credit card or identity theft, it’s just that it’s the best technology available to prevent it. At least, that’s what Europay, Mastercard, and Visa are saying, and if you’re going to insist on doing things the old way—with magstripes—then any fraud that occurs on your watch is your fault. It’s what’s called a liability shift.
“Liability Shift.” That’s a funny term.
Isn’t it, though? That’s because corporate lawyers are funny people. See, the credit companies basically came up with a much improved way of securing credit transactions, and you just know it was the lawyers who brainstormed all kinds of worst-case scenarios that could happen and who would be at fault. And the result of this brainstorming session was, clearly, the Liability Shift Date—the deadline by which any operation that accepts credit cards has to make the switch to EMV hardware and software or assume liability for fraud that happens in their store. For most of the world, this date has already passed. Check out Wikipedia’s list of locales and their implementation status to see where you stand.
Well, that’s all well and good, but I’m an American. We don’t use EMV.
You will. That’s why you’re asking me these questions. Besides, as of October 2015 you’ll have to. Or, more precisely, you’ll want to, unless you’re comfortable assuming liability for any credit fraud. You can continue to use your existing equipment and process credit as you always have. The new cards being issued will have magstripes on them, as well, to maintain that backwards compatibility. Just remember that it’s the cards that are compatible, and you are backwards.
So what do I do? Where do I go? Who do I talk to?
Shhhh. It’s ok. Remember, I said we’d work through this together? I’ve got your back. So, listen. To begin taking EMV, you’ll need to do some upgrades to your Point of Sale. The first part is easy: replacing all your existing card readers (or terminals) with EMV-capable hardware. The next part could get complicated. You’ll need to find out if the software you’re using at the POS supports the EMV standard and works with the new hardware (or, at least, that the developers are actively working towards the October deadline). It’s a bit of a mad scramble among U.S.-based software companies to bring their products up to speed. If you’re using a cloud-based POS, chances are that if your developer won’t have its act together in time, you can easily cancel the service and migrate to another one. You might want to look at a POS that is already fully EMV compliant as the standard. But those of you who are still using legacy POS systems (the ones that run on a server in your store) may find yourselves in a tighter spot.
I’m getting there. Really it all depends on where you are in your service/support contract. If you’ve got a boatload of time left that you’ve prepaid for, it may be too much of a financial burden to eat the cost of that and move to another platform if your POS won’t be ready in time. But now is a good time to start asking the questions, because—and this is especially true if you’re a small business—taking the fall for a fraudulent purchase come October (or worse, a massive data breach like the one experienced by Target) definitely will be too much of a burden. And with the low cost of a cloud-based POS-as-a-service, there’s a good chance that just biting the bullet and accepting that the future is now will be the safest and most cost-efficient option for you in the long run.
Understood. So, any recommendations for a POS I should look at?
Funny you should ask. It just so happens that the host of this blog, Kounta, is also the purveyor of a fully EMV compliant Point of Sale. And the Kounta POS goes a bit further than just supporting the hardware. It’s been designed to be “Out of Scope” as far as EMV payments are concerned. This means that no part of the transaction goes through the POS. PIN authentication happens between the card and the terminal, a transaction code is generated, and all the information is sent directly from the EMV device to the card processor for approval.
Um, cool? Why does this matter?
Remember the funny lawyers we discussed earlier? Well, when a security breach does happen, they’re going to look for any place other than their card processing clients to point the finger at. By being Out of Scope, they won’t be able to blame the POS. And since you, the merchant, were smart enough to choose a fully compliant and ultra-secure platform to ring up your credit sales, you’re off the hook, too. Nice, right? I’m glad we had this chat.
You do realize you’ve written both parts of this dialogue, yes?
I didn’t. The meds haven’t kicked in yet.