EMV and Shifting Liability
Posted in Customer Support, Industry News.
EMV and Shifting Liability from Issuer to Merchant
As a merchant who accepts credit cards in a card present (bricks-and-mortar) environment, no doubt you have seen or heard this acronym for Europay, Mastercard and Visa, which is coming soon. This payment acceptance method is the prevailing one currently used in Europe, which reads a computer chip imbedded in a credit card in lieu of a magnetic stripe, which is the common form here in the US. This change is taking place due to the vulnerability of magnetic stripe cards that can easily be programmed with a stolen card number/expiration date for fraudulent use at merchants’ existing point of sale systems. Until now, the cardholder’s issuing banks have taken the loss for this type of fraud, but beginning October 15, there will be a shift of liability from the issuer to the merchant if the merchant does not have an EMV (chip card)-enabled terminal. After 10/15, even if a merchant accepts a magnetic stripe credit card that proves to be fraudulent, as long as their terminal is EMV enabled, the merchant will not be liable.
The bottom line is that merchants are not required to purchase new terminals, but they will be liable for losses due to chargebacks for fraudulent sales. The distinction is important for another reason: we have heard of merchants being solicited by untrustworthy merchant service providers who are telling them that they are “out of compliance” with their mag-stripe equipment and they need to switch providers, which of course is completely untrue. So, with the impending changes in fraud liability, Dharma is urging all card-present merchants to upgrade. Please contact us if you haven’t already done so. The following Q & A may be helpful in further understanding this program.
Q: Chip card, EMV card, smart chip card…what’s the difference?
A: These are all just different terms for the same technology. The technology used in these credit cards is commonly known as EMV-enabled, which stands for Europay, Mastercard and Visa, which uphold the chip technology. These cards are a global standard for processing credit and debit card payments. Various credit card companies may refer to chip cards slightly differently, but they all function to help keep cards more secure. Dharma has chosen the term “Chip Card” here to answer questions we have been receiving lately.
Q: How do my customers use one of these cards to make a purchase?
A: Just like magnetic-stripe cards, chip cards are processed for payment in two steps, (1) card reading and (2) transaction verification.
However, with chip cards you no longer have to master a quick, fluid card swipe through your terminal. Chip cards are read in a different way, using an electronic “chip” which is far more secure than the magnetic stripe. These chips are almost impossible to duplicate, which makes it much more challenging for a fraudster to successfully steal and copy a consumer’s credit card.
Instead of swiping your customer’s card, you are going to do what is called ”card-dipping” instead, which means inserting the card into a specific terminal slot and waiting for it to process. When a chip card is ”dipped,” data flows between the card chip and the issuing financial institution to verify the card’s legitimacy and create the unique transaction data. This process isn’t as quick as a magnetic-stripe swipe, but is much more secure.
It will typically take slightly longer for that transmission of data to happen; most chip transactions take roughly 10-15 seconds to process. If you stick the card in and immediately pull it out, the transaction will likely be denied; you must insert and leave the card “dipped” as the transaction processes. A little bit of patience will be involved with both the merchant and the customer for each transaction.
Q: Will my customers still have to sign or enter a PIN for their card transactions?
A: Yes, they will. Your customers will still have to perform one of those verification methods, but it depends on the verification method tied to the customers’ card, just the way it currently is. The same way that they either sign or enter their PIN now will remain – PIN debit cards will still require a PIN number for authorization, and credit/signature-debit cards will still require a signature. The new chip card technology only changes the security of the underlying transaction, not the way your customers authorize their purchase.
From the customer’s perspective, any credit/debit card will continue to operate just like it always has. Debit/check cards will still require the customer’s input of a PIN, and credit cards will always require a signature. The only difference is that instead of swiping, you’ll insert, or “dip” the card for an authorization.
Q: What if my customers want to use their chip-card and I don’t support chip card technology yet, can I still take their card?
A: Yes. The first round of US bank-issued chip cards – many of which are already in consumers’ hands – will be equipped with both the new chip technology and magnetic-stripe functions, so your customer is not disrupted, and the merchant can adjust to the new technology. So until you have chip acceptance, you’ll still be able to swipe cards with magnetic-stripe functions.
If you find yourself at a POS terminal and are not sure whether to dip or swipe the card, have no fear! The terminal will self-validate the process. For example, if the customer enters their card into the chip reader slot, but your reader isn’t activated yet, an error message will appear and they will be prompted to swipe the card in order to use it. And vice-versa, if the customer tries to swipe a chip card instead of inserting or dipping it, an error message will appear and they will be prompted to insert the card for chip processing instead.
Important note: Starting in October, merchants will begin to bear liability for fraudulent sales if they aren’t accepting chip cards yet. Visa/Mastercard have given merchants until October 2015 to be able to start accepting chip cards. Come October, should you take a fraudulent sale on a transaction that was swiped, although the card had chip technology, the merchant will be liable for any fraud. This is VERY important, since no merchant wants to be on the hook for fraud! Please be sure to reach out to Dharma for assistance in ensuring that you have an EMV terminal that’s certified to take EMV (aka chip card) payments.
Q: How do I accept chip cards if I only take online or card-not-present payments?
A: You don’t need to worry about chip card acceptance if you never physically touch the card. Since chip card acceptance is dependent on the merchant physically inserting or dipping the card into a terminal, chip card acceptance simply can’t happen in a card-not-present environment. Online and phone-order merchants will continue to accept cards as they currently do, by entering card numbers, expiration dates, and other AVS information along with the sale, to gain an authorization.