EMV: How will it affect Nonprofits?

Posted in Industry News, Nonprofit and tagged with , , .

Image of a padlock with an EMV chip on it

EMV – What is it?

EMV stands for Euro – MasterCard – Visa. EMV is a set of standards designed by the credit card associations to help increase security and reduce fraud in the world of credit card transactions. EMV was initially adopted in Europe, over a decade ago (hence the name). It’s become the standard method of processing throughout the world, due to the much lower rate of in-person fraud associated with EMV.

How does it work?

Most Americans are used to the magnetic stripes on the back of their credit cards. They’re comfortable “swiping” a card, as that’s been our technology of choice for decades! EMV replaces “swiping” – instead, merchants will now “dip” an EMV card. The technology is totally different, and more secure. Magnetic stripes on credit cards hold sensitive cardholder data – such as the billing address, name, and card information. Unfortunately – magnetic strip cards are easy to copy. As such – fraud is much more rampant in the states!

EMV works differently. Instead of keeping your cardholder data on an easily replicable magnetic stripe, the data lives inside of a computer chip in the credit card. This is why EMV cards are also referred to as “chip” cards – the data on the card physically resides in a secure computer chip.

Due to this change, EMV/Chip cards are far more secure. You can’t simply “copy” a chip from one card to another, since they’re fully encrypted. This means that chip cards aren’t subject to card skimming where a customer’s credit card is copied without their knowledge. This happens regularly in the US with older magnetic swipe cards – but it’s much more difficult with EMV.

When you physically accept a Chip/EMV card, you’ll actually take different steps! Due to the way EMV works, the card has to remain physically inserted within the terminal for the entire sale duration. Sales will process like this:

  1. First, you’ll enter the sale/transaction amount into the terminal
  2. Then, you’ll “dip” or insert the chip card into the terminal
  3. The card remains “dipped” in the terminal for the entire authorization
  4. EMV sales sometimes take slightly longer to process, up to 15 seconds
  5. After approval, THEN you can remove the card, and prompt your customer for a signature, like normal.

So… who does this impact?

At this point, you’re probably asking yourself, “So, what does my organization have to worry about?” Well, the answer depends! One thing to keep in mind is that EMV only impacts in-person transactions. This is incredibly important for most nonprofits to consider, since many nonprofits don’t take in-person donations/sales very often. EMV only adds security to card-present sales, since EMV technology is only utilized at the point-of-sale, in-person. This means that if you don’t take in-person sales, EMV will NOT affect your organization.

Why doesn’t EMV impact online/keyed sales?

Fundamentally, fraud happens at far greater rates in a “card-not-present” environment, simply because there is more opportunity for fraudsters. As the merchant – you can’t verify someone’s signature, you can’t look at a driver’s license, and you can’t physically see the person to assure they are who they say they are! So no matter what – a “card-not-present” sale is ALWAYS considered risker for the merchant. This fact doesn’t change for EMV.

When you take an online/keyed sale, you’ll have no new steps to take, since you’ll be asking for the same info you always do – the credit card number, expiration date, and cardholder information. The addition of the EMV chip to a credit card only enhances in-person security and reduces in-person fraud. It doesn’t change a thing about card-not-present sales.

My organization accepts in-person sales – how does EMV affect us?

The EMV shift will impact each merchant differently, and most nonprofits will be the “least affected” of all merchant types. Starting October 1, 2015, liability shifts from issuing banks to merchants for fraudulent, in-person sales for which EMV could have been used. This means that if you swipe (instead of dip) an EMV card, and that card was fraudulent, YOU ARE RESPONSIBLE FOR THE LOSSES. This is different than before – it used to be that if you accepted a fraudulent card, it was the issuing bank who took the responsibility most of the time. Now, if you could have taken the sale via EMV but didn’t, the fraud is your responsibility. 

This is what would have to happen for your organization to bear liability:

  1. First, one of your customers’ cards would need to be compromised. Their EMV card would have to be “skimmed” and the fraudster would copy the magnetic stripe of their EMV card onto a fake, fraudulent card.
  2. THEN, that fraudster would have to arrive, in-person, at your location and process a sale. If you “dipped” this sale via EMV, the fraud would be immediately stopped, as the sale wouldn’t process. But, if you just “swiped” the card, the sale would process, and the fraudster would leave, goods in hand. The real cardholder’s card would be charged by your organization.
  3. Later, the real cardholder would call their bank, report the fraud, and contest the sale. You’d lose the dispute, since the fraud could have been prevented, had you utilized EMV.

So… should we worry?

If you are a merchant who is likely to be targeted for in-person fraud, then EMV is very important in protecting yourself from fraudulent sales. Merchants selling high-ticket goods or easily re-sellable items are at high risk – because a fraudster could copy someone’s card, use it at your organization to purchase expensive goods, then turn around and immediately sell those goods on the open market. The real cardholder would simply dispute the sale with their bank, and they’d WIN – leaving YOU on the hook for fraud.

Should I upgrade to EMV?

Long term, the answer is YES, you’ll need to upgrade to EMV hardware if you take in-person sales. Over the next year or so, all of your customers will start having EMV cards in their wallets, and will expect to be able to pay with them. It won’t happen overnight, but long-term, EVERYONE will have an EMV card, and magnetic swipes will be a thing of the past.

You’ve got time, though. For the next few years, every card issued will have BOTH a chip AND magnetic stripe – so you’ll be able to accept any card. Ultimately though, issuing banks will stop putting the magnetic stripe on the back, and only EMV will remain.

Conversely – if you only accept donations and small goods sales, chances are that fraudsters aren’t targeting you, and EMV isn’t as big of a deal. Stealing cards is a risk, and fraudsters won’t take that risk if they don’t see a worthy reward.

When should I upgrade?

Although an upgrade will ultimately be required, you don’t have to do it today. Many organizations are choosing to, but you can wait as long as you’d like. Ultimately, it’s your organization’s decision to determine how much risk of fraud you’re willing to withstand before investing in new hardware. There are plenty of merchants waiting, particularly those in low-risk businesses.

Due to large demand for EMV hardware, there are very limited EMV solutions on the market today. As such, many nonprofits are opting to wait until 2016 to invest in new solutions. Ultimately, it’s up to your organization to determine if an investment in new hardware outweighs the risks of potential fraud.

How does Dharma support EMV?

Dharma currently has multiple different terminal offerings, and is in the process of upgrading all current merchants to accept EMV. We’re doing our best to educate our merchants, offer low-priced hardware, and help dispel any confusion around EMV. See the below links for additional information about the EMV shift and how it affects you.