The Small Business Guide to EMV

by Julie Knudson

Here comes EMV, a new payment card technology that promises better security, but shifts credit card fraud liability onto merchants. Is your small business ready? Here's what you need to know NOW.

Credit card technology is about to change beginning in October 2015, and small businesses that accept credit card payments need to take steps now or risk expensive consequences. In the upcoming switch to EMV technology, credit cards will become more secure. But the pending transition means merchants will see a shift—in how cards are processed and in the way credit card fraud gets handled. Being ready for the next evolution in payment card technology will take preparation for both small businesses and consumers alike.

What is EMV?

The EMV moniker stands for Europay, MasterCard and Visa, the organizations that initially developed the new standard. Already in use in numerous other countries, EMV technology essentially replaces the magnetic stripes the backs of U.S. consumer credit and debit cards with computer chips embedded directly in the cards. Rather than quickly swiping the magnetic strip through the card reader, you insert the new EMV card into a reader that reads the information embedded chip.

There will be two different versions of the EMV technology: a contact version and a contactless version. "With the contact version, you stick the card in and you put your PIN in while you dip your card into the reader," says Eric Cernak, vice president for reinsurer Munich Re America. "The contactless version lets you wave the card by the reader, which uses near field communications (NFC) to obtain what is essentially a token, or a one-time-use number."

Businesses planning to switch out their equipment to support the new EMV technology will need to determine if they want to support one or both versions. Customer preference may sway their decision, as some segments of consumers will likely favor one over the other.

EVM credit card chip technology

EMV chip technology embedded in a credit card.

But the switch to EMV technology will affect small business in more ways than choosing the type of hardware reader. The liability for fraudulent charges will also change when EMV becomes the standard.

"Basically, the banks have decided that, rather than accept the liability for fraudulently presented credit cards, they're going to shift that liability to merchants," said Norm Merritt, president and CEO of ShopKeep, a point-of-sale system provider. "If merchants haven't upgraded to the newest chip-enabled technology—similar to what they have in Europe and in Canada—by October 2015, basically have 100 percent of the liability for a fraudulently presented a credit card."

A small business that might spend 2 percent on interchange fees to take credit cards could see a 100 percent charge for fraudulent transactions that occur after October 2015—if they don't have an EMV-compliant card reader.

Each of the credit card brands has issued its own timeline for the transition to EMV in the U.S., but the milestone dates for each are roughly the same. Processors were required to support EMV back in 2013. In October 2015, the liability for counterfeit transactions shifts to the party that has implemented the lowest level of security, which roughly translates to the merchant being liable if they haven't deployed EMV card readers.

The liability shift for ATM transactions is scheduled for October 2016. And in October 2017, gas pumps—known as automated fuel dispensers (AFDs) in EMV roadmap lingo—will come into the liability-shift fold.

Of course, timing on the consumer side may not be as cut and dried. Eventually everyone will be on chip-embedded cards, but Jim Salmon, vice president of business services at Navy Federal Credit Union, which has a significant small business membership, says it won't happen overnight.

"Everyone will have the cards, but not everyone is going to get them by October. The card issuers will probably start phasing them in as people's cards either expire or as people lose them," said Salmon.

He anticipates that it could take a couple of years to complete the process. This could result in a consumer presenting a non-EMV card to an EMV-compliant merchant. Salmon believes this situation would leave the liability as it is now. "It's kind of hard for the card companies to hold a merchant liable if the customer uses a non-EMV card," he says.

Chip-and-PIN Versus Chip-and-Signature

While other countries have already standardized on chip-and-PIN, the current plan has the U.S. transitioning to a chip-and-signature scheme, at least for the October 2015 deadline. Shopkeep's Merritt says banks expressed concerns that the switch to chip-and-PIN asked too much of consumers. "Not only do they have to know to put the card in and leave it in the machine—which is different than just swiping it through—but they also need to remember a PIN number," he said.

The stopgap compromise entails transitioning to EMV in two stages. The first step will make a chip-and-signature process available. "You put the chip card in the reader—you have to leave it in; you have to learn that new behavior—but you just sign it like you always have," said Merritt.

In this two-stage scenario, consumers don't need to worry about remembering a new PIN. "Ultimately, banks will require people to actually have a PIN. It's a second level of authentication, and it makes it that much more secure," Merritt said. He added that banks will accept chip-and-signature after October 2015. "As long as a merchant follows that protocol, they will have card present rates, and they won't have to pay for fraudulently presented credit cards."

Benefits and Concerns of the EMV Payment Process

The transition to EMV technology will bring benefits and a handful of potential concerns. For small business owners, the liability shift is a priority issue. "Previously, they didn't really bear any of that exposure for fraudulent charges," Cernak said. Costs associated with counterfeit transactions were pushed back to the card issuer. That changes after October 2015.

"Now if merchants don't make the switch, they'll be held liable for some of that," Cernak said. Because the liability will in large part reside with the entity with the least-secure technology deployed, Cernak said, "It's going to act as an incentive for small business owners to upgrade their point of sale systems to ensure they're not left holding the bag at the end of the day."

But Salmon says there are benefits to the EMV shift, too, for small businesses as well as for the customers they serve. The reduced risk of fraud and cyber crime should provide consumers and merchants with the peace of mind they've been missing.

"Basically, information is being sent from the card over the network and back to validate the process, and it's a one-time validation specific to that transaction. The information that's being moved is never stored anywhere on the terminal or within the merchant's infrastructure," Salmon said.

The new system significantly reduces the ability of malware or other cyber threats to pick up any pertinent information and then reuse or clone it for future transactions. Customer concerns about having their card information stolen should diminish. It's also good news for small business owners who have watched headline after headline trumpet the latest retail data breach.

Merchants won't need to worry as much, because "credit card information will not be stored on any of their machines or in their network," said Salmon.

How SMBs Should Prepare for EMV

Merchants who want to avoid the liability associated with less-secure technology should examine their retail transaction equipment and talk with their providers about upgrade options. "For small businesses that use a solution like Square, it's just a matter of getting a new dongle to put on your phone or iPad," said Salmon.

Many of those mobile platforms are putting the final touches on the new equipment that merchants will need for the October 2015 deadline, and small businesses can typically pre-order the accessories they'll need if the hardware isn't available yet. Providers of traditional POS terminals may already have new machines in their inventory—many of which have dual readers capable of processing existing magnetic stripe cards as well as the new EMV cards—and some small businesses have already switched over.

EMV Resources for Small Business Merchants

If you'd like additional information on the switch to EMV technology or on the associated liability shift, check out these resources.

Julie Knudson is a freelance writer whose articles have appeared in technology magazines including BizTech, Processor, and For The Record. She has covered technology issues for publications in other industries, from foodservice to insurance, and she also writes a recurring column in Integrated Systems Contractor magazine.

Do you have a comment or question about this article or other small business topics in general? Speak out in the SmallBusinessComputing.com Forums. Join the discussion today!
This article was originally published on Monday Apr 20th 2015
Mobile Site | Full Site