Credit card technology is about to change beginning in October 2015, and small businesses that accept credit card payments need to take steps now or risk expensive consequences. In the upcoming switch to EMV technology, credit cards will become more secure. But the pending transition means merchants will see a shift—in how cards are processed and in the way credit card fraud gets handled. Being ready for the next evolution in payment card technology will take preparation for both small businesses and consumers alike.
What is EMV?
The EMV moniker stands for Europay, MasterCard and Visa, the organizations that initially developed the new standard. Already in use in numerous other countries, EMV technology essentially replaces the magnetic stripes the backs of U.S. consumer credit and debit cards with computer chips embedded directly in the cards. Rather than quickly swiping the magnetic strip through the card reader, you insert the new EMV card into a reader that reads the information embedded chip.
There will be two different versions of the EMV technology: a contact version and a contactless version. "With the contact version, you stick the card in and you put your PIN in while you dip your card into the reader," says Eric Cernak, vice president for reinsurer Munich Re America. "The contactless version lets you wave the card by the reader, which uses near field communications (NFC) to obtain what is essentially a token, or a one-time-use number."
Businesses planning to switch out their equipment to support the new EMV technology will need to determine if they want to support one or both versions. Customer preference may sway their decision, as some segments of consumers will likely favor one over the other.
EMV chip technology embedded in a credit card.
But the switch to EMV technology will affect small business in more ways than choosing the type of hardware reader. The liability for fraudulent charges will also change when EMV becomes the standard.
"Basically, the banks have decided that, rather than accept the liability for fraudulently presented credit cards, they're going to shift that liability to merchants," said Norm Merritt, president and CEO of ShopKeep, a point-of-sale system provider. "If merchants haven't upgraded to the newest chip-enabled technology—similar to what they have in Europe and in Canada—by October 2015, basically have 100 percent of the liability for a fraudulently presented a credit card."
A small business that might spend 2 percent on interchange fees to take credit cards could see a 100 percent charge for fraudulent transactions that occur after October 2015—if they don't have an EMV-compliant card reader.
Each of the credit card brands has issued its own timeline for the transition to EMV in the U.S., but the milestone dates for each are roughly the same. Processors were required to support EMV back in 2013. In October 2015, the liability for counterfeit transactions shifts to the party that has implemented the lowest level of security, which roughly translates to the merchant being liable if they haven't deployed EMV card readers.
The liability shift for ATM transactions is scheduled for October 2016. And in October 2017, gas pumps—known as automated fuel dispensers (AFDs) in EMV roadmap lingo—will come into the liability-shift fold.
Of course, timing on the consumer side may not be as cut and dried. Eventually everyone will be on chip-embedded cards, but Jim Salmon, vice president of business services at Navy Federal Credit Union, which has a significant small business membership, says it won't happen overnight.
"Everyone will have the cards, but not everyone is going to get them by October. The card issuers will probably start phasing them in as people's cards either expire or as people lose them," said Salmon.
He anticipates that it could take a couple of years to complete the process. This could result in a consumer presenting a non-EMV card to an EMV-compliant merchant. Salmon believes this situation would leave the liability as it is now. "It's kind of hard for the card companies to hold a merchant liable if the customer uses a non-EMV card," he says.
Chip-and-PIN Versus Chip-and-Signature
While other countries have already standardized on chip-and-PIN, the current plan has the U.S. transitioning to a chip-and-signature scheme, at least for the October 2015 deadline. Shopkeep's Merritt says banks expressed concerns that the switch to chip-and-PIN asked too much of consumers. "Not only do they have to know to put the card in and leave it in the machine—which is different than just swiping it through—but they also need to remember a PIN number," he said.
The stopgap compromise entails transitioning to EMV in two stages. The first step will make a chip-and-signature process available. "You put the chip card in the reader—you have to leave it in; you have to learn that new behavior—but you just sign it like you always have," said Merritt.
In this two-stage scenario, consumers don't need to worry about remembering a new PIN. "Ultimately, banks will require people to actually have a PIN. It's a second level of authentication, and it makes it that much more secure," Merritt said. He added that banks will accept chip-and-signature after October 2015. "As long as a merchant follows that protocol, they will have card present rates, and they won't have to pay for fraudulently presented credit cards."