Article: The EMV Impact to Kiosk Operators
TITLE: EMV’s Impact on Kiosk Owners
WRITTEN BY: Kisha Wilson Young
PUBLICATION DATE: Part 1 - May 1, 2017/Part 2 – May 8, 2017
(KioskMarketplace.com)
How will kiosk owners be affected by EMV compliance? Will kiosk operators and possibly even
manufacturers be adversely affected if they do not ensure their kiosks are EMV-enabled? To
answer this, we need to take a step back and analyze exactly what being EMV-enabled means
and what happens if a kiosk isn't upgraded to ensure that it is compliant.
WHAT IS EMV?
EMV is a global payment standard that was established by the major international credit card
companies. The acronym stands for EuroPay, MasterCard and Visa. The standard relies on
modern credit card manufacture that utilizes an embedded microprocessor chip. It replaces
other card options that use the more commonly known magstripe or magnetic strip that stores
data on the band of magnetic material found on the back of older cards. The magstripe cards
have been proven to be less secure, as information on the magstripe can easily be retrieved and
replicated, leaving the cardholder vulnerable to fraud.
WHY IT MATTERS
EMV technology was introduced as an option that, along with other security measures, could
decrease fraudulent credit card activity. Some of the benefits of the implementation of EMV
technology include:
• Fraud prevention – EMV cards have been proven to prevent fraudulent transactions.
  An EMV card is nearly impossible to clone because the chip is tamper-proof, making
  counterfeit card fraud extremely difficult. This, along with other security features,
  is a huge deterrent to would-be fraudsters.
• Highly effective security features – There are several security benefits of chip card
  technology.
  - It uses a unique card authentication process that makes it more secure. This process
    includes a one-time cryptographic transaction code (cryptogram) for each
    transaction that is never replicated or reused. Because the cryptogram is
    dynamically created by the chip card on each transaction, the data cannot be copied
    to use on other card transactions.
  - Chip cards have built-in, sophisticated encryption that allows cardholder verification.
    There are four cardholder verification methods supported by EMV: offline PIN,
    online PIN, signature or no CVM.
  - Issuer-defined rules can be used to provide transaction authorization. The
    transaction can be authorized either online or offline (if offline authorization is
    supported by both the card and the POS). Card brand support in the U.S. varies.
These security features complement other payment security standards such as point-to-point
encryption or tokenization, providing an additional layer of protection for users.
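A simplified model of the one-time cryptogram described above, as an added example that is not part of the original article. The class names, key, message layout and counter check are assumptions for illustration, and HMAC-SHA256 stands in for the MAC algorithm real EMV cards use.

```python
import hashlib
import hmac


def _message(amount_cents: int, terminal_nonce: bytes, counter: int) -> bytes:
    # Assumed layout: amount, terminal-chosen random value, card transaction counter.
    return amount_cents.to_bytes(8, "big") + terminal_nonce + counter.to_bytes(2, "big")


class ChipCard:
    """Toy chip: holds a secret key the terminal never sees, plus a counter."""
    def __init__(self, key: bytes):
        self._key = key
        self._counter = 0  # incremented on every transaction

    def cryptogram(self, amount_cents: int, terminal_nonce: bytes):
        self._counter += 1
        msg = _message(amount_cents, terminal_nonce, self._counter)
        return self._counter, hmac.new(self._key, msg, hashlib.sha256).digest()[:8]


class Issuer:
    """Checks the cryptogram online and refuses any counter value seen before."""
    def __init__(self, key: bytes):
        self._key = key
        self._last_counter = 0

    def authorize(self, amount_cents, terminal_nonce, counter, mac) -> str:
        msg = _message(amount_cents, terminal_nonce, counter)
        expected = hmac.new(self._key, msg, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, mac):
            return "declined: bad cryptogram"
        if counter <= self._last_counter:
            return "declined: cryptogram reused"
        self._last_counter = counter
        return "approved"


def demo():
    key = bytes(range(32))                      # constructed sample key
    card, issuer = ChipCard(key), Issuer(key)
    nonce1, nonce2 = b"\x01\x02\x03\x04", b"\x0a\x0b\x0c\x0d"  # constructed values
    ctr, mac = card.cryptogram(1250, nonce1)
    first = issuer.authorize(1250, nonce1, ctr, mac)     # genuine transaction
    replay = issuer.authorize(1250, nonce1, ctr, mac)    # same data submitted again
    copied = issuer.authorize(1250, nonce2, ctr, mac)    # copied data, new terminal value
    ctr2, mac2 = card.cryptogram(1250, nonce2)
    second = issuer.authorize(1250, nonce2, ctr2, mac2)  # genuine card, next transaction
    return first, replay, copied, second


if __name__ == "__main__":
    print(demo())
```

Static magstripe data has no counterpart to the counter or the terminal value, which is why a copy of it is indistinguishable from the original card.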
IS IT WORTH IT?
How do we know EMV isn't more trouble than it's worth and that it's effective?
It is now a "choice" in name only. Most merchants who do not implement it are now liable for
fraudulent transactions. Its effectiveness is already being seen in countries such as the
United Kingdom and Australia that have already introduced it. Here are the facts and figures:
• 1.62 billion cards, 45 percent of the world's payment cards, have EMV chips. This does
  not include the US.
• 23.8 million terminals, 76 percent of the world's payment terminals, can accept EMV
  cards.
• As the European Union completed its migration to EMV in 2013, the region saw an 80
  percent reduction in credit card fraud. During the same period, the US witnessed a 47
  percent increase in credit card fraud.
• In Canada, debit losses fell from a high of $142 million in 2009 to $38.5 million in 2012
  – a 73 percent drop.
• In France, when EMV was implemented in 2005, counterfeit card fraud dropped by 91
  percent while fraud from card theft fell by 98 percent.
Just imagine what effect it could have on the credit card fraud in the US.
A study conducted by Javelin Strategy and Research reported that the number of in-store credit
card fraud victims reached 5.6 million in 2015, up from 5.4 million in 2014. Online/mobile fraud
or "card not present" fraud reached 6 million in the US in 2015, up from 4.8 million in 2014.
Unfortunately, the present year doesn't look too promising for card fraud either. It is estimated
that credit card fraud in the US reached $4 billion in 2016, up 12.5 percent from the prior year.
This estimate could increase to as much as $10 billion between now and 2020 as fraudsters
attempt to "cash in" before chip card technology becomes standard.
The study estimated that most of this fraud will be a result of stolen credit card numbers online
and via mobile channels.
Other types of fraud could include application fraud, in which stolen or hacked information
is used to open new credit card accounts, and account takeover, in which hackers use
compromised data to log into consumer and business accounts online and siphon funds from them.
When broken down by transaction, Javelin's study stated that the average loss for existing cards
was $980 in 2015, while the average for new account fraud — which accounts for 20 percent of
all fraud losses — was $2,379.
WILL IT MAKE A DIFFERENCE?
It is hoped that EMV implementation will reduce these figures. However, implementation has
been a slow process so far, with approximately one third of the nation's retailers completing
implementation as of December. This is in stark contrast to the number of chip cards being
issued – 65 percent of all US credit cards and 33 percent of US debit cards were issued with
chips as of June, according to creditcards.com.
However, experts expect that once the majority of merchants (84 percent, according to Javelin)
make the switch in the next three to four years, card security problems typically associated with
magnetic swipe cards will greatly diminish.
But wait, three to four years? Wasn't the deadline October 2015?
WHAT IF YOU'RE NOT COMPLIANT?
The deadline, or the EMV liability shift date, was October 1, 2015, just over one year ago. It was
the date selected by the card brands for merchants to upgrade their payment infrastructure to
accept EMV chip cards to avoid liability for fraud from counterfeit cards made from EMV chip
cards.
The liability, which prior to the deadline was borne by the issuer of the card (i.e., the bank or
credit union) now shifts to the merchant or operator, who will now be responsible for paying
any chargebacks resulting from fraudulent activity.
This is quite a huge change that could have great financial implications.
Last summer, merchants handling low-value payment card transactions caught a break when
card issuers agreed to postpone the EMV liability for transactions under $25. This includes
many kiosks and vending machines.
However, when the liability grace period ends, merchants that have not deployed
EMV-compliant systems will once again face chargebacks.
Compliance with EMV is no longer a choice for businesses that accept credit cards. Card issuers
will hold businesses liable for fraudulent credit card charges if their payment equipment is not
EMV compliant.
But because of the difficulty that many businesses have faced trying to implement EMV, the
card issuing companies have postponed enforcing the liability shift to give businesses more
time to comply.
EMV’s goal is to help reduce counterfeit fraud costs for merchants who have not yet upgraded
their POS terminals to accept EMV chip cards.
CARD ISSUERS HOLD OFF ON CHARGEBACKS
Visa and American Express announced policies last year to limit chargebacks for fraudulent
credit card purchases under $25 – through April 2018. An analysis by American Express found
that more than 40 percent of its counterfeit fraud chargebacks in the U.S. were for transactions
under $25.
Visa said it would block all counterfeit-card chargebacks under $25 in July of 2016, and by
October would allow banks to charge back only 10 counterfeit transactions per account and
would require them to assume liability for all transactions thereafter.
American Express announced that at the end of August 2016, merchants will not be held liable
for chargebacks for counterfeit fraud for transactions under $25. In addition, by the end of
2016, the company planned to limit the number of counterfeit fraud chargebacks to a total of
10 per card account. The card issuer – not the merchant – will bear the financial liability for any
additional counterfeit fraud transaction that is disputed on a card after 10 chargebacks. This
limit does not prevent a card member from disputing additional fraudulent transactions.
The changes announced by both Visa and American Express will remain in effect until April
2018.
Mastercard, for its part, updated its fraud rules to minimize the cost to merchants that have not
yet transitioned to EMV. The policies were designed to limit merchant exposure to excessive
chargebacks on fraudulent accounts.
Mastercard does not systematically block chargebacks under $25. The company reported that
its data indicated that card issuers were not actively submitting chargebacks under this
threshold, given the operational costs of low-dollar chargebacks.
EMV TRANSITION CHALLENGES RETAILERS
The credit card companies clearly want to support merchants in their efforts to reduce credit
card fraud.
The transition to EMV, however, has taken longer than many people expected due to the cost
and complexity of integrating the equipment with the software.
The State of Retail Payments 2016 Study by the National Retail Federation and Forrester
Research reported that 57 percent of merchants have installed EMV equipment, but cannot
enable it because they still are awaiting system certification. Of those, 60 percent have been
waiting six months or longer.
Smaller merchants – which include most kiosk operators – have been slower to comply than the
larger companies. Seventy-six percent of the 200 largest merchants are able to accept cards
with EMV chips.
Merchants and kiosk operators shouldn’t be disheartened or overwhelmed. Changes to current
hardware and software may be needed to support a new system.
Payment equipment manufacturers have introduced a number of EMV-compliant devices.
However, not all of the devices are able to interface with the card processors' software. EMV
hardware uses more advanced encryption technology, which is more complex than magstripe
technology.
The installation process could take as long as four to five months for setup, including staff
training and beta testing.
HOW RETAILERS CAN COMPLY
The Ingenico Group, a payment equipment manufacturer, has cited the following steps needed
for a business accepting credit cards to become EMV-compliant:
• Invest in EMV-enabled smart payment terminals, mPOS solutions or kiosks. Consideration
  should be given to current hardware deployment, store count, POS capability and sales volume.
• Become EMV certified by EMVCo, the company that owns the EMV standard, and the card
  issuers from which the merchant will accept payments. The certification process could take
  several weeks to several months, depending on the business’s size and complexity.
The certification process takes merchants through three levels.
• Levels 1 and 2 focus on certifying payment equipment – both hardware and software.
• Level 3, completed by the acquirer for some smaller businesses, involves end-to-end
  certification and covers conduct between the merchant and card brand.
The easiest way for businesses to begin the compliance process is to find a technology partner
or expert they trust. The Ingenico Group’s unattended partner program works with kiosk
providers, system integrators, value-added solution providers and gateway providers to enable
acceptance of all payment methods while delivering secure, EMV- and NFC-enabled unattended
service solutions.
KIOSK PROVIDERS OFFER OPTIONS
Many kiosk providers are now building EMV-compliant kiosks, making EMV compliance easier
for operators. Businesses interested in purchasing a kiosk can also stipulate EMV compliance as
a requirement to their kiosk provider.
Chip card technology is by no means a panacea for credit card fraud, as it certainly does not
address the fraud that occurs when credit card transactions are done by phone or online. This is
why it is important to check credit card statements for fraudulent activity each month.
Many technology partners recommend added security measures like tokenization – a
technology that eliminates the need for retailers to store sensitive data on their network. Apple
Pay and Android Pay use this technology. Some credit card companies also offer their own
versions.
Some experts believe two-factor verification or possibly an online form of EMV could be the
solution for online sales checkout.
For the time being, we have seen what EMV technology can do, and it will become more
effective if it is widely adopted. It is a step in the right direction that everyone must take.
EMV is being used successfully in many countries, including the UK, Europe, Canada and
Australia. The US is the last developed major country to adopt the technology.