Frequently Asked Questions About EMV and Merchant Liability
This FAQ is intended provide useful and organized information on EMV chip card technology.
Understanding EMV
What is EMV?
EMV is a new way of securing credit and debit transactions created by and in conjunction with Europay, Mastercard, and Visa, hence the name EMV. To increase data security, it utilizes an embedded microprocessor chip that allows for dynamic authentication in place of the static authentication used by traditional magnetic stripe technology. This new technology is also commonly referred to as "chip and pin" or "chip and signature".
What makes EMV different than traditional magnetic stripe payment?
Traditional credit and debit cards contain all of their data on the magnetic stripe on the back of the card. The information contained there never changes. With an EMV card, the chip can change certain information, which it does for security purposes. This allows the point of sale device, combined with the EMV card, to use a stronger type of dynamic authentication than was previously available.
Am I required to utilize EMV technology?
As of the date this document was published, merchants in the United States are not required by government or card brand mandate to convert to EMV capable systems.
Are magnetic stripe readers still viable?
As of April 2014, Visa has stated that the magnetic stripe will remain on their cards for the foreseeable future. With the large number of merchants in the U.S. and around the world accepting magnetic stripe, traditional magnetic stripe readers are likely to persist for quite some time before the EMV technology becomes ubiquitous.
Will EMV require any hardware changes?
At the present time, all EMV cards retain the traditional magnetic stripe and can be read and processed by existing card reader hardware without utilizing the EMV chip technology. This means that cards with EMV will be able to use non-EMV terminals and EMV-capable terminals will still be able to process traditional cards.
Latest News Regarding EMV
Update 8/5/2016
The U.S. continues to see a slow rollout and implementation of EMV. We are now well beyond the start date of October 2015, and most merchants at this point realize there was no need to panic. In fact, only 17% of small to medium businesses using an integrated POS have upgraded to EMV.
The card brands have also taken a step back to evaluate the EMV rollout with both Visa and American Express recently modifying their chargeback policies for merchants who are not yet ready to accept chip cards. Those changes include a decision to block all US counterfeit fraud chargebacks under $25, effective July 22, 2016. According to their own research in the U.S., American Express discovered that 40% of counterfeit fraud chargebacks occur on transactions that are below the $25 threshold.
In addition, beginning October 2016, VISA and American Express issuers will be limited to charging back 10 fraudulent counterfeit transactions per merchant account, and will assume liability for all fraudulent transactions after the limit has been reached on an account. Both of these changes will remain in effect until April 2018. These changes to the EMV chargeback policies are designed to give merchants more time to upgrade their systems for chip cards while limiting merchant fraud losses.
Liability and Merchant Compliance
What is the Liability Shift and who will be responsible for a fraudulent charge once it occurs?
The major card brands, Visa, MasterCard, Discover, and American Express, have announced that liability for counterfeit transactions will shift to the party that has not implemented EMV capabilities. Additionally, MasterCard, Discover, and American Express have announced a shift as it relates to lost and stolen chip cards. Liability falls to the party that supports the less secure form of cardholder verification, with PIN being considered the highest form of cardholder verification. Visa has also announced a shift of lost/stolen liability to the issuer for chip card transactions completed at unattended chip capable terminals that support no cardholder verification.
How does EMV affect my PCI compliance?
PCI compliance is a separate issue from EMV. Merchants are still responsible for maintaining PCI compliance irrespective of EMV acceptance. At this time, Fascard is not PCI-SCC approved.
How will the Liability Shift impact my business?
Laundry merchants today generally see a very low number of chargebacks and very little benefit in disputing them- the cost of contesting a chargeback typically far exceeds the the cost of the chargeback itself. Since chargebacks today account for less than one-tenth of one percent (0.1%) of laundry credit charges, the Liability Shift is likely to have very little impact on the small ticket laundry market.
If I'm not using EMV, is my system vulnerable to hackers?
Our system is designed to move responsibility for accepting, transmitting, authorizing, settling and storing card holder data away from laundry operators and onto CCI. We maintain PCI compliant data centers and employ the latest in encryption and tokenization. Using encrypting magnetic stripe read heads and employing prepaid customer cards and accounts, we shield the store customer's card information from hackers by encrypting that information and removing any hacker's ability to access clear text data that could be monetized. Before the transaction leaves the FasCard system, it is again encrypted before it is sent for authorization. This results in a two factor security system that makes unauthorized access very difficult, if not impossible, to achieve.
EMV Facts and Figures
EMV is the standard governing interoperability of chip cards and payment devices accepting these cards. Chip card acceptance is coming to the United States, which is the last major country in the world to begin migration.
EMVCo statistics show that 45% of the cards issued worldwide, excluding the US, are chip cards. (Source: EMVCo Worldwide EMV Deployment and Adoption as of Q4 2016, 2017, and 2018 excluding United States)
As issuers in the US start providing credit EMV cards, these cards will also include a magnetic stripe. In conversations with the card manufacturers that service card issuers, the majority of cards to be issued will have an EMV contact chip and magnetic stripe. Only 5 to 7% of cards to be issued will be dual interface – EMV contact and contactless, including a magnetic stripe.
Merchants that do not have a terminal or POS system capable of processing chip cards will be responsible for chargebacks related to counterfeit and lost & stolen fraud acceptance, beginning in October 2015. This applies only when an EMV card is presented at a non-EMV POS device; otherwise the current liability (chargeback protections) remains. This is commonly referred to as the liability shift, which moves responsibility for chargebacks to the party which has not implemented EMV technology.
EMV card acceptance is not a government or card brand mandate for merchants or card issuers.
The driving force of EMV card acceptance is improved security with card chip technology. EMV makes it difficult or nearly impossible to skim an EMV card for monetization. However, EMV does not protect sensitive cardholder data, such as the card number or expiration date when transmitted for authorization. EMV is only one step in a layered security approach.
With the announcement of the Target breach as well as other breaches, issuers have increased their orders for EMV cards
Visa recommends implementing chip capable terminals that support contact chip, contactless chip, and magnetic stripe capabilities. (Source: Visa Chip Advisory #20, Updated July 11, 2012: Visa Recommended Practices for EMV Chip Implementation in the U.S. page 3)
Visa specifically requires magnetic stripe as the underlying card-reading format – and that it be supported on all cards. (Source: Visa Chip Advisory #20, Updated July 11, 2012: Visa Recommended Practices for EMV Chip Implementation in the U.S. page 7)
In fact, Visa’s rules require EMV accepting devices to support magnetic stripe. (Source: Visa International Operating Regulations (Public version), 15 April 2013, page 421, reference ID#: 150413-010410-0004832) Visa estimates that mag stripes will be on credit and debit cards for a minimum of 10 years and more likely over 20 years.
Additional Resources
EMVCo - The official source for information on EMV specifications.