As merchants and schools alike continue to prepare for the October 1 EMV liability shift date, we’ve heard many great questions from our campus partners. Because we can appreciate how confusing this can be with all of the information and misinformation in the market, earlier this year we shared some insight regarding EMV and how it relates to the higher education industry in the “What’s This About EMV?” blog post. Now, in this three-part EMV series, we will share greater insight about the EMV certification process for service providers, adopting an EMV strategy, and training and getting stakeholders on board.
First, let’s take a look behind the curtain. As a quick reminder, EMV’s intent is to prevent card-present, point of sale fraud. It does this by leveraging a dynamic data element on a smart chip in the card. EMV cards exist, and have existed for some time, in many other markets around the world.
This technology is finally making its way to the United States, which has one of the more complex payments ecosystems in the world—a fact the card brands (the entities driving the change) recognize and appreciate. As such, they’ve stopped short of a mandate in order to give people time to make the necessary arrangements to adopt this new technology. Let us emphasize that: THERE IS NO MANDATE. This is one of the most common misconceptions we hear in the market. Merchants think that if they don’t have their equipment in place by October 1, they will have to pay fines and/or won’t be able to process credit cards. Neither is true. What it does mean is that after October 1, if the merchant cannot process EMV cards, it assumes the liability for fraud, should that transaction be fraudulent.
With no mandate, we’ll be operating in a bit of a hybrid environment for the foreseeable future; payers will be using both EMV cards as well as magnetic stripe cards. EMV has been in place in Canada for a dozen years, and today 83% of transactions are EMV.
One of the largest changes for merchants is the hardware required to process an EMV transaction. To this end, we’d like to make sure you understand the difference between hardware that is EMV Ready vs. EMV Certified.
EMV cards are “dipped” into the POS device rather than swiped (what most of us are used to). The next time you’re at a store, check out the POS device at the cashier. You’ll probably see a slit at the bottom of the device where a payer can insert their EMV card. Ask the cashier if the EMV reader on the device is operational. With a few exceptions, you’ll either get a blank stare or an explanation that it hasn’t been turned on yet. A device that has the ability to process an EMV card but can’t yet do so is called an EMV Ready device. If the cashier says you can use your EMV card, the device is considered EMV Certified.
Now, what does this mean? Why would the merchant install new devices but not turn their capabilities on? The answer actually has little to do with the merchant. It’s more about the process by which a device is certified. The certification process must be done for each combination of device and processor. On top of that, MasterCard, Visa and American Express all have unique certification evaluations. If a device is NFC capable (which many EMV devices are), there is an additional certification process for each of the aforementioned card brands. Therefore, a device/processor combination could go through up to six different certification evaluations before being deemed EMV Certified.
As you can imagine, with all of the devices and processors trying to achieve certification all at once, there is a bit of a bottleneck in the certification line, so it will take time for all of the certifications to be achieved.
Investing in new hardware can be an expensive proposition for any merchant. Javelin Strategy and Research estimates that new EMV POS devices will cost merchants $6.75 billion. And one must consider the cost of the hardware (and all of the fun accessories that come with them), as well as the cost of the encryption (which varies).
Cost is an important factor for a merchant to consider when determining its EMV strategy. Ultimately, the cost of the devices should be compared to the dollar volume of card-present fraud at the POS for the merchant. If you are a merchant with a considerable amount of card-present fraud, it would probably be in your best interest to move quickly to convert. If you have a very low amount of card-present fraud, you may have the luxury of choosing a time that works best for you and your business.
Most college campuses have very little card-present fraud, and therefore are in the latter category, but again, each campus is different and you should work with your processor and/or payments software provider to outline your EMV strategy.
There are a number of things a merchant can do to mitigate card-present fraud at the POS that does not rely upon EMV cards. For example, a merchant can check the payer’s ID to ensure it matches the information on the credit card. The merchant can also input additional information from the front of the card for the purpose of comparing the information from the front of the card to the data on the card’s magnetic stripe (most commonly the CVV2). These changes have both proven to be effective means of fighting card-present fraud.
According to a recent survey of merchants by ACI Worldwide, just 30–40% of tier 1 retailers may have solid EMV structures in place by October 1. In addition, a Payments.com survey revealed that nearly 40% of small businesses are not convinced they need to make the upgrade at all!
All of this speaks to the importance of developing your EMV strategy, as it will be unique to your campus. CASHNet is here to help you think your strategy through, and can help you answer questions you may be getting from internal stakeholders. We recognize that this is a complicated implementation, so we are happy to help!
Stay tuned for additional articles with more information related to EMV!