image path: /content/dam/www_worldpay_com/en/images/header_us-en_image1_5067.jpg

EMV basics for merchants

EMV. These three letters have consumed the payments industry for over half a decade. While the fraud liability shift for point of sale terminals is slowly fading in the rear view mirror and the migration to chip card processing is edging toward business as usual, implementing chip card processing still remains a significant challenge for merchants.

Many merchants, having initially deferred implementing support for EMV chip cards, are now taking their first steps into the chip certification process. Even for merchants who have rolled out their initial contact chip card processing solutions, new challenges such as contactless and mobile, “quick chip,” the liability shift for automated fuel dispenser, and evolving fraud attack vectors, have heaped on additional complexity to an already complex chip implementation process.

Let’s take another look at EMV and why it’s still relevant.

What is EMV?

While most people think of EMV as the chip on their payment card, EMVCo defines “EMV” as the superset of all specifications the organization manages including their tokenization, 3D Secure and Secure Remote Commerce specifications as well as the venerable contact and contactless chip specifications. For our purposes, however, we will stick to EMV chip card processing.

EMV was and is one of the biggest changes to happen in the payments world. Defining a more secure method of payment, the specification was developed jointly by Europay, MasterCard and Visa in the mid-1990s, and has been widely used throughout Europe and around the globe for several years.

EMV is a proprietary standard used by the global payment networks to combat card-present counterfeit fraud. For merchants to process chip cards, their payment card processing devices and solutions must be certified to the card brands’ chip card processing requirements.

Why was the US late in adopting EMV?

There are many reasons why the US was late in the migration toward EMV. The first is the sheer scale and complexity of the US market. The inherent challenge in aligning the interests of thousands of retailers, financial institutions, the credit card associations, and consumers has hindered adoption.

Secondly, disagreements over who will pay for the transition to EMV and how to educate and persuade merchants and consumers to adopt the new technology have added to the delay.

Additionally, there has been an underlying sentiment in the US of, “If it’s not broke, don’t fix it.” While security concerns have driven EMV adoption around the globe, the US has historically had strong fraud and legal systems that have kept fraud rates low in comparison to other countries. America’s robust credit card system has offered real-time transactions for years, while older systems and greater lag time in sending transactions in other countries has led to more vulnerability to fraudsters.  

Lastly, some experts have pointed to the physical separation between the US and Europe being a major factor in delaying EMV adoption.

How does EMV secure the transaction?

EMV introduces a small computer or "chip" to each payments device. The chip stores information, performs processing, and contains secure keys that generate cryptographic data. Each chip card transaction generates dynamic data, making it nearly impossible to use counterfeit cards at POS devices or replay intercepted transactions. This is in contrast to traditional magnetic stripe cards, which contain static data in the magnetic stripe.

EMV chip card technology secures the transaction with enhanced functionality in three main ways:

  1.      Card authentication – EMV protects against counterfeit cards by creating unique transaction data so that any data that fraudsters may intercept could not be used in subsequent transactions.
  2.      Cardholder verification – EMV authenticates the cardholder and protects against lost and stolen cards by ensuring the person making the transaction is the legitimate cardholder. Usually, EMV requires the customer enter a pre-set PIN before the transaction will initiate.
  3.      Transaction authorization – EMV authorizes transactions using issuer-defined rules either online or offline.

When an individual steals data from the stripe on a traditional magnetic stripe card, they are able to re-use it again and again because the information on the stripe never changes. With chip cards, the data is different every time it’s used, which prevents it from being replicated. While EMV cannot do away with data breaches, it can limit the value thieves get from the stolen customer data.

What happens during a chip card transaction?

 A chip card transaction has a five step process:

 

  1.      The cardholder inserts their chip card into a device attached to the POS system.
  2.      The chip embedded in the card contains a unique key that is accessed by the device reader.
  3.      The chip sends a unique cryptogram to the processor’s host with the approval transaction.
  4.      For chip and PIN, the cardholder is asked for their PIN number; for chip and signature, the cardholder is asked to sign the device screen.
  5.      The cardholder is prompted to remove their card once the transaction is complete.

 

What are the benefits of chip card acceptance?

Chip cards are designed to protect against counterfeit fraud through authentication of dynamic data generated by chip cards, smart phones and other EMV-compliant devices. The cards provide risk management parameters at the card level and, when used with PIN, can offer protection against counterfeit, lost, and stolen card fraud.

Since the widespread adoption of EMV in the US, counterfeit fraud rates have decreased significantly according to Mastercard and Visa. In March 2018, Visa reported a 76% decrease from December 2015 to December 2017 in counterfeit fraud costs for US merchants that have adopted chip technology in their stores.

Additionally, enabling EMV at the POS allows merchants to accept contactless payments eWallets, like Apple Pay.

[callout]

  1.      Consumers dip their chip cards 75% of the time, versus swiping 25%
  2.      76% of consumers are somewhat or extremely knowledgeable about chip cards
  3.      72% of users rate chip cards as more secure than magnetic stripe cards
  4.      82% of chip card users and 73% of chip debit card users report positive experiences
  5.      74% of users say they haven’t had any difficulties using chip cards in the past year

How does EMV affect merchants?

Prior to the liability shift in October 2015, merchants were not usually held responsible for fraudulent transactions that occurred through no fault of their own. Card issuers (e.g. financial institutions) covered the cost of that fraud.

After the shift, liability for losses related to counterfeit fraud shifted to the party that has not invested in chip technology. Card networks, issuing banks, and payment processors are generally ahead of the curve, leaving businesses who haven’t upgraded to EMV the weak link in the chain.

There are exceptions for cases of lost/stolen card fraud and fallback transactions, and liability rules often depend on the card-issuing network, the type of card, and the type of terminal used to process it.

“Fallback” is an established backup process for failed EMV transactions. Fallback happens when the chip card or terminal is malfunctioning and the transaction is completed using magnetic stripe or is key entered. The card issuer assumes liability for properly formatted and approved fallback transactions.

Navigating the EMV liability shift

Understanding fraud liability can be confusing, but the “Navigating the EMV Liability Shift” flowchart below offers some insight. Additionally, merchants should talk with their payments partner and refer to the card acceptance guidelines and merchant service agreements for details.  Below are some examples of Q&A and how liability might be reached:

Was a counterfeit copy of a chip card used?

YES

Did the transaction take place using an EMV chip card terminal?

YES

Was the chip read?

YES

Chip card, chip terminal, ISSUER LIABLE for transaction

 

Was a counterfeit copy of a chip card used?

NO

No chargeback rights available under the EMV liability shift

 

Was a counterfeit copy of a chip card used?

YES

Did the transaction take place using an EMV chip card terminal?

NO

Chip card, non-chip terminal, MERCHANT LIABLE for counterfeit transaction

 

Was a counterfeit copy of a chip card used?

YES

Did the transaction take place using an EMV chip card terminal?

YES

Was the chip read?

NO

Was the authorization approved?

NO

MERCHANT LIABLE for counterfeit transaction

 

Was a counterfeit copy of a chip card used?

YES

Did the transaction take place using an EMV chip card terminal?

YES

Was the chip read?

NO

Was the authorization approved?

YES

Did the authorization include valid fallback indicators?

YES

ISSUER LIABLE for transactions

 

Was a counterfeit copy of a chip card used?

YES

Did the transaction take place using an EMV chip card terminal?

YES

Was the chip read?

NO

Was the authorization approved?

YES

Did the authorization include valid fallback indicators?

NO

If the issuer would have declined the transaction had the authorization contained valid feedback data, THE ISSUER MAY INITIATE A CHARGEBACK for invalid authorization data.

How does a chip-enabled terminal change the checkout process?

Using a chip card at checkout isn’t that much different than a traditional magnetic swipe card. At the point of sale, there are two main changes:

  •   Instead of swiping the card, the customer inserts, or “dips” their card into the reader
  •   With standard EMV processing, the card will remain in the reader for the duration of the transaction (this is not required for “quick chip” solutions, see section below)

During the “dip,” the card and terminal conduct a dialog to identify processing restrictions, perform risk analysis and generate the dynamic data. If the transaction is to be authorized online, the data is sent to the issuer who verifies the legitimacy of the card and generates a transaction response. The response may then be validated by the card.

The dip process can take a bit more time than a swipe, so most EMV enabled devices prompt the customer to remove their card when the process is complete. With quick chip implementations, much of this time lag can be eliminated.

Will “dipping” replace swiping altogether?

Not necessarily. Chip-enabled terminals are backwards compatible with mag-swipe processing, so cards from issuers that have not converted to chip yet can still be supported. Likewise, chip cards will continue to have a magnetic stripe on the back of them so they can be used with magnetic-swipe only terminals.

In addition, some chip cards come equipped with near field communication (NFC) compatibility, which is the same technology used for mobile payment systems like Apple Pay and Google Pay. Instead of dipping, these cards can be tapped at POS terminals.

Chip cards that support both dipping and tapping are referred to as “dual interface cards.” Internationally, contactless has gained significant momentum over the last several years with dual interface cards responsible for a large percentage of the transaction volume. Issuers in the US are just beginning to provide cardholders with dual interface cards, but given the speed and convenience of tapping, merchants and customers can both expect to see more NFC-enabled cards in the not too distant future.

How can the customer experience be improved at the terminal?

Consumers who are unfamiliar with the EMV chip card process may insert their card and then immediately try to remove it from the reader, or they may forget that their card is in the reader and leave it behind. Merchants should be prepared for a potential increase in the number of cards left behind by customers.

Cardholder prompting on the terminal is key to ensuring a smooth checkout experience. A clean display layout with simple prompts can help guide the cardholder through the experience. Eliminate unnecessary prompts where possible.

One way to reduce the number of cards left in terminals is to not print the receipt until after the card has been removed from the card reader. Another option is to have the terminal to produce an audible beep when the card should be removed. Training employees on new chip processes is perhaps the most critical element to ensuring a smooth customer experience.

Will the magnetic stripe reader eventually be removed from chip terminals?

For the foreseeable future, magnetic stripe readers will continue to be a feature on chip-enabled terminals. This allows the terminals to continue processing transactions from the existing base of magnetic stripe cards in the market and also support fallback transactions.

Do chip transactions take longer to authorize than magnetic stripe transactions?

As mentioned above, consumers and merchants may perceive standard chip transactions as more time-consuming than traditional swipe transactions. The actual transaction time is dependent on factors such as how the issuer personalized the card and how the terminal is configured. However, techniques like quick chip can improve both the perceived and actual speed of the transaction.

What is “Quick Chip” and how can it benefit my business?

Quick Chip (known as M/Chip Fast for Mastercard) is an approach to processing chip transactions that reduces the amount of time the card is in the terminal. The brands’ Quick Chip solutions employ two key functions to accomplish this reduction:

  •   A “placeholder” or pseudo transaction amount is provided to the card as soon as it is inserted into the terminal. This allows the card to create the dynamic data for the transaction without having to wait for the actual amount of the transaction to be known. For the cardholder, this means that the card does not have to sit in the terminal while their items are being rung up, or that the cardholder is held captive by the terminal waiting for the prompt to insert their card.
  •   Once the card has created the dynamic data, the second function is invoked in which the terminal requests the card to “complete” the transaction so the card can be removed. In a typical online contact transaction, this is done after the response comes back from the issuer.

By using the Quick Chip technique, which is the same process used for contactless transactions, the card can be removed from the reader before the response comes back from the issuer. Solutions that are implemented using the Quick Chip process are able to reduce the time the card is in the terminal to less than a second in some cases. Merchants should be aware that PIN entry and prompting for features like cashback can impact the process and the time the card is in the terminal.

Does EMV chip processing require a PIN be entered on credit as well as debit transactions?

While PIN is now an option for credit as well as debit, none of the brands currently require PIN on credit transactions. The issuer will determine if a PIN is issued or not.

How does chip affect card payment acceptance fees?

Interchange, which represents the largest percentage of the fees paid for accepting card payments, is not affected by EMV chip processing.

Does enabling chip card acceptance eliminate the need for end-to-end encryption or tokenization?

No. Chip cards do not encrypt the transaction data (including the account number), so encryption and tokenization are still valuable tools in securing payment data.

Does EMV apply to online payments?

Online payments are currently not within the scope of EMV chip processing. Since there is no card-terminal interaction, no dynamic data is created. However, as mentioned earlier, EMVCo initiatives also include the next generation of 3D Secure and tokenization as well as newer concepts like Secure Remote Commerce to help secure online transactions. For now, cardholders are able to use their chip cards for online payments as they do today.

How do chip cards work with tablet-based POS systems?

To make chip cards work on tablet-based POS systems, a wired or wireless PIN pad (WPP) that can read chip cards is required. Additionally, Near Field Communication (NFC) for wireless will need to be activated on the tablet.

Are there different rules for ATMs and gas stations?

Yes. Because of the cost of upgrades and other factors, dates for the liability shift were extended for automated fuel dispensers (AFD) and ATM machines.

The Mastercard ATM EMV liability shift took place in October 2016, while Visa and the other major card brands gave ATM operators until October 2017 to become EMV compliant. The liability shift for Automated Fuel Dispensers was also originally set for October, 2017. In response to industry feedback about the challenges of EMV upgrade/replacement efforts, the liability shift for AFDs was moved to October 1, 2020.

Will chargebacks increase if I don’t upgrade to EMV?

Very likely, yes. Without EMV technology, fraud chargebacks are going to increase over the coming years. The reason is fairly simple to understand: fraud is a booming business.

Fraud brings big costs to small businesses. If you haven’t upgraded to EMV-compliant terminals and a counterfeit card is used fraudulently, first you must refund the charges to the cardholder. Then there’s the chargeback fee. Add the loss of the item that went out the door with the fraudster. Don’t forget the time, expense and hassle of managing chargebacks. It all adds up.

Implementing an EMV capable terminal or POS system is a great way to avoid the coming influx of chargebacks. There is a variety of EMV solutions on the market today and more to come as POS developers continue to innovate to provide enhanced solutions with added value like built in encryption and tokenization.

Is EMV implementation mandatory?

No, but the benefits are great for most merchants. When determining the best timing for implementing an EMV solution, merchants should consider the following:

  •   How will EMV impact line speed?
  •   What is the total cost of implementation?
  •   What's the business’ current fraud chargeback liability?
  •   Does moving to EMV make sense in light of the potential business impact?
  •   Are there other security solutions available that can meet the business’ needs?
  •   How will payment transactions be protected without EMV?

 

Merchants should meet with their payments partner to learn about the EMV solutions available for their POS, as well as additional payment security measures. Whether it happens now or in the future, the goal should be to implement a secure, effective, and customer-friendly EMV chip acceptance experience.

 

 ©2015 - 2019 Worldpay, LLC and/or its affiliates. All rights reserved. Worldpay, the logo and any associated brand names are trademarks or registered trademarks of Worldpay, LLC and/or its affiliates in the US, UK or other countries. All other trademarks are the property of their respective owners.