Navigate the EMV Liability Shift Shift your POS payment system into high gear to improve customer experience and reduce payment risk. Info-Tech's products and services combine actionable insight and relevant advice with ready-to-use tools and templates that cover the full spectrum of IT concerns.© 1997 - 2015 Info-Tech Research Group
ANALYST PERSPECTIVE The future is here! Is your merchant POS payment system ready for the transition to EMV? EMV is here to stay. With fraud on the rise, and new issuer contract terms coming into play, it is time for organizations to embrace change. What is EMV? EMV is a global standard for credit and debit payment cards based on chip card technology. Direct fraud is on the rise. Along with it, the indirect costs associated with these issues are skyrocketing. Thus, as of October 1st 2015, acquirers have instituted new rules that stipulate that merchants will be responsible for any theft that results from non-EMV-enabled terminals interacting with EMV-enabled cards. With compliance, contactless payment trends, and fraud pushing organizations to change, now is the perfect opportunity to update your POS systems and take advantage of new payment technology trends. Larry Fretz, Practice Lead, Gaming & Hospitality Info-Tech Research Group
This research will guide you through the process of converting to an EMV-compliant payment environment CIO, VP IT Understand Europay, MasterCard, and Visa (EMV) Understand the ancillary benefits of EMV Reduce on-going PCI-DSS compliance scope and costs Reduce risk, complexity, cost, and time-to- market during your EMV migration project Implement EMV within your organization General Managers/VPs CFO/VP Finance COO CSO/CISO VP of Regulatory Compliance Protect your business from credit card fraud liability Modernize payment methods Improve the customer experience
Executive Summary As a CIO of a hotel, restaurant, or casino, you have to find an EMV solution for new liability rules that take effect on October 1st, 2015. This “liability shift” makes the non-EMV compliant party responsible for losses in the event of a compromise at the point of sale. As industries focus on customer service, it’s important to ensure that customers have a positive experience with payment technologies. Money that has been stolen from U.S. issuers, merchants, and consumers is on the rise. However, indirect costs are rising just as drastically. Moreover, reissuance costs are not factored into these statistics: the real cost of fraud may be 5 to 6 times greater. EMV provides a foundation for mobile contactless payments. EMV does not address Card Not Present (CNP) fraud. Take additional measures during implementation to strengthen your online and over-the- phone purchasing process. Integrate PCI-compliant solutions, end- to-end encryption/point-to-point encryption, and tokenization for a more secure transaction. Check your existing contract with your card issuer; if you have a pre-existing plan, your card issuer may not legally be able to force you to change. EMV is not a mandate – it’s a liability shift specific to counterfeit fraud and lost/stolen cards set by the card issuers. EMV impacts foreign travelers from countries who have already implemented EMV. Evaluate your customer base to gauge the impact. EMV is the first step to a multi-layered approach to protecting cardholder data upon swiping and then processing. Preparing for NFC payments (i.e.: Apple Pay and Google Wallet) is a part of selecting your EMV solution. Make a solid business case for your EMV project by articulating and supporting the value it creates to the organization. Define the organizational context for your EMV deployment and make sure your technical requirements can satisfy your business requirements. Carefully plan your project prior to deployment to reduce any roadblocks and issues associated with implementation.
CASE STUDY Executive Brief Case Study Industry Source Retail Mercator Advisory Group National U.S. Retailer This national retailer operates a number of business units. It also acts as an issuer of credit cards. EMV Initiative This organization partnered with its existing acquirer, Moneris Solutions, to customize a payment integration solution, and merge card networks, retail operations, and card operations for an enterprise-wide strategy. Through the process, the retailer upgraded 1,000 terminals across its businesses. Results The EMV Initiative led to a 70% reduction in charge-backs within the first year. Additionally, its security environment became easier to navigate and manage in order to maintain PCI compliance. The EMV Initiative Included: EMV-compliant and contactless POS terminals Payment Management System compatible with EMV-enabled terminals End-to-End Encryption (E2EE) Tokenization PCI-compliant systems Clerk Retraining Card-Not-Present Securitization
Update to an EMV-compliant payment system to avoid liability issues caused by market forces Compared to other G20 countries, the U.S. is a laggard in EMV deployment and contactless payments. Thus far, major merchants are the predominant U.S. users of EMV-compliant payment systems. 2012 2015 2013 2016-2017 Before 2012 1990 – EMV first developed to mitigate card-present fraud. 2005 – EU institutes EMV. 2011 – Canada begins integrating EMV. Oct. 1 – Merchant Relief for early POS adoption. April 1 – Acquirers’ and sub-processors’ deadline to process EMV payments. Dec. 15 – U.S. market begins considering higher payment security amid Target data breach. While other major economies transferred to EMV, the U.S. banking industry decided to embrace PCI DSS to secure magnetic stripe, a cheaper and altogether weaker solution. Oct. 15 – Liability shift for most merchants. Merchants who accept in-store payments may be liable for fraudulent transactions if an EMV card is presented but the merchant chooses to process the payment using the magnetic stripe. Dec. – Expected that 58% of general purpose credit cards are EMV compliant while only 10% - 15% of debit cards will be compliant. Oct. 1, 2016 – Liability shift for ATM owners & domestic cards. Oct. 15, 2017 – Liability shift for gasoline retailers.
Your liability risk exposure rises by 78% from 2015 to 2016 due to the difference in EMV terminals vs EMV-enabled cards Increased Risk Source: Mercator Advisory Group Info-Tech Insight Any transaction wherein an EMV-enabled card is used with a non-EMV-capable terminal results in the merchant being liable for fraud associated with that transaction.
Learn the difference between EMV and Magnetic Stripe transactions to gain deeper insight into EMV’s importance Chip and Choice Refers to four types of cardholder verification methods: Online PIN, Offline PIN, Signature, and None EMV Based on strong symmetric and asymmetric chip cryptography and elaborate key management. An important aspect of EMV is its use of dynamic data. Each transaction carries a unique “stamp” which prevents the transaction data from being fraudulently reused, even if it is stolen from a merchant’s or processor’s database. Dynamic data is only useful for the transaction it represents. EMV-compliant transactions are often referred to as "Chip and PIN" because it’s the method in use throughout the world and PIN entry is required to verify the customer is the genuine cardholder. EMV vs Magnetic Stripe Transactions Magnetic stripe cards typically track two pieces of data containing the card number and expiry date. Every chip card transaction exchanges dozens of pieces of information. This requires the terminal to perform many stages of processing that is more complex than stripe technology. Info-Tech Insight As gaming and hospitality industries focus on customer service, it becomes increasingly important to ensure that customers have a positive experience with payment technologies, regardless of the country they are in or from.
Understand your new acquirer contract terms to gain insight into the liability shift changes EMV card issuance has largely been driven by larger banks because cards cost approximately $3.50 to make and issue combined with the software preparation required to accept the new cards. October 1st, 2015: The party that is the cause of a contact chip transaction not occurring will be financially liable for any resulting card present counterfeit fraud losses. Does not include automated fuel dispensers (AFD). October 1st, 2015: MC ADC relief takes effect (100%). If at least 95% of MasterCard transactions originate from EMV-compliant POS terminals, the merchant is relieved of 100% of ADC penalties. MC liability hierarchy takes effect (excluding AFD). October 16th, 2015: American Express will institute a fraud liability shift (FLS) policy that will transfer liability for certain types of fraudulent transactions away from the party that has the most secure form of EMV technology. October 1st, 2015: Discover will institute an FLS. This FLS policy will be a risk-based payments hierarchy that benefits the party that leverages the highest level of available payment security. Info-Tech Insight The earlier you leverage contact chip transactions, the likelier you are to reduce fraud charge issues, and to mitigate problems associated with debugging and testing that could increase the likelihood of liability charges. However, check your contract with the issuer; if there are no terms regarding a liability shift, it cannot legally enforce any liability charges.
Make sure you understand under what circumstances you will be liable under the new acquirer contract terms The Merchant will convert to Chip acceptance OR accept liability for fraud. This shifts risk and liability from the Issuer to the Merchant. Current Magnetic Stripe Card Magnetic Stripe Terminal Issuer Liable 1234 5678 9032 5432 Info-Tech Insight If a guest or customer uses a faulty chip and PIN card with your chip terminal, you as the merchant bear the liability burden under the new contract terms if you choose to allow the customer to pay with a magnetic stripe and signature. Therefore, you have to choose between customer service and risk tolerance. Chip Card Magnetic Stripe Terminal Merchant Liable 1234 5678 9032 5432 1234 5678 9032 5432 October 1st, 2015 and Beyond Chip Card Chip Terminal Issuer Liable 1234 5678 9032 5432 Chip Card Card Not Present Merchant Liable
Increase your security by instituting the EMV-enabled chip and signature terminals Transaction Speed Up-Front Costs Operating Costs Magnetic Stripe and Signature Chip and PIN Chip and Signature Chip and PIN with Fallback Contactless Low High Medium Fast Slow Very Slow Info-Tech Insight Chip and PIN enabled cards protect against counterfeit cards, as well as lost and stolen cards. On the other hand, chip and signature cards do not protect against lost or stolen cards. Unfortunately, the higher security and speed comes with higher upfront costs, which may be balanced out by lower operating costs.
Info-Tech Research Group Helps IT Professionals To: Quickly get up to speed with new technologies Make the right technology purchasing decisions – fast Deliver critical IT projects, on time and within budget Manage business expectations Justify IT spending and prove the value of IT Train IT staff and effectively manage an IT department Sign up for free trial membership to get practical solutions for your IT challenges “Info-Tech helps me to be proactive instead of reactive – a cardinal rule in a stable and leading edge IT environment. - ARCS Commercial Mortgage Co., LP Toll Free: 1-888-670-8889 www.infotech.com