Commentary
EMV’s impact on kiosk owners, part 1
The US trails other markets in converting to the more secure EMV protocol for equipment that accepts credit cards. Credit card brands have issued cards with electronic chips, but adoption of EMV compliant equipment has not kept pace with consumers.
May 1, 2017 by Kisha Wilson — Marketing Manager, SlabbKiosks
(Editor's Note: Credit card devices are required to have EMV-compliant systems that allow a reader to accept an electronic chip in order to prevent credit card fraud. This 2-part series explores the status of EMV compliance.)
How will kiosk owners be affected by EMV compliance? Will kiosk operators and possibly even manufacturers be adversely affected if they do not ensure their kiosks are EMV-enabled? To answer this, we need to take a step back and analyze exactly what being EMV-enabled means and what happens if a kiosk isn't upgraded to ensure that it is compliant.
What is EMV?
EMV is a global payment standard that was established by the major international credit card companies. The acronym stands for EuroPay, MasterCard and Visa. The standard relies on modern credit card manufacture that utilizes an embedded microprocessor chip. It replaces other card options that use the more commonly known magstripe or magnetic strip that stores data on the band of magnetic material found on the back of older cards. The magstripe cards have been proven to be less secure, as information on the magstripe can easily be retrieved and replicated, leaving the cardholder vulnerable to fraud.
Why it matters
EMV technology was introduced as an option that, along with other security measures, could decrease fraudulent credit card activity. Some of the benefits of the implementation of EMV technology include:
- Fraud prevention – EMV cards have been proven to prevent fraudulent transactions. EMV is nearly impossible to clone because the chip is tamper-proof, making counterfeit card fraud extremely difficult. This, along with other security features, are a huge deterrent to would-be fraudsters.
- Highly effective security features – There are several security benefits of chip card technology.
It uses a unique card authentication process that makes it more secure. This process includes a one-time cryptographic transaction code (cryptogram) for each transaction that is never replicated or reused. Because the cryptogram is dynamically created by the chip card on each transaction, the data cannot be copied to use on other card transactions.
Chip cards have built-in, sophisticated encryption that allows cardholder verification. There are four cardholder verification methods supported by EMV: offline PIN, online PIN, signature or no CVM.
Issuer-defined rules can be used to provide transaction authorization. The transaction can be authorized either online or offline (if offline authorization is supported by both the card and the POS. Card brand support in the U.S. varies.)
These security features complement other payment security standards such as point-to-point encryption or tokenization, providing an additional layer of protection for users.
Is it worth it?
How do we know EMV isn't more trouble than it's worth and that it's effective?
It is now a "choice" in name only. Most merchants who do not implement it are now liable for fraudulent transactions. Its effectiveness is already being seen in other countries such as the United Kingdom and Australia, that have already introduced it. Here are the facts and figures:
- 1.62 billion cards, 45 percent of the world's payment cards, have EMV chips. This does not include the US.
- 23.8 million terminals, 76 percent of the world's payment terminals, can accept EMV cards.
- As the European Union completed its migration to EMV in 2013, the region saw an 80 percent reduction in credit card fraud. During the same period, the US witnessed a 47 percent increase in credit card fraud.
- In Canada, "ebit" losses fell from a high of $142 million in 2009 to $38.5 million in 2012 – a 73 percent drop.
- In France, when EMV was implemented in 2005, counterfeit card fraud dropped by 91 percent while fraud from card theft fell by 98 percent.
Just imagine what effect it could have on the credit card fraud in the US.
A study conducted by Javelin Strategy and Research reported that the number of in-store credit card fraud victims reached 5.6 million in 2015, up from 5.4 million in 2014. Online/mobile fraud or "card not present" fraud reached 6 million in the US in 2015, up from 4.8 million in 2014.
Unfortunately, the present year doesn't look too promising for card fraud either. It is estimated that credit card fraud in the US reached $4 billion in 2016, up 12.5 percent from the prior year. This estimate could increase to as much as $10 billion between now and 2020 as fraudsters attempt to "cash in" before chip card technology becomes standard.
The study estimated that most of this fraud will be a result of stolen credit card numbers online and via mobile channels.
The other types of fraud could include application fraud — stolen/hacked information used to open new credit card accounts and thirdly, account takeover, where hackers use compromised data to log into consumer and business accounts online and siphon funds from them.
When broken down by transaction, Javelin's study stated that the average loss for existing cards was $980 in 2015, while the average for new account fraud — which accounts for 20 percent of all fraud losses — was $2,379.
Will it make a difference?
It is hoped that EMV implementation will reduce these figures. However, implementation has been a slow process so far, with approximately one third of the nation's retailers completing implementation as of December. This is a stark contrast to the amount of chip cards being issued – 65 percent of all US credit cards and 33 percent of US debit cards were issued with chips as of June, according to creditcards.com.
However, experts expect that once the majority of merchants (84 percent, according to Javelin) make the switch in the next three to four years, card security problems typically associated with magnetic swipe cards will greatly diminish.
But wait, three to four years? Wasn't the deadline October 2015?
What if you're not compliant?
The deadline, or the EMV liability shift date, was October 1, 2015, just over one year ago. It was the date selected by the card brands for merchants to upgrade their payment infrastructure to accept EMV chip cards to avoid liability for fraud from counterfeit cards made from EMV chip cards.
The liability, which prior to the deadline was borne by the issuer of the card (i.e., the bank or credit union) now shifts to the merchant or operator, who will now be responsible for paying any chargebacks resulting from fraudulent activity.
This is quite a huge change that could have great financial implications.
Last summer, merchants handling low-value payment card transactions caught a break when card issuers agreed to postpone the EMV liability for transactions under $25. This includes many kiosks and vending machines.
However, when the liability grace period ends, merchants that have not deployed EMV-compliant systems will once again face chargebacks.
Part 2 will address what you need to do as a business owner, kiosk operator or manufacturer.
