According to a poll conducted by Newtek Business Services Corp in February 2015, 71% of business owners were not aware that Visa and MasterCard will hold the merchant responsible for credit card fraud if they do not have EMV (Europay, MasterCard, and Visa) implemented by October 2015. The poll also shows that 81% have not yet upgraded their POS terminals to accept EMV or Apple Pay. Merchants who are unaware of the details of the liability shift and EMV transition will get caught in the crossfire in the event of a data breach if they find themselves unprepared after October.
1. Lack of awareness
These surprising poll results can be blamed on a lack of awareness. In the United States, there hasn’t been a large push to educate merchants about the EMV transition. Many smaller merchants don’t even know what EMV is.
The EMV transition means implementing card readers that process EMV-enabled credit and debit cards. Once merchants understand this, they're often not enthused, because the EMV transition requires the purchase of new hardware. However, new hardware is vastly less expensive than the weighty cost of data breach consequences after October if you haven't implemented EMV card-reading technology.
2. EMV protects against card counterfeiting
EMV cards have a smart chip that stores cardholder data and makes it harder for counterfeiters to forge copies.
3. Tokenization protects stored data used for future or repeating payments.
When a card is processed, its data is sent to the POS system's processor to be tokenized. The token, not the actual card data, is what is stored for future transactions. What's critical is that tokens are unique to each merchant and each processor, rendering them useless to anyone else should a breach occur.
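The merchant-scoped tokens described above can be sketched as a small in-memory vault on the processor side. This is an added example, not code from the original article or from any processor; the `TokenVault` class, the merchant IDs and the test card number are assumptions, and it models a single processor only.

```python
import secrets


class TokenVault:
    """Hypothetical processor-side vault: maps random tokens to card numbers."""

    def __init__(self):
        self._by_token = {}   # token -> (merchant_id, card number)
        self._by_card = {}    # (merchant_id, card number) -> token

    def tokenize(self, merchant_id: str, pan: str) -> str:
        """Return this merchant's token for the card, creating it if needed."""
        digits = pan.replace(" ", "")
        if not (digits.isdigit() and 12 <= len(digits) <= 19):
            raise ValueError("not a card number")
        key = (merchant_id, digits)
        if key not in self._by_card:
            # Random value, so the token carries no information about the card.
            token = "tok_" + secrets.token_hex(16)
            self._by_card[key] = token
            self._by_token[token] = key
        return self._by_card[key]

    def detokenize(self, merchant_id: str, token: str) -> str:
        """Resolve a token, but only for the merchant it was issued to."""
        owner, pan = self._by_token.get(token, (None, None))
        if owner is None or owner != merchant_id:
            raise PermissionError("token not valid for this merchant")
        return pan


def demo():
    vault = TokenVault()
    pan = "4111 1111 1111 1111"   # constructed test number, not a real card
    t_a = vault.tokenize("merchant-A", pan)
    t_b = vault.tokenize("merchant-B", pan)
    repeat = vault.tokenize("merchant-A", pan)   # repeat payment reuses the token
    try:
        vault.detokenize("merchant-B", t_a)      # token taken from merchant A's store
        foreign_use_ok = True
    except PermissionError:
        foreign_use_ok = False
    return t_a, t_b, repeat, foreign_use_ok, vault.detokenize("merchant-A", t_a)


if __name__ == "__main__":
    print(demo())
```

The merchant stores only the `tok_...` value; the card number stays in the vault and is released only to the merchant the token was issued to.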
4. P2PE protects data while in the merchant’s system.
What is P2PE? Point-to-Point Encryption ensures that cardholder data is encrypted from when a customer taps or inserts their card all the way to the payment gateway. This makes access by criminal means pointless as all the hacker will have gleaned is encrypted data that cannot be read, thus protecting the customer and merchant from attack.
5. It’s not mandatory, but it will have costly consequences.
Once the liability shift happens and the EMV transition is complete in October of this year, merchants who are still using “swipe and signature” methods—without the EMV card option available at terminals—will be responsible for any data breaches that occur.
If the merchant has implemented EMV card readers, but the customer's bank has not issued an EMV card, the bank will be liable for any breach in data. If the merchant uses EMV card readers and the customer uses an EMV chipped card in the transaction and fraud still takes place, the card-issuing bank will again shoulder the liability.
It's critical for merchants, large and small, to educate themselves on what they need to do to prepare themselves for the EMV transition. The liability shift is coming whether merchants are prepared for it or not, and the best defense is a great offense.