By Mark E. Battersby / Published July 2015
There is a potential storm cloud on the horizon for many pressure cleaning contractors and businesses that either accept credit or debit card payments or use those cards for purchases. Ahead lies a so-called “liability shift,” where banks and card issuers plan to shift liability for fraudulent card transactions to those who are not ready for a new, more secure card.
Today, if a credit card transaction is conducted using a counterfeit, stolen, or otherwise compromised card, losses from that transaction usually fall back on the payment processor or issuing bank. After October 1, 2015, any business that doesn’t have an EMV processing device will find the banks will no longer be liable.
Although it is estimated that 40 percent of debit cards and more than 70 percent of credit cards that will be issued before the end of the year will employ the EMV technology, many pressure cleaning businesses, especially those with a relatively low volume of card transactions, may find the cost of upgrading to accept EMV cards could outstrip the potential future costs of fraud.
EMV—which stands for Europay, MasterCard, and Visa—is a global standard for cards equipped with a small, integrated circuit (or “chip”) that, along with the appropriate technology, is used to authenticate transactions. The EMV technology, often referred to as Chip and PIN, is widely used elsewhere in the world. Now U.S. card issuers are moving to this new technology both to protect consumers and reduce the cost of fraud.
For consumers, the switch means activating the new EMV cards and learning new payment processes. For contractors and businesses (the so-called “merchants”) and the financial institutions that process card transactions, it means adding new point-of-sale (POS) terminals, in-store technology, and internal processing systems.
The magnetic stripes on traditional credit and debit cards contain unchanging data, making traditional cards prime targets for counterfeiting. Whoever accesses the data on traditional cards has all of the sensitive card and cardholder information necessary to make a purchase. What sets the new generation of cards apart is a small, metallic square on the card.
Unlike the traditional, magnetic-stripe cards, every time an EMV card is used for payment, the card’s chip creates a unique transaction code that cannot be used again. As with magnetic-stripe cards, EMV cards are processed for payment in two steps: card reading and transaction verification. With EMV cards, however, it is no longer necessary to master a quick, fluid card swipe in the right direction. Chip cards are read in a different way.
Instead of going to a register and swiping an EMV card, customers perform “card dipping,” inserting the card into a terminal slot. When an EMV card is dipped, data flows between the card chip and the issuing financial institution to verify the card’s legitimacy and create the unique transaction data. This process isn’t as quick as a magnetic-stripe swipe.
A signature or a PIN will still be required for card transactions, but which one will depend on the verification method tied to the EMV card, not on whether the card is debit or credit. Fortunately, card dipping is not the only option.
A pressure cleaning business can continue processing cards with the magnetic stripe and ignore the EMV technology. No business will be lost since most cards will still have a magnetic stripe as backup. The only difference, an extremely important difference, is that starting in October 2015 the pressure washing business may be liable for any counterfeit or fraudulent card transactions, the so-called “liability shift.”
According to at least one expert, if a hacker stole the chip information from one specific point of sale, typical card duplication would never work because the stolen transaction number created in that instance wouldn’t be usable again and the card would just get denied.
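A simplified model of the replay protection described above, added here as an illustration and not taken from the article or the EMV specification. It assumes an HMAC-SHA256 over a transaction counter as a stand-in for the chip's real cryptogram, and the card number, stripe data, and key are constructed values.

```python
import hashlib
import hmac

# Constructed demo values; not real card data.
PAN = "4000000000000002"
STRIPE_DATA = f"{PAN}=2512101000000123"  # static: identical on every swipe
CARD_KEY = b"demo-key-shared-by-chip-and-issuer"  # assumed shared secret


def chip_cryptogram(key: bytes, pan: str, amount_cents: int, atc: int) -> str:
    """Chip side: MAC over the transaction details and the chip's counter."""
    msg = f"{pan}|{amount_cents}|{atc}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


class Issuer:
    """Toy issuer that knows exactly one card."""

    def __init__(self) -> None:
        self.last_atc = 0  # highest chip counter accepted so far

    def authorize_stripe(self, stripe_data: str) -> bool:
        # Static data is all there is to check, so a perfect copy passes.
        return hmac.compare_digest(stripe_data, STRIPE_DATA)

    def authorize_chip(self, amount_cents: int, atc: int, code: str) -> bool:
        if atc <= self.last_atc:  # counter already used: replayed transaction
            return False
        expected = chip_cryptogram(CARD_KEY, PAN, amount_cents, atc)
        if not hmac.compare_digest(code, expected):
            return False  # code does not match these details and counter
        self.last_atc = atc
        return True


def run_demo() -> dict:
    issuer = Issuer()
    # What a thief could record at one point of sale: amount, counter, code.
    captured = (12500, 1, chip_cryptogram(CARD_KEY, PAN, 12500, 1))
    return {
        "genuine_chip": issuer.authorize_chip(*captured),
        "replayed_chip": issuer.authorize_chip(*captured),
        "old_code_new_counter": issuer.authorize_chip(12500, 2, captured[2]),
        "next_genuine_chip": issuer.authorize_chip(
            4000, 2, chip_cryptogram(CARD_KEY, PAN, 4000, 2)),
        "copied_stripe": issuer.authorize_stripe(STRIPE_DATA),
    }


if __name__ == "__main__":
    print(run_demo())
```

The copied stripe is approved because nothing about it changes between uses, while the recorded chip code is declined both when replayed as-is and when paired with a fresh counter.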
EMV cards can also support contactless card reading, often referred to as “near field communication” (NFC). Instead of dipping or swiping, NFC-equipped cards are tapped against a terminal scanner that picks up the card data from the embedded computer chip. Unfortunately, dual-interface cards and the equipment needed to scan them are expensive. So, currently, the emphasis is on successfully integrating EMV cards into the shopping process. Dual interface will arrive later.
Where no card is present, such as with online transactions, programs such as MasterCard’s Chip Authentication Program (CAP) and Visa’s Dynamic Passcode Authentication (DPA) allow EMV cards to be used for authentication. For an online transaction, the user inserts the EMV credit or debit card into a handheld reader. Once the user enters the PIN, the reader displays a one-time password, which can be used to validate the user’s identity. The user enters the password in the appropriate field on the pressure cleaning operation’s checkout page (or online banking site), and the password is passed back to the issuer for authentication.
An EMV-based payments infrastructure for mobile contactless payments has already been introduced in Europe. However, while continued growth is predicted in the U.S. for NFC-enabled mobile devices for contactless payments and other mobile applications, as with dual-interface equipment, it will be a while.
The Payment Card Industry Data Security Standard (PCI DSS) is a security standard that must be followed by everyone handling branded credit cards from the major credit card companies, such as Visa, MasterCard, American Express, and Discover, and by all merchants, whether large or small. The credit card companies have collectively adopted PCI DSS as a requirement for everyone processing, storing, or transmitting cardholder data.
Rather than focusing on a specific category of fraud, the PCI DSS was designed to protect cardholder and sensitive authentication data anywhere this data is present within the payment process, thus limiting the potential for hacking and fraud. When used together, EMV chip and PCI DSS will substantially reduce fraud and enhance payment security.
A key consideration for any pressure cleaning contractor or business adopting EMV cards is the so-called “liability shift.” Liability shift means that issuers (banks, credit unions, and any other financial institution issuing credit or debit cards) and merchants that continue to use non-EMV-compliant devices and accept transactions made with EMV-compliant cards will assume liability for any and all fraudulent transactions.
After the liability shift, if a pressure washing business is still using the “swipe and signature” methodology and the customer has a smartcard, the merchant is liable. If the business/merchant has the new EMV Chip and PIN technology, but the bank hasn’t issued the customer a Chip and PIN card, the bank is liable. If a merchant uses Chip and PIN technology on a customer’s smartcard and fraud still takes place, the credit card company bears the liability, as is the case today.
In other words, after the October 1, 2015, deadline created by major U.S. credit card companies, the liability for card-present fraud will shift to whichever party is the least EMV-compliant in the fraudulent transaction. Naturally, the capabilities of a business’s point-of-sale (POS) system will play a pivotal role in the success of the EMV card. Issuers can distribute EMV cards, but EMV’s fraud reduction benefits won’t be realized if merchants can’t accept the cards.
The upcoming liability shift means every pressure cleaning contractor and business will have to review their point-of-sale systems, including in-store hardware and software. The transition could prove easier for small operations, which may be able to move to EMV by simply adding a new, external PIN pad. But larger operations will, in all likelihood, have to invest heavily as they look to upgrade thousands of terminals and systems.
Although the upcoming deadline should be enough encouragement for all parties involved in processing payments to become EMV compliant as soon as possible, it is increasingly obvious that not everyone will comply by that date. While EMV compliance is required for credit card acquirers and processors, it is not mandated for merchants and processors. Of course, any contractor or business that is not in compliance by October 2015 will assume liability for any fraudulent purchases—a shift that is poised to drive many to adopt the new standards and avoid the risk.
As the new EMV card strategy was developing, many experts were saying that the only merchants who should think about getting EMV-compatible credit card terminals were those who already needed a new terminal. The consensus seemed to be that, as is the case with computers, the best time to get a new credit card machine may be tomorrow. The technology will only improve with time, making an upgrade now less important unless the business is already encountering a large number of chip cards.
But tomorrow may be today. Expert opinions notwithstanding, every contractor and business owner should protect themselves from fraud liability. The relatively small price of a new terminal may be worth the peace of mind it brings. Naturally, there is always the chance that no one will ever attempt to use a counterfeit chip card in your pressure cleaning business, but can you afford to gamble?