The Impending EMV Deadline
Today's post comes to us from Dennis Hoyt, President of Hoyt Treasury Services, LLC, a BDO Alliance firm that provides treasury consulting services to companies in the retail, restaurant, grocery and e-commerce sectors, among other industries. Dennis can be reached at DHoyt@HoytTreasury.com or 616-656-7770.
Earlier this year, I wrote a blog post discussing Europay, MasterCard and Visa (EMV), the new method for issuing and accepting face-to-face card transactions that aims to reduce credit card fraud. While the technology and its many benefits should be top of mind for businesses, perhaps even more important is the approaching deadline that U.S. retailers and restaurants face regarding their payment systems.
Beginning October 1, 2015, when any credit card fraud takes place, the liability for fraud will fall on the least EMV-compliant party (be it the merchant or card issuer). Therefore, to avoid a potentially significant increase in their liability, face-to-face retailers and restaurants will need to have payment terminals and systems in place that are capable of reading and processing EMV card transactions.
Why the new standard for liability? Essentially, the EMV process is considered the new gold standard of payment technology. Not only does it involve cards with a more secure computer chip, it also utilizes more robustly protected terminals and processing systems. Unlike magstripe cards, the new chip card contains data that are updated at check-out, when the card is inserted into an EMV terminal. With this secure system in place, the process will be more difficult to interrupt, and the card will be more difficult to counterfeit.
Along with reduced instances of card fraud, fewer data breaches and an increased sense of security for customers, the technology brings other benefits. For restaurants with EMV terminals capable of accepting both contact and contactless payments, if 75 percent of their card transactions originate from EMV terminals, they will be exempt from PCI DSS validation requirements each year (though they must still be PCI-compliant).
Additionally, virtually all new EMV platforms provide retailers and restaurants with the ability to accept contactless payments, which allow customers to pay via smartphone with Apple Pay and other similar payment methods. This is attractive to customers and allows businesses to stay ahead of this increasingly popular payment method.
The transition period begins this October and ends when all terminals and cards will be EMV-only—likely several years from now. During this period, terminals will accept both magstripe and chip cards, and cards will be issued with both magstripes and chips, which is referred to as “backwards compatibility.” And even though retailers and restaurants with EMV terminals that accept magstripe-only cards can still be victims of fraud, they will not be liable for the costs of fraud because of their EMV compliance. That being the case, we recommend businesses update their terminals sooner rather than later.
Still, even as magstripe cards are completely phased out, we don’t expect fraudsters to give up; in the near term, they’ll likely continue to use fraudulent magstripe cards at storefronts, while in the long term, they may shift more of their nefarious activity to the internet, a trend we’ve already seen in other countries.
A version of this post originally appeared on the Consumer Business Compass, the blog of BDO's Consumer Business practice.