In October 2015, U.S. banks began integrating EMV, or Chip cards, into the credit/debit card system. EMV, or “Europay, MasterCard, Visa,” is a standard developed for chip cards that includes safety protocols to protect data. Now, over a year after the initial EMV integration, magnetic stripe cards are being phased out, and businesses are being pushed to switch to the new technology. Logically, this switch raises security as well as fiscal concerns for small business owners.
However, like many other technologies, EMV chip cards are an improvement on their predecessor. The cards offer better data security, more control over offline purchases, and actually reduce risks in most cases. However, there are considerations and potential risks that you must keep in mind and safeguard against as well.
The Difference Between EMV Chip Cards and magnetic stripe Cards
Most of us are accustomed to magnetic stripe cards, commonly called Magstripe cards. We’ve been using them for decades, but these cards are very simple and full of security risks. Magnetic stripe use the same technology used to put music on cassette tapes, which means that data on the card can only be updated once, and means the card is very easy to copy or counterfeit. Stealing credit card data from magnetic stripe cards is easy and extremely common, as thieves only have to swipe the card in order to steal it.
EMV cards feature a small metal square on the front of the card. This square is a contact plate, which connects to a small microprocessor chip with an RFID (Radio Frequency Identification) tag. When the contact plate touches an EMV compatible reader, the reader transfers power to the card, allowing the microprocessor to communicate data, including accessing bank information, making payments, checking a balance, or making a purchase. In some cases, this will also include an NFC (Near Frequency Communication) chip, which allows for contactless payment. More importantly, because the chip communicates with the bank, it can more easily verify that the card is legitimate, preventing easy copying and reproduction of the card.
Benefits of EMV
EMV cards offer a number of advantages over magnetic stripe cards including security, speed, and point to point encryption.
- Security Protocols – EMV chip cards store security protocols which protect data from theft. The most important of these protocols is the creation of unique transaction codes that are only valid once. This means that the common technique of stealing data using a card skimmer in an ATM or fake ATM does not work, because transaction data only works for that purchase. This process is known as Dynamic Data Authentication (DDA), which uses paired authentication keys for every transaction. Because this data is on the card and never shared, a hacker can never steal it.
- P2PE – EMV cards use P2PE, or Point-to-point encryption, which is a PCI-certified form of end-to-end encryption (also known as E2EE). Data is encrypted as it enters the Point of Sale terminal and decrypted by the payment processor. This reduces cybersecurity risks for business owners, because in the event of a breach, any data that is stolen by hackers will be encrypted and difficult to use.
- Pin – While Magstripe relies on the consumer’s signature to verify identity, EMV cards often use a pin code which is more difficult to emulate, and prevents the card from being used if it is not correct. Chip and signature cards are also popular, but are less secure.
- Tokenization – In some cases, chip and pin cards also use tokenization, or two-step identification, for online purchases. This reduces the risk of data being stolen online, and ensures that stolen data is less usable.
- Speed – RFID is about 53% faster than Magstripe, allowing you to process payments more quickly.
Overall, EMV offers significant advantages over Magstripe in that it is more difficult to steal data, and more difficult to use data when breaches do occur. In October 2016, a year after integration began, merchants saw a 43-54% reduction in counterfeit fraud costs, thanks to the difficulty of stealing chip cards. Because more than 70% of all credit card fraud involves counterfeit cards, and MasterCard has historically seen a 77% increase in fraud year over year, this drop is unprecedented.
The Challenges of EMV Chip Technology
While EMV cards offer more data security and reduce the risk of fraud, many small business owners do have concerns over integration.
- New Readers – The primary concern for many small businesses is the cost of integration. You must invest in new Point of Sale devices or readers to become EMV compliant and, for a small business with a tight budget, this can be daunting. However, readers are a relatively low-cost investment, typically starting in the double digits. For more complex, integrated systems, the cost can range in the thousands of dollars. It pays to do some research to find the system that fits your operation and your budget.
- Testing and Certification – Integrating EMV means meeting standards, which requires testing. EMV certification includes three levels of testing, the first two of which are typically performed by the Point of Sale or reader manufacturer. The third will be your financial responsibility and requires that the Point of Sale be tested for every type of purchase and security issue. This approval can take 4 to 8 weeks, and will likely cost $500 or more. However, you can speed up the process using the U.S. EMV VAR Qualification Program, which helps you pre-qualify your business before you get started with the certification program.
- Liability Shift – The primary concern for small business owners should be the cost of not having EMV, rather than the costs involved with integrating it. In fact, by not integrating EMV technology, you are putting yourself at risk, and are making yourself liable for card fraud. While the impact of stolen funds typically falls on the payment processor, changes on October 1,st 2015, make the least EMV-compliant party liable for the fraudulent transaction. This means that if someone with an EMV card uses it at your business and their data is stolen through magnetic stripe because you are not EMV compliant, you are liable for the stolen funds. While this liability shift is important, many retailers remain unaware of it, and continue to maintain magnetic stripe-only point of sale systems. One important note. Importantly, you are not liable for any fraud relating to online purchases.
The Payments Security Task Force estimates that 98% of all cards in the United States will be chip enabled by the end of 2017. This makes EMV integration even more important, as cards with dual Magstripe and chip and pin capabilities are now being phased out as well. By not integrating EMV, you make your business liable for related fraud and reduce the security of your Point of Sale transactions.
If you are concerned about the security of your credit card transactions and data storage, or want to know more about how EMV will impact the security of your business, a Threat Sketch risk assessment can help. Visit our site to learn more about your business security risks and what you can do to prevent them.
About the Author: Brandy Cross is a freelance writer specializing in technology and marketing solutions for SMBs, with experience writing for everyone from startups to Fortune 500s.