What You Need to Know about the Switch to EMV Payment Cards
The time-honored tradition of swiping a credit or debit card is being replaced by the “chip and dip” as the U.S. prepares to shift from magnetic strip payment cards to Europay, MasterCard and Visa (EMV) cards. EMV cards with small computer chips are “dipped” into payment terminals and removed when the transaction is complete. The deadline to switch to EMV cards is October 1, 2015. Although the transition began years ago, there has been a greater sense of urgency to speed up the process due to the rash of high profile security breaches.
EMV cards use transaction authentication technology to protect consumers against fraud. Traditional cards store data in magnetic strips. This data can be stolen, copied and used to make purchases or sold to the highest bidder. However, the computer chip in an EMV card creates a one-time, random code for each transaction. If someone stole the code and tried to make another purchase, the card would be denied. While most security mechanisms focus on preventing unauthorized access, EMV cards focus on making sure criminals have nothing of value to steal.
Although October 1 is less than two months away, a report from Javelin Strategy and Research estimates that up to three-quarters of merchants won’t make the deadline. When the study was conducted, most small merchants hadn’t even heard of EMV. That is expected to change as consumer awareness increases and credit card companies begin to apply pressure on merchants to make the switch. However, most merchants will not be ready by October 1, and the consequences could prove costly.
Beginning in October, if someone tries to make a fraudulent purchase with an EMV card, and that purchase goes through because the merchant doesn’t have an EMV card reader that’s capable of denying the card, the merchant will be liable. Technically, switching to EMV cards isn’t mandatory, but the liability shift is being used as a strong incentive. Also, the absence of EMV card readers could be viewed as a red flag to consumers who are well aware of widespread payment card security issues.
Merchants need to prepare by replacing traditional magnetic strip readers with EMV readers. Prices for EMV readers typically range from $30-$300, depending on the level of functionality you want. Your point-of-sale system may need to be upgrade, and employees will need to be trained to follow a new process for accepting card payments.
Despite the fraud protection delivered by EMV cards, merchants still need focus on staying compliant with Payment Card Industry (PCI) standards. EMV won’t protect a network infrastructure that uses unsupported Windows XP operating systems and outdated antimalware, fails to isolate cardholder data from the rest of the network, and allows unauthorized users to remotely access these systems. Employees who fail to follow best practices also put their employers and customers at risk. While EMV adds an important layer of authentication at the point of sale, PCI compliance on the actual point-of-sale devices and across the back end of the network is essential to protecting cardholder data throughout the transaction process.
Experts are predicting that attackers will ratchet up their efforts prior to the October deadline and look to exploit other vulnerabilities during the transition to EMV. For example, EMV cards offer no additional protection for online transactions. Let ICG help you manage this change, keep your network secure and PCI compliant, and minimize the risk of fraud.