What is EMV?

What is EMV?

Posted on 07.26.2016 by Brian Sweet under Compliance, Security

While still relatively new to the United States, Europay, MasterCard and Visa – more commonly known as EMV – is an important worldwide security standard for credit cards.

The History of EMV

EMV was first standardized in the early 90’s, but has seen several revisions since then. Its initial goal was to create a payment method that combats the many security issues that plagued the traditional magnetic stripe method. One of these issues included card skimming, where someone with a card skimmer can quickly swipe the card to immediately gain access to the card’s sensitive information. This information could then be transferred to a blank credit card, and used at will by a thief until the bank shuts down the credit card number.

How EMV Works

Compared to traditional magnetic stripe transactions, EMV works by storing encrypted financial card data within a microchip that’s integrated right into the credit card. This means that the card must be inserted into compatible payment terminals, as the terminal itself contains additional security that’s needed to successfully go through with a transaction. In addition to being inserted into a payment terminal, EMV transactions often require a PIN code or signature for authorizing a payment.

Where It’s Used

EMV-capable payment terminals are found around the world for many years, including retail stores, restaurants, collection agencies, and many other types of locations, but only over the past few years have been seen in the United States; driven by the liability shift that occurred on October 1, 2015. Since this change, merchants not using EMV payment terminals accept the risk and higher costs of any security breaches due to the lack of using the more secure terminals.

There are still some places in the United States that won’t be supporting EMV payments for another year or two. For example, fuel dispensers have until 2017 until their liability shifts. ATMs have until October of 2016. Until then, they are allowed to follow existing liability rules and regulations.

The Issues of EMV

It’s clear that the security benefits make shifting to EMV worthwhile, with more than 75% of US cardholders agreeing that the heightened security of chip cards can greatly reduce in-person fraud. However, consumers still see their downsides.

The most popular issue is that EMV transactions take additional time versus standard magnetic stripe swiping. In busy shopping seasons, this could mean longer lines. Fortunately, speed of EMV transactions have been increasing as more people continue to become aware of what it is so that they’re ready to insert their card into a reader. Alternatively, tap-to-pay payments via mobile phones with NFC could continue gaining momentum because of EMV cards.

A concern for merchants is that security breach liability now shifts to the party that is the least compliant. If your payment terminals aren’t EMV-ready, you would be considered the least compliant, and would therefore be liable for the security breach.

Because of the security benefits of EMV, thieves have been making online transactions their primary target, thus increasing card-not-present (CNP) fraud. Europe is a prime example of this, as after their EMV liability shift in early 2005 and 2006, card-not-present fraud increased by 79%.

Merchant Liability

As previously mentioned, the liability shift for US merchants occurred on October 1, 2015. If you are a merchant and still do not have EMV-capable payment terminals, you are currently at risk for very high damages should a data breach occur. It’s still not too late to equip your business with these terminals. Your merchant payment processor should be more than willing to get you what you need. Additionally, it’s possible to go straight to the maker of the payment terminals.

Merchants can also take advantage of payment processors that feature tokenization and hosted tokenization technology, allowing you to offset the shift in fraud. This works by replacing sensitive financial data with a random string of characters, called a token. The token is only useful to the merchant for transaction storage and during transmission. To a thief, the token is completely useless. Merchants who use hosted tokenization within their existing software can do so without the cost, time, or resources associated with PCI-DSS compliance and regulations. To learn more about tokenization, take a look at our infographic.