If they haven't heard already, brick-and-mortar retailers are going to be hearing the term "EMV" a lot more in the coming months. As payment card issuers continue to roll out their newer, more secure cards containing a data-encrypting chip, merchants are feeling the pressure to upgrade their point-of-sale (POS) terminals to make sure they're up to date with EMV technology.
As with any widespread technological update, many businesses may hear confusing or conflicting information regarding how the changes will affect them. Business News Daily spoke with security and payment industry experts to get to the bottom of five common beliefs (and misbeliefs) about EMV.
Myth 1: EMV will make credit card transactions completely safe and secure.
While the new chip-and-pin cards do help to reduce fraud with their data-encryption methods, EMV is by no means a "silver bullet" solution that will secure each and every transaction your business processes. Andrew Avanessian, executive vice president of technology and consultancy services at security firm Avecto, said that while EMV will help to secure systems at the point of sale, there are plenty of other ways that businesses can be breached. [EMV: What Small Merchants Need to Know]
"For instance, companies gather and store information like names, addresses and credit card information," Avennessian said. "Even with EMV, this data is still available to fraudsters and can be exploited through sophisticated malware exploits. Because these other security holes will continue to exist, EMV will need to be complemented with additional security measures."
Similarly, a recent study by Experian found that only 53 percent of businesses believe the new chip-and-pin system will decrease their risk of suffering a breach.
"In-store fraud [may go] down with the advent of EMV, but online fraud has gone up," said Michael Bruemmer, vice president of consumer protection at Experian Consumer Services. "It's not a panacea where chip-and-pin takes fraud down to zero."
Myth 2: Merchants are required by the government to upgrade to EMV-enabled systems by October 2015.
Last year, President Obama announced that payment card providers must issue secure chip-and-pin cards to their customers by October of this year. At that point, liability for fraudulent transactions will shift from the credit card provider to the merchant, if the merchant hasn't upgraded their system to read EMV-enabled cards.
According to a new report by POS system provider Lightspeed, 45 percent of retailers are poised to miss this deadline, either because they don't understand the new rules around EMV or they don't want to spend the time or money upgrading their system. But contrary to a common misconception, the government's October deadline only applies to card issuers — merchants are not required to upgrade their systems by then, although they would be smart to if they wish to reduce their own liability.
"A lot of people think EMV is a government regulation or mandate, but it's not," said Chester Ritchie, senior vice president of payment-processing company Worldpay. "It's owned by EMVCo, a joint venture owned by major credit card brands [Europay, MasterCard and Visa]. They dictate what EMV is, when [liability shifts] are mandated, who it applies to, etc."
Ritchie also noted that EMV upgrades are not a requirement for complying with the new PCI 3.0 security standards, but merchants who process a large percentage of EMV-enabled transactions may receive a waiver on other PCI requirements if they have an upgraded system.
Myth 3: EMV upgrades are expensive.
Verdict: True (but it doesn't have to be).
One of the primary reasons small merchants are hesitant about upgrading their POS terminals is because it will be a strain on their already limited budget. Sushil da Silva, a co-founder of cloud-based retail platform Highline, said that retailers with legacy software that's a decade or more old, the upgrade likely will be expensive, but it may not be if you make the right tech choices. Many companies are currently offering trade-in or reduced-price incentives to get EMV-enabled systems into more stores, and merchants who already use newer cloud-based systems like Highline's will have a much easier time upgrading, he said.
"For customers with modern systems ... it's essentially free," da Silva said. "It's as simple [as downloading] a new app, reinstalling it and turning it on."
Myth 4: Merchants with a small volume of transactions don't need to upgrade their systems.
Some smaller merchants may believe that there is no particular rush or even a need to convert their POS terminals because their average transaction value is small, said Jackie Barwell, director of fraud product management at ACI Worldwide, a banking-and-payments-solutions provider. However, fraud targeting tends to migrate to systems that are less secure, meaning that merchants who have yet to convert will likely be the next victims of a breach.
"Fraud patterns [in the U.K.] showed that, as merchants migrated their POS terminals, domestic face-to-face fraud began to fall substantially, but only bottomed out to a consistently low level once full compliance was achieved," Barwell told Business News Daily. "This says two things to me — that fraudsters continued to find ways to [use] counterfeited cards ... terminals they learned were yet to be upgraded to EMV compliance, and they didn't move away from attempting that until full compliance was met across all POS terminals."
Myth 5: U.S. merchants will increasingly shift to EMV after the October deadline.
Verdict: Likely true.
There's been some debate among experts about how quickly retailers will adopt EMV technology. Will every single U.S. merchant upgrade to EMV-enabled systems? Probably not. But will more of them upgrade in the coming months and years? Ritchie believes they will.
"We expect less than 50 percent of merchants to have EMV [technology] by the deadline, but right after that, as customers continue to receive EMV cards, they'll be aware that their information is more secure," Ritchie said. "As non-EMV merchants experience more fraud, customers will demand it because fraud is too much to bear."
If you're unsure of what you need to do to make sure your store is up-to-date with its POS technology or what the EMV fraud liability shift means for you, Bruemmer advised speaking with your local bank and/or payment card processor to understand how and when you can implement this new technology.