According to the Identity Theft Resource Center (ITRC), the number of data breaches in the U.S. reached a high of 783 in 2014. The ITRC also found that since 2005, there have been 5,029 reported data breach incidents, which involved more than 675 million estimated records.
There’s a lot of confusion about what exactly the EMV (Europay, Mastercard, Visa) transition will mean for merchants. Many are skeptical that EMV will really make that big of a difference in the way customer payment data is secured. EMV by itself isn’t an answer. However, it’s important to keep in mind that EMV is in the first stages of implementation in the United States. The liability shift in October of this year is only the beginning. Ensuring that your POS terminals are ready to accept the EMV payment option is just one small piece of the puzzle that the liability shift is trying to put together—greater data security.
1. Does EMV really enhance data security?
The chip in EMV cards makes it more difficult for thieves to counterfeit cards. The traditional magnetic stripe contains sensitive information that is easily replicable. Once data is stolen from a magnetic stripe reader (MSR), it can be copied and reused over and over again.
It is important to note that EMV doesn’t eliminate or reduce the chances of a data breach. What it does is make the gathered consumer data unusable. This is because the chip in an EMV card creates a unique transaction code every time it’s used for payment. If hackers steal the transaction code that was used once, that same code cannot be used again. The card would simply be denied.
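The one-time transaction code described above can be modeled in a few lines. This is an added example, not code from the original article or from any payment network: HMAC-SHA256 stands in for the card's real cryptogram algorithm, and the `Card`, `Issuer` and `demo` names and the card number are constructed for illustration.

```python
import hashlib
import hmac
import os

def _code(key, pan, counter, amount):
    # Stand-in for the chip's cryptogram: a keyed MAC over the transaction data.
    msg = f"{pan}|{counter}|{amount}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

class Card:
    """Simplified chip: the key stays on the card, the counter rises on every use."""
    def __init__(self, pan, key):
        self.pan, self._key, self._counter = pan, key, 0

    def pay(self, amount):
        self._counter += 1
        return {"pan": self.pan, "counter": self._counter, "amount": amount,
                "code": _code(self._key, self.pan, self._counter, amount)}

class Issuer:
    """Card-issuing bank: shares each card's key and tracks the last counter seen."""
    def __init__(self):
        self._keys, self._last = {}, {}

    def enroll(self, pan):
        self._keys[pan], self._last[pan] = os.urandom(32), 0
        return Card(pan, self._keys[pan])

    def authorize(self, txn):
        key = self._keys.get(txn["pan"])
        if key is None:
            return "declined: unknown card"
        expected = _code(key, txn["pan"], txn["counter"], txn["amount"])
        if not hmac.compare_digest(expected, txn["code"]):
            return "declined: bad code"
        if txn["counter"] <= self._last[txn["pan"]]:
            return "declined: code already used"
        self._last[txn["pan"]] = txn["counter"]
        return "approved"

def demo():
    issuer = Issuer()
    card = issuer.enroll("TEST-PAN-0001")        # constructed card number
    first = card.pay(2500)
    results = [issuer.authorize(first)]           # genuine purchase
    results.append(issuer.authorize(dict(first))) # same captured message again
    altered = dict(first, counter=2, amount=99900)
    results.append(issuer.authorize(altered))     # old code, new counter/amount
    results.append(issuer.authorize(card.pay(1200)))  # next genuine purchase
    return results

if __name__ == "__main__":
    print(demo())
```

Magnetic stripe data has no counter and no per-transaction code, so the issuer has nothing comparable to check when a copied stripe is swiped.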
2. If EMV doesn’t reduce the chances of a data breach, what’s the point?
It makes stealing customer card information less appealing to hackers. Additionally, EMV technology is compatible with encryption and tokenization, which do reduce the chances of a data breach.
Encryption: When card data is transmitted in plain text from the reader to the POS server, or the merchant’s central server, thieves are able to steal it. P2PE (Point to Point Encryption) protects consumer data throughout the transaction, from the point at which it is captured to the point it enters the server.
Tokenization: Tokenization improves the way in which customer data is stored in a merchant’s server. Instead of storing live credit card data, it replaces customer data with a value—a token—that is meaningless should it be stolen by hackers. These tokens can be used by merchants just like original credit card numbers to run sales reports and process returns. Many POS software vendors are including P2PE and tokenization capabilities in their software to further secure card data.
3. Are MSR readers still necessary?
Many merchants are also wondering if EMV technology renders their magnetic stripe readers obsolete. This is not the case. EMV is just an additional payment method at your point of sale.
4. What benefits are there in implementing more payment options at the point of sale?
That leads us directly to the benefit of multiple payment options at your point of sale. Many of the new EMV-ready POS terminals also offer NFC (Near Field Communication) readers. This allows your customers to pay with mobile wallet applications.
With the increasing popularity of mobile wallets such as Apple Pay for iOS and Google Wallet for Android, it is highly advantageous for merchants to offer their customers the option to pay with the mobile wallet of their choice. When customers are given choices, customer satisfaction improves, and when customer satisfaction improves, profits increase.
5. Who shoulders the liability after the October 2015 Transition?
Most merchants are also a little unclear on what the liability shift will mean for them come October. Outcomes will differ depending on whether or not you’ve implemented the EMV card option at your site.
If you are still using the “swipe and signature” method exclusively—without the EMV payment option available to customers—you will be responsible for any on-site fraudulent transactions that would have been prevented by EMV-enabled payments technology. However, if the merchant has implemented EMV card readers, but the customer’s bank has not issued an EMV card, the bank will be liable. If a data breach occurs when a merchant has EMV readers in place and the customer uses the EMV payment method, then the card issuing bank will again shoulder the liability.
The EMV liability shift marks a period of transition. While EMV alone won’t solve all of your security issues, it’s important to remember that it is simply a step in the right direction towards greater data security, benefiting both merchant and consumer.