In 2015, the main credit card brands released the EMV Compliance standard to shift the liability from banks that issue branded credit cards onto non-compliant merchant organizations. To succinctly explain, EMV, or “Europay, Visa, and Mastercard”, compliance is the global standard for organizations to issue credit cards (including branded “debit cards”) that are equipped with Chip/PIN technology, which can be used to authenticate chip transactions on payment terminals. This standard was put in effect to transfer the liability of credit card fraud from the bank to the merchant. One thing that should absolutely be kept in mind is that EMV is not mandatory for any merchant organization. The EMV standard impacts the merchant organizations who process card-present transactions, because a payment terminal needs to accept Chip/PIN enabled credit cards. If a merchant organization chooses not to implement EMV-compatible payment terminals, then the risk and financial liability of any credit fraud resulting from their customer transactions remains with them, rather than with the card issuer or card brand company.
Prior to the release of the EMV compliance standard, the bank that issued a customer’s credit card would take on the liability and risk of financial fraud, but the new EMV compliance standard allows any fraudulent charge to be issued to the customer. So, without EMV payment terminals in place, a merchant is likely to be on the hook for refunding customers if they’re victims of financial fraud resulting from a payment interaction. In other words, the party who has made the investment in EMV deployment will be protected from financial liability for card-present counterfeit fraud losses. But if both the bank and the merchant are EMV-compliant, or neither of them is, the liability for financial fraud remains the same as it was in the good ol’ days, before the EMV standard.
For example, if a merchant has EMV-compliant POS terminals and the customer's bank does not issue EMV cards, the customer's bank would be liable for the fraud. Conversely, if the merchant does not have EMV-compliant POS terminals, the merchant and/or the acquirer would be liable for fraudulent transactions if the customer who has been defrauded had a chip card.
Core Facts About Compliance with EMV
- Obviously, EMV compliance relieves the financial burden of fraud liability for a merchant organization. If you're a small- to medium-sized merchant who accepts card-present transactions, you should invest in EMV. It may be more expensive in the short run, but the investment will serve both to beef up the organization's payment security and to reduce the organization's overall liability burden to customers who fall victim to financial fraud.
- EMV technology encrypts cardholder data on the integrated circuit chip on the card, which helps prevent skimming and scanning theft when the card is inserted into a payment terminal.
- However, EMV technology is an authentication technology and should not be confused with an encryption technology. On its own, EMV in no way protects cardholder data on a merchant’s system. It is a technology that enables the EMV payment terminal to challenge the authenticity of the card, because the chip generates a unique authentication number/identifier. Only if EMV is paired with a Point-to-Point Encryption (P2PE) payment terminal can an organization reduce liability while also protecting cardholder data. If the EMV terminal a merchant adopts is not P2PE, they are still fully on the hook for ensuring the safe processing, transmission, and storage of cardholder data.
- Chip/PIN and Chip/Signature are not the same. The U.S. allows for the use of Chip/Signature in lieu of a Chip/PIN combination. However, the Chip/Signature combination does not make the card more secure and does not reduce the risk of fraud; only Chip/PIN delivers those benefits of adopting EMV-compliant terminals.
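The distinction drawn above (EMV authenticates the card, it does not encrypt the cardholder data) is easy to see in code. The following is an added illustration, not code from the original post or from any EMV specification: the chip answers the terminal's challenge with a keyed MAC (a deliberately simplified stand-in for the real EMV application cryptogram), the issuer verifies it, and the authorization message still carries the PAN in the clear unless the terminal also applies P2PE-style encryption. All keys, the test PAN and the toy keystream cipher are constructed for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample values for illustration only; nothing here is real card data.
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # secret shared by chip and issuer (constructed)
P2PE_KEY = bytes.fromhex("ffeeddccbbaa99887766554433221100")  # terminal/processor encryption key (constructed)
TEST_PAN = "4111111111111111"                                  # industry test PAN, not an account


def card_cryptogram(card_key: bytes, pan: str, amount_cents: int, nonce: bytes) -> bytes:
    """Chip side (simplified): a MAC over the transaction data and the terminal's
    challenge, so the value is unique per transaction. This is a stand-in for the
    EMV application cryptogram; the real derivation is different."""
    msg = pan.encode() + amount_cents.to_bytes(8, "big") + nonce
    return hmac.new(card_key, msg, hashlib.sha256).digest()


def issuer_verify(card_key: bytes, pan: str, amount_cents: int, nonce: bytes, cryptogram: bytes) -> bool:
    """Issuer side: recompute the expected value and compare in constant time."""
    expected = card_cryptogram(card_key, pan, amount_cents, nonce)
    return hmac.compare_digest(expected, cryptogram)


def keystream_xor(key: bytes, label: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher (HMAC-derived keystream) standing in for the terminal's
    P2PE encryption. A real deployment uses a standardized cipher inside a
    PCI-listed P2PE solution; this exists only so the example runs offline."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, label + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def build_request(pan: str, amount_cents: int, nonce: bytes, cryptogram: bytes,
                  p2pe_key: Optional[bytes] = None) -> dict:
    """Terminal side: the authorization message sent upstream. EMV contributes only
    the cryptogram; the PAN travels in the clear unless the terminal encrypts it."""
    pan_field = pan.encode() if p2pe_key is None else keystream_xor(p2pe_key, nonce, pan.encode())
    return {"pan": pan_field, "amount": amount_cents, "nonce": nonce, "cryptogram": cryptogram}


def run_transaction(amount_cents: int, p2pe: bool) -> dict:
    """One chip transaction end to end; returns the facts worth checking."""
    nonce = os.urandom(8)                      # terminal's unpredictable number (challenge)
    crypt = card_cryptogram(CARD_KEY, TEST_PAN, amount_cents, nonce)
    req = build_request(TEST_PAN, amount_cents, nonce, crypt, P2PE_KEY if p2pe else None)
    # The processor holding the P2PE key recovers the PAN; the issuer then checks the cryptogram.
    pan_upstream = req["pan"] if not p2pe else keystream_xor(P2PE_KEY, nonce, req["pan"])
    return {
        "pan_in_clear_on_wire": req["pan"] == TEST_PAN.encode(),
        "cryptogram_valid": issuer_verify(CARD_KEY, pan_upstream.decode(), amount_cents, nonce, crypt),
        # A captured cryptogram does not authorize a later transaction: the challenge differs.
        "replay_valid": issuer_verify(CARD_KEY, TEST_PAN, amount_cents, os.urandom(8), crypt),
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("P2PE" if mode else "EMV only", run_transaction(1999, p2pe=mode))
```

Running it shows the point of the bullet: in both modes the cryptogram verifies and a replayed cryptogram fails, but only in the P2PE run is the PAN absent from the wire. The authentication check and the confidentiality of the account number are separate controls, and the second one is the merchant's responsibility until a P2PE terminal takes it over.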
Greater Security, but with an Important Caveat
EMV-compliant cards increase the physical security of credit cards for both the customer and the merchant for two key reasons. First, the integrated circuit chip is specifically designed to be incredibly resistant and difficult to clone, which helps prevent counterfeiting. The second reason is that without the full combination of the chip and the verification PIN, a stolen credit card can be rendered useless. However, there is a caveat to this, because it’s not applicable to a merchant organization that defaults back to accepting magnetic swipes or the Chip/Signature combination as operational standards. If an organization defaults back to either of those, the second benefit of adopting EMV-compliant payment terminals becomes moot.
Attaining EMV Compliance
If you’re a merchant, and you’ve recently become aware that you are not EMV compliant, and you don’t know where to start, there are a few steps I can recommend to help initiate the process.
- Perform a cost/benefit analysis and evaluate the impact a transition would have on your business. You will need to determine the resources, including personnel training and the budget necessary to transition to EMV-compliant payment terminals before jumping on the EMV train.
- Talk with your acquiring bank. Ask if they have programs to assist customers with the transition to EMV-compliant terminals, because the card brands have been offering incentives to acquiring banks to help speed up the transition since 2015. Also verify whether or not the acquiring bank has any additional requirements in place for their customers to become fully EMV-compliant.
- Read the contract that you have with your acquiring bank and verify that it addresses the liability shift of compliance with the EMV standard. You will want to know what responsibility and liability you will bear if you choose to deploy EMV-compliant payment terminals or not, and the liability the acquiring bank will accept in either scenario.
Does EMV Affect PCI Compliance?
This is the most common question regarding the EMV standard, because PCI compliance is a hefty and complex set of requirements merchants face today. PCI Compliance mandates the procedural and technical standards with which organizations who store, process, or transmit cardholder data must comply. While both the EMV and PCI standards are the brainchildren of our friendly, global credit card brands, and it seems that compliance with one would significantly impact the other, they are wholly independent of each other and serve two distinct purposes.
The only PCI implication of moving to EMV-compatible technology is the audit and breach penalty relief offered by card brands. If more than 75% of a merchant's transactions originate from EMV-compliant payment terminals that support both contact and contactless transactions, most card brands offer some relief from PCI DSS audit requirements (you still need to be PCI compliant) and decrease the financial penalties associated with a credit card breach.
If you would like to delve more into the relationship between PCI and EMV, you’ll want to check out this blog post by Vince Fusco, TRUE’s Director of PCI Services.