Yes, the EMV terminals certified by Vantiv, Comerica Merchant Services’ payment processor, will also have a magnetic stripe card reader.
Yes, for the foreseeable future credit and debit cards will be issued with a chip on the front of the card and the familiar magnetic stripe on the back of the card so that chip cards can be backwards compatible with existing non-EMV capable devices.
Since the customer has to leave their card in the terminal during the transaction, what can be done to reduce the number of cards forgotten in the terminal?
We recommend that merchants do not print the customer’s receipt until after the card has been removed from the card reader and/or program the terminal to produce an audible beep when the card should be removed.
EMV is an open-standard set of specifications that ensures functionality between smart chip cards and payment terminals. EMV originated as a joint effort among Europay, MasterCard® and Visa® to improve payment safety through better card security and improved standards. Today, EMVCo is owned by Visa, UnionPay, MasterCard, JCB, Discover and American Express. Payments industry organizations participate with EMVCo as technical and business associates. Worldpay is a business associate in EMVCo. Find more information at www.emvco.com.
The EMV “chip” is a secure microprocessor built into a card or other payment devices (e.g. mobile wallet on smart phone). The chip generates a unique number for each sales transaction, making it extremely difficult to use a cloned card fraudulently on a card-present transaction. Magnetic stripe cards use static cardholder data that remains the same for every transaction, which makes them attractive targets for theft, cloning and use in card fraud.
In addition to strong security features, chip technology includes other capabilities—like Near Field Communications (NFC) technology—which lets merchants accommodate both contact and contactless payments.
EMV chip cards are already well-established outside the US, particularly in Europe. Crime migrates to the easiest targets, which right now include the US. Upgrading to the EMV standard is anticipated to greatly reduce card fraud here in the US.
Beginning October 1, 2015, the major card networks agreed to shift financial responsibility for losses due to counterfeit card-present card fraud to the party using the least secure technology. Merchants that want to avoid this liability should implement EMV chip technology in their point-of-sale (POS) devices before the deadline.
Chip and PIN payment devices are deemed most secure for card-present transactions. Ask Worldpay if you need help making decisions about EMV POS device purchases.
Merchants who don’t use EMV capable—and enabled—POS equipment after October 1, 2015 will be responsible for card-present fraud losses in the following instances:
- Counterfeit EMV card: Visa, MasterCard, Discover and American Express move liability to the merchant
- Lost or stolen card: American Express, Discover and MasterCard move liability to the merchant; Visa keeps liability with the issuer
Please note a chip and PIN terminal provides the most secure transaction environment available today.
Card authentication, cardholder verification and transaction authorization processes are all enhanced with EMV. Specifically:
Card Authentication: Is the card real? Unique data for each transaction travels between the card, the POS device and the issuer to ensure authenticity. EMV transactions also create unique transaction data, making captured transaction data incapable of being used to execute additional, new transactions.
Cardholder Verification Method (CVM): This step validates the cardholder as the legitimate owner of the card, using verification parameters set up by the issuer. The issuer of the card determines which of the following four methods will be required for a particular transaction: online PIN, offline PIN, signature or no CVM required. EMV supports each of these four verification methods.
Transaction Authorization: Like today’s magnetic stripe transactions, transaction information is sent to the issuer for approval. What’s different is that a transaction-specific cryptogram (code) is also sent to the issuer, who then either approves or declines the transaction and sends a unique response cryptogram back to the POS device for the card to interpret and validate the transaction.
The dynamic exchange of information needed to execute each transaction provides the extra security missing from the static, old technology used in magnetic stripe transactions.
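The following added example (not from the original page or from Worldpay) models why a captured chip transaction cannot be reused the way static magnetic stripe data can. It is a simplified sketch: HMAC-SHA256 stands in for the real EMV cryptogram algorithm, and the class names, the per-card counter, the terminal nonce and the card number are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def _mac(key, pan, amount_cents, atc, nonce):
    # Stand-in for the EMV cryptogram: HMAC-SHA256 over the transaction fields.
    msg = f"{pan}|{amount_cents}|{atc}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

class ChipCard:
    """Toy chip: a per-card secret shared with the issuer plus a transaction counter."""
    def __init__(self, pan, key):
        self.pan, self._key, self.atc = pan, key, 0

    def sign(self, amount_cents, nonce):
        self.atc += 1  # the counter makes every cryptogram different
        return {"pan": self.pan, "amount": amount_cents, "atc": self.atc, "nonce": nonce,
                "cryptogram": _mac(self._key, self.pan, amount_cents, self.atc, nonce)}

class Issuer:
    def __init__(self):
        self._keys, self._last_atc = {}, {}

    def issue(self, pan):
        self._keys[pan] = secrets.token_bytes(32)
        return ChipCard(pan, self._keys[pan])

    def authorize(self, m):
        key = self._keys.get(m["pan"])
        if key is None:
            return "DECLINE unknown card"
        expected = _mac(key, m["pan"], m["amount"], m["atc"], m["nonce"])
        if not hmac.compare_digest(expected, m["cryptogram"]):
            return "DECLINE bad cryptogram"
        if m["atc"] <= self._last_atc.get(m["pan"], 0):
            return "DECLINE replayed counter"  # assumed issuer policy for this sketch
        self._last_atc[m["pan"]] = m["atc"]
        return "APPROVE"

def demo():
    issuer = Issuer()
    card = issuer.issue("9999000000000001")  # constructed card number, not a real PAN
    captured = card.sign(1250, secrets.token_hex(4))
    first = issuer.authorize(captured)                          # genuine transaction
    replay = issuer.authorize(dict(captured))                   # same message sent again
    altered = issuer.authorize({**captured, "amount": 99900})   # old cryptogram, new amount
    second = issuer.authorize(card.sign(500, secrets.token_hex(4)))  # next genuine use
    return first, replay, altered, second

if __name__ == "__main__":
    print(demo())
```

Static magnetic stripe data has no equivalent of the counter or the keyed cryptogram, so the issuer in this model would have nothing to distinguish a copy from the original.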
The Aite Group predicts 70% of US credit cards will be EMV-enabled by the end of 2015. It also predicts there will be 4.5 million EMV-capable payment terminals in the US market by the end of 2014, growing to nearly 7 million terminals by the end of 2015. (The Aite Group, LLC, is an organization that provides research and advisory services focused on business, technology, and regulatory issues and their impact on the financial services industry.)
- Improves transaction security for credit and debit card-present environments
- Creates common cardholder experience globally
- Supports multiple methods of cardholder verification (signature, PIN, etc.), providing flexibility of payment acceptance without
- Bundles emerging technologies–POS devices with chip technology are often grouped with NFC (contactless) and mobile; EMV adoption accelerates merchant capabilities to accept payments in new ways
Now. The Smart Card Alliance/EMV Migration Forum in May 2014 estimated chip cards in the US total between 17 and 20 million. It’s important for businesses to develop EMV POS equipment adoption plans now.
Review existing POS equipment or systems to learn if upgrades are possible or whether new EMV-compatible POS hardware must be purchased.
Standalone POS. The only job of a standalone POS is to authorize and clear payment card transactions, and it is the easiest EMV solution to implement.
- Is your POS device EMV compatible? (Does it have a slot for EMV cards? EMV-compatible terminals have a slot, typically located at the bottom of the terminal, into which the EMV chip card is inserted and read; this slot is different from the side swipe used with magnetic stripe cards.)
- If your POS is EMV compatible, will you need to schedule a service call to have EMV software installed or will a remote software download be available? (Ask your payment processor—which is Worldpay if we do your payment processing.)
- Worldpay’s standalone EMV solutions: POS VX 520 terminal and VX 680 wireless terminal. A remote EMV software download will be scheduled before the October 1, 2015, liability shift.
Integrated POS systems. Merchants using an integrated POS system should contact the independent software vendor (ISV) that supports the merchants’ business applications and POS system.
- Learn if the ISV has contacted the merchant’s payment processor (like Worldpay) to do EMV testing and certification
- The processor will inform ISVs or POS vendors what testing tools they will need to obtain before testing can occur
- Worldpay is currently working with its POS vendors and ISVs on testing and certifications for every currently certified POS method
- We anticipate Worldpay’s major certifications will be completed by the end of 2015. Worldpay will continue to work with all our supported ISVs to add EMV functionality as quickly as possible. In some instances, EMV support may not be available until after the October 1, 2015, deadline. Worldpay customers may contact a Worldpay representative to determine the exact roadmap of the POS system used at their location.
Some merchants connect to their payment processor through a payment gateway. Gateways used for card-present transactions will also need to undergo EMV testing and certification. Note that eCommerce payment gateways, which operate in a card-not-present environment, will not need changes for EMV.
Merchants should understand EMV-compatible POS device capabilities. POS devices that incorporate the EMV standard will be able to use up to four cardholder verification methods:
Determine if the new POS device that you’re considering will have contactless payment capabilities. Many POS devices bundle EMV-capable and contactless (NFC) payment features. This may allow you not only more secure transactions but also more ways to accept payments in the manner your customers want to pay.
The payment network rules do not require you to switch to an EMV card acceptance process; however, if you do not switch to an EMV card acceptance process by October 1, 2015, you will be held responsible for the costs associated with use of a counterfeit EMV card in a card-present transaction at your location.
We recommend that businesses upgrade their POS equipment to a version that is EMV “future ready.”
- For most merchants October 1, 2015, is the deadline for EMV acceptance capabilities
- For petroleum merchants using automated fuel dispensers (AFDs) October 1, 2017, is the deadline for EMV acceptance capabilities
EMV cards issued to US cardholders will be hybrid versions, meaning the card will have a magnetic stripe on back and chip on front. As a result, EMV cards presented for payment can still be accepted at a non-EMV-compatible POS device (payment terminal).
Yes. PCI DSS examines the payment environment and evaluates how your business accesses, transports or even stores cardholder data. PCI DSS compliance will remain a requirement.
Yes. The chip in an EMV card protects individual transactions by adding a secret number only the card issuer knows, which verifies that the transaction is legitimate through an EMV-compatible POS device. However, EMV is not designed to encrypt the sensitive card information (Account Number, Exp. Date, etc.). Therefore, it is still possible for thieves to duplicate card data and create counterfeit cards that can be swiped for use at businesses that haven’t upgraded to EMV-compatible or EMV-enabled POS devices or could be used with online retailers. Encryption removes this cardholder data from your POS device, which simplifies the scope of your PCI DSS obligations.
Merchants who participate in Worldpay’s E2EE program receive an indemnity waiver of up to $100,000 in total—which includes up to $30,000 in approved compromise associated costs, such as forensic audits and fines, as part of Worldpay’s PCI Program, plus an additional $70,000 if you experience a compromise as a result of the failure of Worldpay’s E2EE equipment to encrypt when used properly. Note, not all card transaction types are available for the E2EE service, and additional terms and conditions apply, so contact your Worldpay representative if you are interested in learning more.
EMV capabilities along with E2EE are a great combination for highly secure payment acceptance.
What role will EMV have in payments for the online, card-not-present environment? (Internet purchases)
Currently, the EMV standard exists solely for the card-present, face-to-face environment. Worldpay will work closely with the card associations to monitor any new requirements for card-not-present transactions.
- Worldpay completed certification with all major card brand networks in 2013 (Visa, MasterCard, Discover & American Express)
- Worldpay’s EMV-compatible standalone POS device solutions are available now and incorporate NFC (contactless) capabilities too: VX 520 and VX 680 (wireless terminal). Software to enable EMV will be released by Worldpay before the October 1, 2015,
- Testing and certification with Worldpay POS vendors is under way
If you have additional questions, contact a Worldpay representative. We’re happy to help.