Retail pet businesses could pay a high price for not adapting to evolving credit card technology.
There is a potential storm cloud on the horizon for many pet supply retailers, grooming shops, kennels and other pet businesses that either accept credit or debit card payments, or use those cards for purchases. Ahead lies a so-called “liability shift,” where banks and card issuers plan to shift liability for fraudulent card transactions to those who are not ready for a new, more secure card.
Today, if a credit card transaction is conducted using a counterfeit, stolen or otherwise compromised card, losses from that transaction usually fall back on the payment processor or issuing bank. After October 1, however, any business that doesn’t have an EMV (Europay, MasterCard and Visa) processing device will find the banks will no longer be liable.
Although it is estimated that 40 percent of debit cards and more than 70 percent of credit cards that will be issued before the end of the year will employ EMV technology, many pet retailers, especially those with a relatively low volume of card transactions, may find the cost of upgrading to accept EMV cards could outstrip the potential future costs of fraud.
The New EMV System
EMV is a global standard for cards equipped with a small integrated circuit (or chip) that, along with the appropriate technology, is used to authenticate transactions. The EMV technology, often referred to as “chip and PIN,” is widely used elsewhere in the world. Now U.S. card issuers are moving to this new technology to both protect consumers and reduce the cost of fraud.
For consumers, the switch means activating the new EMV cards and learning new payment processes. For retail pet businesses, it means adding new point-of-sale (POS) terminals, in-store technology and internal processing systems.
The magnetic stripes on traditional credit and debit cards contain unchanging data, making traditional cards prime targets for counterfeiting. Whoever accesses the data on traditional cards has all of the sensitive card and cardholder information necessary to make a purchase. Setting apart the new generation of cards is a small chip.
Unlike the traditional magnetic-stripe cards, every time an EMV card is used for payment, the card’s chip creates a unique transaction code that cannot be used again. As with magnetic-stripe cards, EMV cards are processed for payment in two steps: card reading and transaction verification. With EMV cards, however, it is no longer necessary to master a quick, fluid card swipe in the right direction. Chip cards are read in a different way.
Instead of going to a register and swiping an EMV card, customers perform “card dipping” inserting the card into a terminal slot. When an EMV card is dipped, data flows between the card chip and the issuing financial institution to verify the card’s legitimacy and create the unique transaction data. This process isn’t as quick as a magnetic-stripe swipe.
Signatures or entering a PIN for card transaction will still be required, but which one is used will depend on the verification method tied to the EMV card, not whether the card is debit or credit. Fortunately, card dipping is not the only option.
A pet retailer can continue processing cards with the magnetic stripe and ignore the EMV technology. No business will be lost, since most cards will still have a magnetic stripe as backup. The only difference—albeit an extremely important one—is that, starting in October, the pet retailer may be liable for any counterfeit or fraudulent card transactions, thanks to the liability shift.
According to at least one expert, if a hacker stole the chip information from one specific point-of-sale system, typical card duplication would never work because the stolen transaction number created in that instance wouldn’t be usable again and the card would just get denied.
Near But So Far
EMV cards can also support contactless card reading, often referred to as near field communication (NFC). Instead of dipping or swiping, NFC-equipped cards are tapped against a terminal scanner that picks up the card data from the embedded computer chip. Unfortunately, dual-interface cards and the equipment needed to scan them are expensive. So, currently, the emphasis is on successfully integrating EMV cards into the shopping process. Dual interface will arrive later.
When no card is present, such as with online transactions, programs like MasterCard’s Chip Authentication Program (CAP) and Visa’s Dynamic Passcode Authentication (DPA) allow EMV cards to be used for authentication. For an online transaction, the user inserts the EMV credit or debit card into a handheld reader. Once the user enters a PIN, the reader displays a one-time password that can be used to validate the user’s identity. The user enters the password in the appropriate field on the retail pet operation’s checkout page, and the password is passed back to the issuer for authentication.
An EMV-based payment infrastrucure for mobile contactless payments has already been introduced in Europe. However, while continued growth is predicted for NFC-enabled mobile devices for contactless payments and other mobile applications in the U.S., as with duel-interface equipment, it will take awhile.
The Payment Card Industry (PCI) Data Security Standard (DSS) is a security standard that everyone handling branded cards from the major credit card companies such as Visa, MasterCard, American Express and Discover. All merchants, whether large or small, must comply with this standard. The credit card companies have collectively adopted PCI DSS as a requirement for everyone processing, storing or transmitting cardholder data.
Rather than focusing on a specific category of fraud, the PCI DSS was designed to protect cardholder and sensitive authentication data anywhere this data is present within the payment process, thus limiting the potential for hacking and fraud. When used together, EMV chip and PCI DSS will substantially reduce fraud and enhance payment security.
The Issue Of Liability
A key consideration for any pet retailer adopting EMV cards is the liability shift. Liability shift means that issuers (banks, credit unions, and any other financial institution issuing credit or debit cards) and merchants continuing to use non-EMV compliant devices and accept transactions made with EMV-compliant cards, will assume liability for any and all fraudulent transactions.
After the liability shift, if a pet retailer is still using the swipe-and-signature methodology and the customer has a smartcard, the merchant is liable. If the pet business/merchant has the new EMV chip and PIN technology, but the bank hasn’t issued the customer a Chip and PIN card, the bank is liable. If a merchant uses Chip and PIN technology on a customer’s smartcard and fraud still takes place, the credit card company bears the liability.
In other words, the liability for card-present fraud will shift to whichever party is the least EMV-compliant in the fraudulent transaction. Naturally, the capabilities of a pet business’s POS system will play a pivotal role in the success of the EMV card. Issuers can distribute EMV cards, but EMV’s fraud reduction benefits won’t be realized if merchants can’t accept the cards.
The upcoming liability shift means all pet retailers will have to review their POS systems, including in-store hardware and software. The transition could prove easier for small operations, which may be able to move to EMV by simply adding a new external pin pad. Larger operations will, in all likelihood, have to invest heavily as they look to upgrade numerous terminals and systems.
Although the upcoming deadline should be enough encouragement for all parties involved in the payment process to become EMV-compliant as soon as possible, it is increasingly obvious that not everyone will comply by that date. While EMV compliance is required for credit card acquirers and processors, it is not mandated for merchants and processors. Of course, a pet retailer that is not in compliance by October will assume liability for any fraudulent purchases—a shift that is poised to drive many to adopt the new standards and avoid the risk.
As the new EMV card strategy was developing, many experts were saying that the only merchants that should think about getting EMV-compatible credit card terminals were those that already need a new terminal. The consensus seemed to be, as with the case for computers, the best time to get a new credit card machine may be tomorrow. The technology will only improve with time, making it less important unless the retail pet business is already encountering large number of chip cards.
However, tomorrow may be today. Expert opinions notwithstanding, every pet retailer should protect themselves from fraud liability. The relatively small price of a new terminal may be worth the peace of mind it brings. Naturally, there is always the chance that no one will ever attempt to use a counterfeit chip card in your pet business, but can you afford to gamble?