Have you recently received a new credit card in the mail with a small, metallic square on one end? Welcome to a new era of credit card payments.
In October 2015, the liability shift for credit card fraud associated with EuroPay, MasterCard, and Visa (EMV) is due to take effect in the United States. Any businesses that accept credit cards, including physician offices and other medical offices and facilities, should prepare for the change and ensure they are protected not only from liability but also increased risk of fraud.
The new guidelines for liability primarily impact point-of-sale transactions in which the customer (or patient) has a credit card in hand. The new EMV technology embeds credit cards with microprocessing chips (just beneath that metallic square you see on your new card) that employ enhanced security features and other application capabilities not available with traditional magnetic stripe cards. During the transaction, the credit card is inserted into the reader (rather than swiped) and remains in the reader until the authentication and verification are complete.
Currently payment processors or issuing banks are liable for credit card fraud. However, starting in October 2015, merchants will assume liability for fraudulent POS transactions if they have not updated to the new EMV technology. Here’s how Tom Gara explains it in a Wall Street Journal article:
So if a merchant is still using the old system, they can still run a transaction with a swipe and a signature. But they will be liable for any fraudulent transactions if the customer has a chip card. And the same goes the other way – if the merchant has a new terminal, but the bank hasn’t issued a chip and PIN card to the customer, the bank would be liable.The key point of a liability shift is not actually to shift liability around the market. It’s to create coordination in the market, so you have issuers and merchants investing in the migration at the same time. This way, we’re not shifting fraud around within the system; we’re driving fraud out of the system.
According to EMV Connection, these new cards are more secure for three main reasons.
- Card authentication, protecting against counterfeit cards. The card is authenticated during the payment transaction, protecting against counterfeit cards. Transactions require an authentic card validated either online by the issuer using a dynamic cryptogram or offline with the terminal.
- Cardholder verification, authenticating the cardholder and protecting against lost and stolen cards. Cardholder verification ensures that the person attempting to make the transaction is the person to whom the card belongs. EMV supports four cardholder verification methods (CVM): offline PIN, online PIN, signature, or no CVM. (The PIN options are so popular in other countries that EMV is sometimes called “chip and PIN.”)
- Transaction authorization, using issuer-defined rules to authorize transactions. The transaction is authorized either online and offline. EMV transactions also create unique transaction data, so that any captured data cannot be used to execute new transactions.
So, if your medical practice, hospital, ambulatory surgical center, lab, or other medical organization accepts credit cards, what should you do?
- Evaluate your current credit POS card readers to determine if they are already EMV compatible. For the past couple of years, most new readers have been equipped for both chip and magnetic stripe transactions. If your readers are more than a couple of years old, though, you will likely need new equipment.
- Talk to your processing rep or bank to determine their plan for EMV implementation. If you do not already have the equipment, determine with them how to update yours or purchase new. Also, talk with them about additional incentives for switching to chip transactions and determine any other steps needed to make the change.
- Work with your office manager, billing office, and/or staff members who use the credit card reader to develop EMV-specific protocols and implement training. As the October deadline nears and passes, more and more cards will have both the EMV chip and the magnetic stripe (in fact, for now, all EMV cards will also have the magnetic stripe). Once you are set up to accept EMV transactions, train your staff to look for the chip option on the card as a first choice. Remember, if a bank has issued an EMV card but you run a transaction with a magnetic strip, you are on the hook for any fraud-related costs. Also, while banks are not required to switch from requiring a signature to requiring a PIN for in person transactions, some may. Make sure your staff is aware so they can help patients with the new technology.
- Evaluate the security of your online credit card transactions, as well. While the liability shift doesn’t impact “card not present” (CNP) payments, many experts believe that the increased security of EMV POS transactions will drive fraudulent activity to the least secure venue, namely online transactions. Work with your online credit card processor to ensure the highest level of security is being utilized. Also, familiarize yourself with lesser-used technologies that may soon become more mainstream, such as MasterCard’s Chip Authenticated Program (CAP) or Visa’s Dynamic Passcode Authentication (DPA).
According to the WSJ’s Tom Gara, this transition to EMV is about more than just new credit card technology; it’s paving the way for new methods of making payments, from contactless payments, to tap and pay, and even mobile payments.
For more information, review the following resources:
- CreditCards.com has a great article with 8 FAQs about using EMV cards.
- VendHQ.com has a short post on steps vendors should take to accept EMV cards.
— All rights reserved. For use or reprint in your blog, website, or publication, please contact us at firstname.lastname@example.org. Photo by frankieleon via Flickr used with permission under the Creative Commons License.