You’ve probably heard talk of EMV with increasing regularity over the past several months. This new regulation seems to be creating a sizable knot in the stomachs of most independent business owners. It’s yet another difficult to understand regulation requiring action and investment from businesses. And it’s doubly scary because it is being advertised as the key to credit card security. With breaking news of new credit card data breaches every time we turn around, and deadlines for implementation of EMV set for 2015, it’s understandable that EMV is the topic everyone both does and doesn’t want to talk about.
Here is some information about EMV and what it means to you:
What is EMV? EMV stands for “Europay Mastercard Visa”. EMV technology was first implemented in Europe in 1995. EMV cards have a microchip embedded in them that creates a unique transaction code each time the card is used. This sharply contrasts to a standard card with a magnetic strip that contains constant and unchanging data. You may also hear EMV referred to as Chip and PIN, but EMV cards are more likely to be used in a signature based transaction during the early stages of EMV rollout in the United States.
What does EMV Do? EMV makes it virtually impossible to duplicate a card. So in essence, if someone were to obtain your credit card information, they could not simply make a mirror image of your card and have it work.
So EMV completely secures my store for credit card transactions? Unfortunately, EMV is not a guarantee against breaches and fraud. In fact, the presence of EMV would not have had any impact on the most notorious large scale data breaches such as Home Depot, Target, Sears, etc. In those instances, the data that was stolen would still have been vulnerable regardless of whether EMV had been adopted. So while a card cannot be duplicated, card information can still be obtained if other means of protection are not used.
Who is enforcing EMV? The major card brands such as Visa, MasterCard and American Express have chosen to push adoption of EMV in an attempt to reduce fraudulent transactions.
What is the deadline for EMV? There is no hard deadline for adoption of EMV. In countries like Canada, where they have been using EMV for 8 years, they still have only a 50% adoption rate. However, the major card brands have sited October, 2015 as their roll-over date when not supporting EMV becomes impactful to merchants.
What happens if I don’t support EMV transactions by October, 2015? Out of the 1.1 billion credit and debit cards issued in the United States, practically none of them are EMV capable just yet. But over the next year, more and more of your customers will be receiving cards with the EMV microchip technology. You’ll still be able to accept these cards without EMV enabled. EMV cards still have a standard swipe. What happens in October of 2015 is a shift in liability in instances of Fraud. The major card brands state that liability for fraudulent transactions will rest with whatever party is the least EMV compliant. So there is definitely some added risk, but it’s actually not so different from today. If you were to experience a breach today, you could still be liable for fraud perpetrated from that breach if the breach were determined to be caused by security negligence on your part. Basically, you are potentially just as liable today as you will be on October 2015, but there’s an added liability specific to EMV cards and transactions.
What changes will my customers see? There will be an adjustment period for your customers. Today, most customers are used to swiping their card as soon as the transaction begins. In order to utilize EMV, the card will have to be inserted into a special slot and left there during the entire transaction. This will mean re-training your customers -- "swipe at anytime" becomes a thing of the past.
What should I tell my customers? It’s important to make sure that your customers know that you are aware of the need for added security when it comes to handling their credit card data. Make sure to educate your staff on EMV and keep them up to date on the latest information so that they can answer questions that come up. As more card issuers release EMV capable cards, you’ll receive more questions from customers as to how your pharmacy can continue to meet their needs.
Can I start now? While we know that EMV is coming, there is little that we can actually do about it right now. As a point-of-sale provider, RMS cannot begin coding until we receive key information from the credit card processors themselves. The processors must determine how they will implement EMV, and what devices they will allow their merchants to use. As soon as we receive this information and can advise our customers on which path to follow we will reach out. We are having weekly meetings with our processing partners and expect to have new specs very soon.
Where can I learn more? You can learn more about security in your pharmacy and PCI compliance by downloading our free E-Book. I also encourage checking out this pharmacy podcast with special guest Brad Jones, RMS’ President & CEO. Brad talks in depth about EMV and other card processing security concerns. Keep reading the RMS blog for the latest information on EMV.