EMV Is Here: Is Your Customer’s Payment Hardware Ready?
Now that the holidays are over, the next big hurdle in payment hardware and software is right around the corner. EMV has an implementation milestone of October 1, 2015 for most retailers and processors to be EMV compliant. The three dates below are from Master Card and Visa’s website.
October 1, 2015 – Counterfeit Card Liability Shift (MC and Visa): The party that has made investment in EMV deployment is protected from financial liability for card-present counterfeit fraud losses on this date. If neither or both parties are EMV compliant, the fraud liability remains the same as it is today. This date excludes automated fuel dispensers.
October, 2015 – Account Data Compromise Relief (MC and Visa): On this date, if at least 95 percent of MasterCard transactions originate from EMV-compliant POS terminals, the merchant is relieved of 100 percent of account data compromise penalties.
October, 2017 – Fraud Liability Shift, Automated Fuel Dispensers. MasterCard liability hierarchy takes effect for automated fuel dispensers
By now, you would think that most retailers should be aware of the need to upgrade their POS and or Payment applications and hardware to meet EMV compliance, but I speak to retailers every day to which all this is a complete surprise. By now most POS and Payment App vendors and Integrators have made plans to upgrade their systems to accommodate EMV and have shared these timetables and plans with you, so if you have not started having conversations with your customers, the clock is ticking. Below is information that we have drawn from various sources aimed at helping you address EMV with your customers.
Frequently Asked Questions About EMV
What is EMV?
EMV is an open-standard set of specifications for smart card payments and acceptance devices. The EMV specifications were developed to define a set of requirements to ensure interoperability between chip-based payment cards and terminals. EMV chip cards contain embedded microprocessors that provide strong transaction security features and other application capabilities not possible with traditional magnetic stripe cards. Today, EMVCo manages, maintains and enhances the specifications. EMVCo is owned by American Express, Discover, JCB, MasterCard, UnionPay, and Visa, and includes other organizations from the payments industry participating as technical and business associates. Information on the specifications and organization is available at http://www.emvco.com.
Why is EMV so much better?
- Card authentication, protecting against counterfeit cards. The card is authenticated during the payment transaction, protecting against counterfeit cards. Transactions require an authentic card validated either online by the issuer using a dynamic cryptogram or offline with the terminal using Static Data Authentication (SDA), Dynamic Data Authentication (DDA) or Combined DDA with application cryptogram generation (CDA). EMV transactions also create unique transaction data, so that any captured data cannot be used to execute new transactions.
- Cardholder verification, authenticating the cardholder and protecting against lost and stolen cards. Cardholder verification ensures that the person attempting to make the transaction is the person to whom the card belongs. EMV supports four cardholder verification methods (CVM): offline PIN, online PIN, signature, or no CVM. The issuer prioritizes CVMs based on the associated risk of the transaction (for example, no CVM is used for unattended devices where transaction amounts are typically quite low).
- Transaction authorization, using issuer-defined rules to authorize transactions. The transaction is authorized either online and offline. For an online authorization, transactions proceed as they do today in the U.S. with magnetic stripe cards. The transaction information is sent to the issuer, along with a transaction-specific cryptogram, and the issuer either authorizes or declines the transaction. In an offline EMV transaction, the card and terminal communicate and use issuer-defined risk parameters that are set in the card to determine whether the transaction can be authorized. Offline transactions are used when terminals do not have online connectivity (e.g., at a ticket kiosk) or in countries where telecommunications costs are high.
What do I have to do to be compliant?
This one does not have a single answer. POS Integrators, Payment Applications, Gateway Processors and the Hardware Manufacturers have developed a variety of solutions to meet the challenge ranging from fully integrated solutions that will work with some existing POS platforms, to what is referred to as “Semi Integrated” solutions that process the payment on the payment terminal with nominal interaction with the POS and many variants in between. In addition, the Hardware Manufacturers also can make available all the documentation and tools for those that have home grown POS applications. POSDATA can assist here by working with the Manufacturers to get the right Integration Kit for the application and also provide basic development support where needed.
Where do I start?
In most cases, the process is going to start with you the reseller. The POS software application will likely dictate the path as by now they will have outlined an EMV solution. That solution may be to totally remove payments from their app partner specific third party Payment software or to provide “hooks” into the POS app to allow multiple third party solutions. They may also have chosen to provide an end to end solution. Integration and certification for EMV is a costly endeavor, so there may not be a wide range of choices for a particular POS depending on their size and install base. Same goes with payment hardware. You may find that an application may now only partner with one device manufacturer. There is also hardware out there that, while relatively new will not be supported by the manufacturer for EMV. Bottom line is, if you have not started having these conversations with your customers by now, they are behind the curve and are going to have to catch up.
Can I use my existing payment devices?
If the chosen POS/Payment application supports it. That being said, there are a lot of integrated payment terminals that are not being supported for EMV by the manufacturers. Some because they are not equipped with Smart Card readers, others because they have been recently “End of Lifed” and firmware application updates are no longer being developed for them. The breakdown below comes from the manufacturers. Please also note that while devices may be advertised as “EMV Ready” , “EMV Capable” or “EMV Certified”, additional licenses, updated OS and/or applications or certificates may need to be loaded before EMV transactions can be performed.
Verifone
Most MX product that was built with a Smart Card reader can be used for EMV, although upgrades and additional applications will be required. This is a matrix of the MX product that is EMV capable by model number. The number to look for is the 9 in the 7th position of the part number. For example, a non-EMV MX 860 would be M094-407-01-R, versus the EMV MX 860 which is M094-409-01-R. Also, there are no non-EMV models of the MX 915 or MX 925, only the EMV. In addition the current line of VX Pin Pads ( VX 820 and VX 805) are also EMV ready.
VeriFone Model | PCI 1.3 Part Number – These products are EOL, but can still be used until 2017. | PCI 2.0 Part Number | PCI 3.0 Part Number |
MX 830 | M090-309-04-R | N/A | N/A |
MX 850 | M090-209-01-R | M094-209-01-R Will be EOL at end of 2014 | N/A |
MX 860 | M090-409-01-R | M094-409-01-R | N/A |
MX 870 | M090-109-01-R | M094-109-01-R | N/A |
MX 880 | M090-509-01-R | M094-509-01-R | N/A |
MX 915 | N/A | N/A | M132-409-01-R |
MX 925 | N/A | N/A | M132-509-01-R |
Ingenico
Ingenico will support all iSC Touch models (250, 350 and 480) and the iPP 320 and 350. No Ingenico product that has been “End of Lifed” will be supported for EMV.
Equinox (Hypercom)
Equinox will be supporting the L5200 and L5300 only and well as the Apollo CFD. No Equinox product that has been “End of Lifed” will be supported for EMV.
PAX
Many PAX devices are EMV ready including the MT 30, SP30 and S300. Some PAX models did not come standard with Smart Card readers, so please contact us if you have any questions about specific models.
How do I dispose of my old payment terminals?
POSDATA offers a service called eWaste Disposal. You simply provide a list of serial numbers of your old devices and as they are replaced in the field, you have them shipped to our facility. There we keep track of the devices received and provide reporting to you. We then disassemble the devices making sure that all keys and any other sensitive information is removed or permanently disabled and recycle all components including any hazardous materials they may contain in an environmentally friendly fashion. When we are done, you receive a comprehensive report on the items disposed of and a Certificate of Recycling.
Closing Thoughts
This is going to be a very busy year in the payments industry. As you may imagine there will be quite a demand for replacement payment devices and all the requisite accessories and services. As you plan rollouts and upgrades this year, expect longer than usual lead times due to the volume. We here at POSDATA are here to help in any way we can to make your EMV transition as smooth as possible with a wide range of devices, services and solutions.