What Is EMV Compliance Law, and Should Your Business Worry About It?

Thanks to something called “EMV technology,” you’ve likely received new credit and debit cards in the mail sporting simple silver squares. Along with the futuristic look they add to any blasé black-striped credit card (nice!), they also come with higher-tech security—and EMV compliance regulations that all businesses must now follow to support it.

These squares are actually computer chips that are structured to accommodate EMV—the latest development in secure payment technology. EMV doesn’t stand for anything special. Rather, it’s actually an acronym for Europay, Mastercard, and Visa—the three companies to pioneer this payment method.

The technology behind it, however, is designed to not only cut down on consumer fraud, but also limit credit card and bank issuers’ liability for fraudulent payment chargebacks. With these new developments also come those shiny new physical credit cards you’ll need to accept as a small business owner (as well as ones you’ll be spending on with your own business credit cards). And that credit card compliance law, too—also known as EMV compliance law.

Here’s what you need to know about how credit card compliance law could affect your business—and what any consequences you could face for not updating your technology to follow the EMV rules.

What Is EMV Compliance Law?

EMV compliance law stipulates that all businesses need to upgrade their point-of-sale (POS) systems to accommodate EMV chip cards and EMV compliance. Otherwise, you won’t be able to avoid liability under new credit card chip reader law. Even though major credit card companies requested most merchants do so by October 1, 2015, a relatively staggering number have not yet adopted procedures meeting credit card EMV compliance. According to CreditCard.com statistics, only 50% to 52% of businesses currently support EMV chip card payments. ^[1] 

Fortunately, it’s not difficult to implement EMV into your business payment systems.

How EMV Technology Works—and Improves Upon Existing Payment Technologies

The major credit companies introduced EMV technology and credit card EMV compliance regulations in response to rampant credit card counterfeiting and fraud incidents tied to traditional magnetic stripe—or “mag-stripe”—cards. To understand why EMV technology and credit card chip laws matter to businesses, it’s good to contrast how EMV cards work vs. how mag-stripe cards worked.

If you look on the back of your credit card or debit card—including current EMV cards—you’ll see a thick black stripe that runs over the top of it. Although this bar may look plain, it contains complex information activated by magnetic iron particles. The magnetic credit card stripe is divided into three different sections, with the first two containing multi-bit alphanumeric characters that store your card’s payment and transaction information.^[2] When these cards are swiped into an electronic credit card reader, the reader connects to a card authenticator program to authenticate and process the payment.

Mag-stripe card purchases might be simple and straightforward, but they’re also vulnerable to fraud. This is because whatever the information embedded in the mag stripe stays in the mag stripe—and always stays the same for every transaction.

And that means that any criminal who’s able to successfully clone your mag-stripe data onto another card can use this information over and over again until you end up going through the trouble of getting replacement cards. In fact, one 2012 study published well before the introduction of EMV cards in the United States stated that the US generated 47.3% of worldwide payment card fraud losses, leading to total losses of $5.33 billion. ^[3] It’s why credit card companies have moved away from this payment approach and have adopted stringent credit card EMV compliance law procedures.

How EMV Credit Cards Help, aka Why We Need EMV Compliance Laws

EMV cards solve this problem with smart chips—that silver square located on the card.

Rather than being swiped into a card reader, EMV chip cards are dipped into compliant readers so that the reader interacts with the chip. The square chips on the edge of EMV cards ensure that the card generates one-time transaction codes unique to each purchase.

This process, known as tokenization, obscures the purchaser’s actual credit card number during the purchasing process so that the chip reader only sees random alphanumerical strings. After the smart chip communicates to the card processor to verify and authenticate purchase and availability of funds, the transaction is processed. Plus, EMV technology allows customers to pay securely via their smartphones and smart devices using NFC radio wave technology with compatible EMV readers.

Due to the amount of encrypted information being shared between the smart chip and users’ bank, transaction times can take around 7-10 seconds to process. ^[4] So, if you’ve seen a delay in processing chip cards—whether in your own business, or while you’re paying for things—it’s not just you.

Sure, it might not be the fastest payment approach, but it’s far more secure than using mag-stripe cards. And it’s why credit card companies are pushing credit card EMV compliance rules and credit card chip reader law.

If a cybercriminal were to successfully copy an EMV card off of a single transaction, the card would be declined because any transaction codes the criminal would have stolen from a single transaction card would have already expired. This makes EMV cards a safer alternative to traditional magnetic-stripe cards, since the transaction information stored on these magnetic stripes do not change.

According to VISA, this shift has already led to a 70% decrease in credit card counterfeit fraud from December 2015 to September 2017 for merchants who upgraded to using EMV chip readers.^[5] This only signals why credit card chip reader laws will become more pervasive in business owners’ day-to-day business affairs.

How EMV Compliance Will Affect You as a Business Owner

If you’re a merchant who doesn’t use a POS system that meets EMV compliance law, there’s nothing huge to worry about yet. You won’t face any strict legal consequences for not supporting EMV payments.

EMV technology and the accompanying credit card chip law are industry-regulated standards implemented and enforced by credit card issuers and banks. So, you’re not looking at a government fine or anything. Just know, however, that if you’re not meeting current credit card chip law regulations then you’re running well behind schedule.

That’s because the major credit card companies instituted an October 1, 2015 deadline to begin using EMV-compliant POS systems for all merchants accepting on-premises purchases.^[6] They did so in order to avoid liability for fraudulent payments. (The exception here is for fuel-pump operators, whose deadline for meeting EMV compliance law rules has been extended to October 1, 2020 in order to accommodate the cumbersome regulatory issues these stores face.)^[7]

EMV Compliance Law and Fraud Liability: 4 Scenarios to Understand

If you’re not EMV compliant, you could face a problem if you run into an issue like credit card fraud. These deadlines for meeting credit card chip reader law rules will have major implications for merchants, since liability for the fraudulent transaction could shift from the credit card company or bank issuer to the merchant in some circumstances. This means that for some fraudulent transactions, the merchant will be on the hook for costly fraud chargeback costs.

Fortunately, merchants won’t have to worry about this situation for all but a select few circumstances. In these common scenarios, for example, the merchant will not be responsible for fraud chargebacks whatsoever:

• Scenario 1: The merchant processes a mag-swipe card at an EMV-compliant credit card POS reader. Although the payment processes, the mag-swipe card turns out to be fraudulent. Because the merchant had taken the additional security precautions by implementing the EMV POS reader, liability falls on the credit card company or bank card issuer under credit card chip law.
• Scenario 2: A merchant processes an EMV card at an EMV-compliant credit card POS terminal. After the card company or bank processes the transaction, the card turns out to be fraudulent. Because both the merchant and the card issuer took all reasonable safety precautions by implementing EMV technology, liability falls on the credit card company or bank card issuer under credit card chip law.

Credit card and bank issuers will also remain liable under credit card chip reader law for all fraudulent processed mag stripe payments that are swiped on mag-swipe-only readers. But they won’t if the purchaser tries using an EMV chip card at a store that only supports mag stripe card payments. Here’s a few situations describing how this would play out under EMV compliance law and credit card chip law:

• Scenario 3: A merchant has a mag-swipe-only POS card reader, but the purchaser only has an EMV card. Because the merchant is unable to accept business payments made with the EMV card’s smart chip, the consumer is forced to swipe his or her EMV card through the mag swipe reader in order to complete the purchase. If that purchase processes and turns out to be fraudulent, the merchant is liable under credit card EMV compliance law because the credit card or bank issuer company was the only one to adopt EMV technology and fulfill its prerogative to secure the purchase.

That said, there’s still another scenario under credit card chip reader law where companies could be found liable for chargeback payments even while using an EMV POS card reader:

• Scenario 4: A merchant has adopted EMV technology, the purchaser uses the card, but the mag stripe is unreadable. As a fallback, the merchant has the purchaser enter in the credit card information manually. If the merchant enters in the user’s credit card information using manual key entry instead of industry-compliant PAN (16-digit primary account number) key entry, then the merchant remains liable under credit card chip law.

If your business operates ATMs or has international locations, additional rules will apply. US Payments Forum recently published a handy outline that goes into all of these case-specific liability shifting scenarios.

Criminals Might Take Advantage of New EMV Compliance Laws, So Be Vigilant

In addition, the credit card industry’s rush to adopt EMV could also open the door for enterprising criminals to manipulate transactions that fall outside the scope of EMV compliance law. The credit card industry’s push toward having businesses adopt EMV technology will affect businesses that are either slow to transition or haven’t transitioned off of magstripe POS software due to regulatory or cost-related matters.

According to one recent study by Canyan, overall credit and debit card fraud is expected to increase from $3.1 billion in 2015 to $6.4 billion in 2018 as criminals explore manipulating “card not present” transactions that don’t require EMV verification.

EMV’s technological benefits are only limited to in-person, card-present purchases. As a result, you’ll need to also watch out for other forms of credit card and debit card fraud that criminals could find easier to carry out that are outside the boundaries of EMV compliance law and credit card EMV compliance.

What Businesses Should Do to Fight Back Against Chargeback Claims

EMV cards are supposed to mitigate fraudulent transactions. But no technology is perfect.

If you’re facing chargeback claims that you believe are untrue, then you’ll need to initiate a chargeback claim against the credit card or bank issuer that processed the transaction. This takes the form of a “chargeback representment,” which is a process when you present a payment charge to a bank or credit card issuer for processing an additional time after the first attempt is rejected.

Whether you’re successful in convincing the buyer’s bank or credit card company to process the purchase will often come down to the evidence you provide to support your assertions. Although this evidence will vary depending on the type of transaction at issue, some of the kinds of evidence you may want to consider collecting and submitting include:

• Copies of any relevant sales receipts or purchase orders
• Proof showing that the purchaser works or resides at the disputed card’s billing address
• Proof showing that the items purchased match the billed costs
• Product shipping tracking numbers and delivery confirmation notices
• A historical log of prior orders from the customer owning the disputed card
• Communication records between your business and the purchaser
• Purchaser IP address information for digital download purchases
• Evidence that a close friend or family member of the customer may have made authorized purchases using the disputed card.

For some transactions, you might need to supply different evidence in order to strengthen and justify your claims. That’s why it’s always crucial that you consult with a small business lawyer well-versed in credit card transaction regulations to ensure you’re presenting your case in the best possible light.

How Small Businesses Should Adjust Billing and Charging Practices to Meet New Credit Card Chip Laws

The simplest thing you can do about EMV compliance law issues? Bite the bullet and upgrade your POS systems to ensure credit card EMV compliance. If your business has a brick and mortar location and accepts credit card or debit card payments—or if you operate ATMs that process debit and credit card transactions—you’ll need to use a POS system and card chip readers that support EMV transaction technology and comply with credit card chip reader law.

Fortunately, there are lots of EMV processing options that businesses can take advantage of. And many of these processors are cost efficient, too. If you’re just starting your business, vendors including Square and PayPal offer on-site mobile EMV payment solutions that you can invest in—including phone-compatible chip readers that can register EMV chips. Some of these readers are included with your account membership, and others entail additional fees. That being said, standalone EMV chip card readers can cost anywhere from $9.99 to upward of $1,000 per reader depending on the model.

The Bottom Line 

The moral of the story? If you don’t have current, compliant tech, get there as soon as you can. Although you won’t pay a fine, you might pay the price later.

You can find a solution that works for your business, no matter your size or industry—especially since transitioning to EMV payment technology to meet credit card chip reader standards is a step most businesses should have already done by now.

Fortunately, it’s not too late to make the leap towards meeting EMV compliance law and credit card chip reader law standards if you haven’t already. Ensuring your business meets EMV compliance and credit card chip laws will help you win over your customers’ and clients’ continued trust for sure—especially now that credit card companies are eliminating the signature requirement rule. But more than anything, it’ll also help you avoid costly chargeback costs that could damage your reputation and your business. 

Article Sources: 

1. Creditcards.com. “8 FAQs about EMV credit cards“
2. NCBI.gov. “The Design of High Performance, Low Power Triple-Track Magnetic Sensor Chip“
3. Paymentcardsandmobile.com “Card Fraud Report 2015“
4. CNN.com. “Visa moves to speed up chip card transactions“
5. Visa.com. “Visa Chip Card Stats“
6. Visa.com. “Visa Chip Technology“
7. Visa.com. “EMV at the pump“