Europay MasterCard and Visa (EMV) specifications refer to security features in credit and debit cards that have been used for some time in Europe. The standards for such secure payment transactions have been adopted by more than 80 countries worldwide, with the United Sates being one of the last major developed countries to move to EMV standards.
The change holds significance for colleges and universities in that, as of October 1, the liability for card-present fraud shifts to whichever party in the payment transaction is the least compliant with EMV standards. At Boise State University, Idaho, we have learned a lot about the standards and are quickly moving ahead with implementation.
The Risks of Noncompliance
Historically, when a fraudulent credit or debit card transaction was conducted, the risk and liability for the loss was placed with the card processor or card issuer, such as the bank that issued the particular card. As the merchant, universities were not responsible for the fraudulent amount approved.
With the liability shifting to whichever party is least compliant with EMV standards, a transaction made with a fraudulently used, chip-enabled card in your bookstore—which did not convert to the ability to accept chip cards—would result in the liability for that loss likely going to the university bookstore, not to the card issuer.
Increased costs and penalties—along with nonfinancial risks—to the university might also arise in cases such as data breaches. If there is a significant data breach at your institution, and you are not complying with the most recent payment security standards, including EMV, the noncompliance can easily become public information. Such publicity often results in some loss of goodwill, loss of trust in your institution, and possible additional secondary liabilities.
With a traditional credit or debit card, all the data and information needed to authorize a transaction is contained within the magnetic stripe. If a card is lost, stolen, or counterfeited, the information within the magnetic stripe can be used to authorize fraudulent transactions.
With an EMV card (credit cards often referred to as “smart cards,” “chip cards,” or “chip-enabled cards”; and debit cards called “chip” or “pin cards”), a smart chip creates a unique transaction authorization code. This is done either (1) online, via communication with the card issuer during the transaction or (2) offline, using a complex cryptogram generation process. The result is that for every transaction a unique code is assigned and usable only once. If an EMV card is lost or stolen, the authentication codes stored within the chip are valid only for the past transactions, and cannot be used for any future transactions.
Elements, Costs of EMV Compliance
In its simplest form, EMV compliance requires the mandatory hardware and software needed to authorize payment card transactions using the smart chip, rather than the magnetic stripe, or manual card number entry transactions. It also requires an update to the transaction terminal software that meets testing and certification requirements to ensure a successful implementation.
At Boise State University, we recently purchased dozens of new credit card terminals at a cost of $500 to $800 each, depending on the features each department needed. Terminals may also be leased or rented.
Since your institution’s merchant services provider and processer share in the risk associated with campus transactions, don’t hesitate to call upon them to be your partners and experts in all payment card compliance. As we transitioned to EMV compliance, our merchant services provider was a key partner and consultant in the process. That partnership started with a phone call to our bank and the request to help us be EMV-compliant. Within a day our vendor gave us a list of all our current card terminals and recommended replacement of EMV terminals, calculated the associated costs, and estimated the lead time needed to install all the equipment.
We’ve found that the following actions can help ensure compliance with EMV specifications:
- Ask your financial division or treasury office what has been done to-date to become EMV compliant, so that you are aware of the current status of compliance.
- Meet with your merchant services provider, discuss your current level of EMV compliance, and use the company’s expertise to fill in the blanks. Remember that your merchant services vendor is your partner and consultant in card payment compliance
- Review the compliance status of on-campus vendors. This is a hugely important step. It is likely, for example, that your campus has contracted food service with integrated point-of-sale terminals (POS); third-party parking meters with built-in credit card capabilities; third-party box offices; private bookstore operators; vending machines; and much more. Include in your EMV compliance review, not only university-owned terminals, but those used by third parties as well.
- As you renew or modify yourservice agreements with vendors, consider contractual clauses for EMV compliance and/or additional insurance and/or indemnification for fraudulent card activity and data breaches. While many of these companies may be reluctant to replace POS terminals costing thousands of dollars each; or parking meter operations may not have the funds to exchange hundreds or thousands of parking meter heads—and other third parties may go so far as to determine that the risk of not being EMV-compliant is less costly than updating their systems—be wary of this approach. The reputation of your university is linked to the performance and service your vendors provide to your students and guests.
- Partner with general counsel, risk management, and purchasing, as you review current and future vendor contracts. If certain vendors are not yet complying with the new payment standards, ask them for their plans and the schedule determining when they will arrive at EMV compliance.
RESOURCE LINK For more information, including a schedule for EMV compliance and risk transfer visit: www.creditcards.com/credit-card-news/emv-faq-chip-cards-answers-1264.php and http://lp.verifone.com/media/2146788/emv_key_dates_chart_021213.pdf.
SUBMITTED BY Jared Everett, treasurer and executive director of real estate and business development, Boise State University, Idaho.