Looming liability shift causes race to upgrade payment systems
09 June, 2015
As summer approaches, college campuses prep for and undertake many different projects while a segment of the students are back at home. General remodeling, upgrading computer systems and overall maintenance are just a few tasks that are easier to do when students are on break.
This summer, many campuses will be spending time and money to upgrade their point-of-sale payment terminals to ensure they are compliant with new payment technology coming to the U.S. It is called EMV – short for Europay, MasterCard, Visa – and it is the smart card standard used by the majority of the industrialized world for payment cards. It started its global rollout region-by-region way back in the mid-1990s, and the U.S. is one of the last markets to jump on board.
EMV payment cards traditionally have a contact chip, and when making a purchase the consumer inserts the card into a reader, enters a PIN and conducts the transaction. This will be different in the U.S., as consumers will insert their card and then sign to complete the transaction, rather than enter a PIN.
A major security benefit is that EMV doesn’t transmit the payment card number as it is shown on the card, but instead creates a one-time number that is only usable for that specific transaction. If that transaction is intercepted, it cannot be reused and the card number is not compromised, reducing the chance of fraud. Additionally, the inclusion of the cryptographically-secure chip makes it virtually impossible to clone or counterfeit an EMV card.
Why do campuses need to switch?
To begin, EMV only impacts those payment terminals that accept branded payment cards, specifically Visa, MasterCard, American Express and Discover. Universities only need to be concerned about terminals that accept these payment types and don’t have to worry about terminals that just accept campus cards. In many cases, however, terminals in food services, c-stores, bookstores and a host of other locations accept both branded cards and campus cards. These points-of-sale are where the challenges arise.
Still, it is important to note that neither universities nor any other merchant are mandated to accept EMV payments. There is, however, an October 2015 liability shift mandated by the payment brands that encourages this to happen. In the past, the merchant has been liable for the cost of fraud from payment cards, but the liability shift puts the onus on the party with the weaker technology – either the merchant or the card-issuing bank.
For example, if a merchant has upgraded the point-of-sale terminal and backend system to accept EMV but the issuing bank has not provided an EMV card, the bank will be responsible for a fraudulent transaction. The opposite is also true. If a bank has issued an EMV card but the retailer has not upgraded systems, fraudulent transactions will be the responsibility of the merchant.
Bringing this example closer to home, if a campus doesn’t upgrade its point-of-sale systems for EMV, the campus will be liable for the fraud that occurs.
Campus card providers who also provide payment systems to their clients report that universities are taking the EMV switch seriously. “We’ve been in discussions with our clients for the last year and many of them have been moving briskly to take care of the EMV obligations,” says Jeff Staples, vice president of market development at Blackboard Transact.
The CBORD Group has also seen requests for new payment technology on campus, says Scott Jerabek, product manager at the company. “The demand is very high and a lot of campuses are moving at the same time,” he explains.
While EMV is a priority on campus, CBORD is seeing more interest in point-to-point encryption, Jerabek says. Point-to-point encryption secures all the sensitive data from the swipe at the payment terminal all the way through the process and, he stresses, should be done before or concurrent with any move to EMV. “The EMV liability shift is looming and the gateway partners need to have point-to-point encryption solutions that are EMV ready,” he adds.
The vast majority of EMV-ready solutions include point-to-point encryption, says Brian Hendrix, product manager at Sequoia Retail Systems. But campuses will want to make sure to ask the question. “EMV is about authenticating the person at the terminal, it has nothing to do with preventing a Target-like breach,” he says. To guard against this, he adds, point-to-point encryption is key.
Many campuses that have upgraded payment terminals in the past couple of years already have the hardware for EMV, Jerabek says. It’s a matter of making sure the gateway is prepared as well as making sure the software is capable of handling EMV transactions. “The software used on the point-of-sale side might have to be upgraded,” Jerabek explains. “The software versions can range on campus, some stay up to date but some don’t.”
Campuses can also be tricky in that the same terminals that accept payment cards are also used to run transactions for the campus ID, says Hendrix. Campuses need to take steps to make sure the new systems can handle both types of transactions. “We’ve seen campuses put new terminals in place and all of a sudden they can’t use their student cards,” he says.
Universities need to work with the payment gateways to make sure those campus card transactions aren’t also processed by them. Gateways charge on a per transaction basis and costs will add up if campus ID purchases are counted, says John Diaz, vice president of business development at Sequoia Retail Systems. “You want to dig into the details of how you get that card number,” he explains. “You don’t want it leaving the campus.”
Mag stripe swipes won’t go away immediately, but they will be supplemented and then eventually replaced with EMV. EMV transactions require consumers to leave their card in the terminal until the transaction is complete. “The cashiers have to understand that they’re not just dipping the card in the reader, but rather leaving it in there the entire time,” Hendrix explains.
An unfortunate byproduct of this new workflow is that many cards are likely to be left behind in the readers. “Lost cards go up by an order of magnitude,” Hendrix explains. He cautions that some retailers have reported having drawers of left-behind payment cards, but this seems a small price to pay to curb the counterfeiting of cards and reduce at least one major area of payment fraud.