Campuses preparing for EMV acceptance
Looming liability shift causes race to upgrade payment systems
09 June, 2015
As summer approaches, college campuses prep for and undertake many different projects while a segment of the students are back at home. General remodeling, upgrading computer systems and overall maintenance are just a few tasks that are easier to do when students are on break.
This summer, many campuses will be spending time and money to upgrade their point-of-sale payment terminals to ensure they are compliant with new payment technology coming to the U.S. It is called EMV – short for Europay, MasterCard, Visa – and it is the smart card standard used by the majority of the industrialized world for payment cards. It started its global rollout region-by-region way back in the mid-1990s, and the U.S. is one of the last markets to jump on board.
EMV payment cards traditionally have a contact chip, and when making a purchase the consumer inserts the card into a reader, enters a PIN and conducts the transaction. This will be different in the U.S., as consumers will insert their card and then sign to complete the transaction, rather than enter a PIN.
A major security benefit is that EMV doesn’t transmit the payment card number as it is shown on the card, but instead creates a one-time number that is only usable for that specific transaction. If that transaction is intercepted, it cannot be reused and the card number is not compromised, reducing the chance of fraud. Additionally, the inclusion of the cryptographically secure chip makes it virtually impossible to clone or counterfeit an EMV card.
Why do campuses need to switch?
To begin, EMV only impacts those payment terminals that accept branded payment cards, specifically Visa, MasterCard, American Express and Discover. Universities only need to be concerned about terminals that accept these payment types and don’t have to worry about terminals that just accept campus cards. In many cases, however, terminals in food services, c-stores, bookstores and a host of other locations accept both branded cards and campus cards. These points-of-sale are where the challenges arise.
Defining EMV Readiness
How retailers are preparing for the switch to EMV is a bit of a mixed bag. Campus payment providers say many campuses are busy making the move to accept chip cards for payments, but a survey of small businesses suggests retailers are unaware of the upcoming liability shift.
Based on a poll from Newtek Business Services Corp of more than 990 respondents, 71% of business owners were not aware that by October of 2015, Visa and MasterCard would hold the merchant responsible for credit card fraud if they do not have an EMV compliant terminal. Additionally, 81% of business owners have not yet upgraded their terminals to be EMV ready.
Overall, retailers fall into one of three categories, says Randy Vanderhoof, executive director of the Smart Card Alliance. First, you have those who know this has been in the works for a few years, have been making plans to upgrade their system, and will be fully operational by October.
In the middle there are merchants who are aware of what’s coming but aren’t jumping to make changes, Vanderhoof says. They have begun the process but are moving deliberately and taking their time to make the switch sometime in 2016. “They don’t see a problem with fraud and don’t think they need to make the investment right now,” he adds.
And in the last tier there are those who have no idea that the shift is coming, Vanderhoof says. “They either haven’t heard about EMV or they have no plans because they don’t see it as a priority,” he explains.
The problem with these last two categories is that fraudsters might flock to them once they find out. Upgrading one point-of-sale terminal and the infrastructure costs between $250 and $500, Vanderhoof says. This could be a small price to pay. “Some small businesses will be shocked to see hundreds of thousands of dollars in fraud that they have never seen before,” he adds.
In this situation, campus IDs are similar to closed-loop gift cards, says Randy Vanderhoof, executive director of the Smart Card Alliance. “Look at Subway, they work off a customized point-of-sale and they have a lot more work to do because of the way the payments are routed,” he explains. “They have customized settings in their terminal systems for handling closed loop cards as well as credit and debit cards.”
Many gateways are still updating their software and some terminal manufacturers are also awaiting certification in preparation for the October liability shift, Hendrix says. “We’re still waiting for certification from the gateways and hardware manufacturers, some might not be ready for the October shift,” he explains.
Making sure the hardware and software are EMV ready is paramount, but don’t skip the education, Hendrix says. “We tell the campuses that they have to train cashiers how the new transactions happen,” he adds.
Still, it is important to note that neither universities nor any other merchant are mandated to accept EMV payments. There is, however, an October 2015 liability shift mandated by the payment brands that encourages this to happen. In the past, the merchant has been liable for the cost of fraud from payment cards, but the liability shift puts the onus on the party with the weaker technology – either the merchant or the card-issuing bank.
For example, if a merchant has upgraded the point-of-sale terminal and backend system to accept EMV but the issuing bank has not provided an EMV card, the bank will be responsible for a fraudulent transaction. The opposite is also true. If a bank has issued an EMV card but the retailer has not upgraded systems, fraudulent transactions will be the responsibility of the merchant.
Bringing this example closer to home, if a campus doesn’t upgrade its point-of-sale systems for EMV, the campus will be liable for the fraud that occurs.
Campus card providers who also provide payment systems to their clients report that universities are taking the EMV switch seriously. “We’ve been in discussions with our clients for the last year and many of them have been moving briskly to take care of the EMV obligations,” says Jeff Staples, vice president of market development at Blackboard Transact.
The CBORD Group has also seen requests for new payment technology on campus, says Scott Jerabek, product manager at the company. “The demand is very high and a lot of campuses are moving at the same time,” he explains.
While EMV is a priority on campus, CBORD is seeing more interest in point-to-point encryption, Jerabek says. Point-to-point encryption secures all the sensitive data from the swipe at the payment terminal all the way through the process and, he stresses, should be done before or concurrent with any move to EMV. “The EMV liability shift is looming and the gateway partners need to have point-to-point encryption solutions that are EMV ready,” he adds.
The vast majority of EMV-ready solutions include point-to-point encryption, says Brian Hendrix, product manager at Sequoia Retail Systems. But campuses will want to make sure to ask the question. “EMV is about authenticating the person at the terminal, it has nothing to do with preventing a Target-like breach,” he says. To guard against this, he adds, point-to-point encryption is key.
Many campuses that have upgraded payment terminals in the past couple of years already have the hardware for EMV, Jerabek says. It’s a matter of making sure the gateway is prepared as well as making sure the software is capable of handling EMV transactions. “The software used on the point-of-sale side might have to be upgraded,” Jerabek explains. “The software versions can range on campus, some stay up to date but some don’t.”
Campuses can also be tricky in that the same terminals that accept payment cards are also used to run transactions for the campus ID, says Hendrix. Campuses need to take steps to make sure the new systems can handle both types of transactions. “We’ve seen campuses put new terminals in place and all of a sudden they can’t use their student cards,” he says.
Universities need to work with the payment gateways to make sure those campus card transactions aren’t also processed by them. Gateways charge on a per transaction basis and costs will add up if campus ID purchases are counted, says John Diaz, vice president of business development at Sequoia Retail Systems. “You want to dig into the details of how you get that card number,” he explains. “You don’t want it leaving the campus.”
The mag stripe swipe won’t go away immediately, but it will be supplemented and then eventually replaced with EMV. EMV transactions require consumers to leave their card in the terminal until the transaction is complete. “The cashiers have to understand that they’re not just dipping the card in the reader, but rather leaving it in there the entire time,” Hendrix explains.
An unfortunate byproduct of this new workflow is that many cards are likely to be left behind in the readers. “Lost cards go up by an order of magnitude,” Hendrix explains. He cautions that some retailers have reported having drawers of left-behind payment cards, but this seems a small price to pay to curb the counterfeiting of cards and reduce at least one major area of payment fraud.