Can states afford to wait on chip and PIN cards?
- By Mukesh Patel
- May 26, 2015
Weary of being on the hook for fraudulent transactions, Europay, Mastercard and Visa coordinated their efforts a decade ago to create a microprocessor that could be embedded in credit cards. When a chip-carrying, or EMV, card is inserted into a point-of-sale terminal, it generates a unique token for each transaction, reducing the likelihood of fraud.
In 2012, credit card companies started pressing for a move away from magnetic stripe credit cards to EMV cards. Fast becoming the global standard, chip cards are less vulnerable to counterfeiting than magnetic stripe cards and have been used in Europe, Canada and Australia for several years. The Target, J.P. Morgan, Home Depot and other high-profile breaches in 2013 and 2014 gave the credit card companies the platform they needed to push for EMV cards in the United States.
The federal government responded in October 2014 when President Obama issued an executive order requiring federal agencies to move to the more secure PIN and chip cards, but individual states follow their own policies.
Nevertheless, for virtually all entities that accept credit cards -- including government agencies -- Oct. 15, 2015, is a key deadline in the migration to EMV. It marks the “liability shift” date, when the responsibility for a fraudulent shifts from the credit card issuer to merchants if they haven’t upgraded their payment terminals to properly accept chip-based cards.
As news about the pending liability shift has filtered out, it has been accompanied by some misinformation. Some state and local agencies were led to believe, for example, that migration to EMV card readers is mandatory by Oct. 15. This is not the case. While EMV is becoming the global standard, magnetic stripe cards are not being eliminated. Nor will existing magnetic stripe readers cease to function on Oct. 15.
But before state and local agencies rush to accept chip cards, they need to understand what the liability shift really means for them -- and then evaluate the benefit of replacing existing card readers against the related cost.
Agencies must consider carefully before they decide to immediately replace their existing credit card terminals with models that accept chip cards. Basic EMV-capable terminals that accept chip cards and complete the transaction using the customer’s signature cost between $200 and $300 each. Models that accept EMV cards and complete the transaction by allowing the customer to enter a PIN number can start at $400 each.
A complete replacement of existing terminals prior to Oct. 15, therefore, is beyond some agencies’ budgets. Because government agencies generally experience far fewer fraudulent counterfeit transactions than retail stores do, it may be more cost-effective to simply keep existing terminals and accept the liability for a few chargebacks until EMV usage becomes more standard and widespread.
Whether agencies decide to purchase new equipment now or later, planning ahead is imperative. EMV conversion is more complex than simply unplugging a current card reader and replacing it with a new one. Back-end code must be written, and EMV requires a certification process that currently can take six to 12 months. Government agencies should double check potentially inaccurate information, weigh their costs and options carefully and take their time in deciding how to proceed.
Mukesh Patel is president of NIC Services LLC.