Author: Todd Becker, PCI QSA, ISO 27001 Auditor
‘Chip and PIN’, or EMV (“Europay, MasterCard, Visa”), is an open-standard set of specifications for smart card payments and acceptance devices and is a popular topic these days with HALOCK’s PCI clients. EMV is not a PCI requirement. However, there is a ‘liability shift’ in October 2015 that impacts brick and mortar merchants that accept credit cards (i.e. all of them). With this in mind, it is important to understand that EMV and PCI are complementary in their relationship, rather than being interwoven. We will explain below.
The PCI DSS (“Payment Card Industry Data Security Standard”) is a cardholder data protection standard, directed at protecting cardholder data processed, stored, or transmitted by a merchant. As mentioned above, EMV is an open-standard set of specifications for smart card payments and acceptance devices. Essentially, EMV is an anti-fraud technology within the credit card itself, responsible, along with a compliant card reader, for authenticating the physical card in card-present transactions.
The liability shift is a contractual incentive, independently defined by each card brand, which transfers liability for fraudulent transaction loss (and in MasterCard’s case, account data compromise penalties) to merchants that do not accept EMV-capable credit cards. Without EMV processing, as defined by the card brands, merchants will experience increased liability for fraudulent transactions beginning in October 2015. An approved EMV implementation will not only allow a merchant to avoid the shift in fraudulent transaction liability, but may also allow for reduced account data compromise penalties (for MasterCard).
A lesser known condition of the EMV plans for MasterCard, Visa, and American Express is PCI Audit relief that became effective in 2012 and 2013. For each of these card brands, if more than 75% of merchant transactions for the given brand originate from EMV-compliant devices, the merchant may apply for relief from the audit requirements for PCI compliance (though the merchant must still maintain PCI compliance).
It is important to note that simply implementing EMV-compliant card reading devices may not meet the requirements of the card brands. Some card brand measures require a percentage of transactions to be made with EMV-enabled credit cards; therefore issuing banks and consumers must also participate for merchants to receive reduced liability.
Each card brand has established its own timeline. The announcements and highlights from each brand can be found below (Source: EMV Connection FAQ):
In August 2011, Visa announced plans to accelerate EMV chip migration and adoption of mobile payments in the United States through retailer incentives, processing infrastructure acceptance requirements, and shifting counterfeit card liability.
- October 1, 2012 – PCI Audit Relief: If more than 75 percent of Visa transactions for a given merchant originate from EMV-compliant POS terminals that support both contact and contactless transactions, the merchant may apply for relief from the audit requirement for PCI compliance (but is still mandated to be PCI compliant).
- April 1, 2013 – Acquirer Compliance. Acquirers and sub-processors must be enabled to handle full EMV chip data in transactions.
- October 1, 2015 – Counterfeit Card Liability Shift. The party that has made the investment in EMV deployment is protected from financial liability for card-present counterfeit fraud losses as of October 1, 2015. If neither or both parties are EMV compliant, the fraud liability remains the same as it is today. This date excludes automated fuel dispensers.
- October 1, 2017 – Counterfeit Card Liability Shift, Automated Fuel Dispensers. This extends the card-present counterfeit card liability shift to transactions at automated fuel dispensers.
In January 2012, MasterCard announced their U.S. roadmap to enable the next generation of electronic payments, with EMV as the foundational technology.
- October, 2012 – PCI Audit Relief: If more than 75 percent of MasterCard transactions for a given merchant originate from EMV-compliant POS terminals that support both contact and contactless transactions, the merchant is relieved of the audit requirement for PCI compliance (but is still mandated to be PCI compliant).
- April, 2013 – Acquirer Compliance. Acquirers and sub-processors must be enabled to handle full EMV chip data in transactions.
- April, 2013 – Cross-Border ATM Liability Shift. At this milestone, MasterCard will extend its existing EMV liability shift program for inter-regional/cross-border Maestro ATM transactions taking place in the United States.
- October, 2013 – Account Data Compromise (ADC) Relief: MasterCard has announced ADC relief for merchants. On this date, if at least 75 percent of MasterCard transactions originate from EMV-compliant contact and contactless POS terminals, the merchant is relieved of 50 percent of account data compromise penalties.
- October, 2015 – Fraud Liability Shift. MasterCard’s liability hierarchy takes effect. The party that has made the investment in the most secure EMV options is protected from financial liability for card-present fraud losses for counterfeit, lost, stolen, and non-receipt fraud on this date.
- October, 2015 – Account Data Compromise Relief: On this date, if at least 95 percent of MasterCard transactions originate from EMV-compliant POS terminals, the merchant is relieved of 100 percent of account data compromise penalties.
- October, 2017 – Fraud Liability Shift, Automated Fuel Dispensers. MasterCard’s liability hierarchy takes effect for automated fuel dispensers.
In March 2012, Discover announced implementation of a 2013 mandate for acquirers and direct-connect merchants in the U.S., Canada, and Mexico, to support EMV.
- March 15, 2012 – Discover’s approach will support all card authentication channels (online and offline), all cardholder verification methods (including both chip and PIN or chip and signature transactions), and all commerce channels (contact and contactless, including mobile).
In June 2012, American Express announced its U.S. EMV roadmap to advance contact, contactless, and mobile payments and planned to begin issuing EMV-compliant cards in the U.S. in the latter half of 2012.
Within the U.S., the contactless credit and debit cards that are being issued already include some EMV security features.
- April, 2013 – Acquirer/Processor Compliance. Processors must be able to support American Express EMV chip-based contact, contactless, and mobile transactions.
- October, 2013 – PCI DSS Reporting Relief. Merchants will be eligible to receive relief from PCI Data Security Standard (DSS) reporting requirements if the merchants’ POS acceptance locations, where 75% of their transactions occur, are enabled to process American Express EMV chip-based contact and contactless transactions.
- October, 2015 – Fraud Liability Shift. American Express will institute a fraud liability shift policy that will transfer liability for certain types of fraudulent transactions away from the party that has the most secure form of EMV technology.
- October, 2017 – Fraud Liability Shift, Automated Fuel Dispensers. American Express fraud liability shift takes effect for transactions generated at automated fuel dispensers.
As you can see, EMV plays an important role regarding PCI compliance but is not specifically a PCI DSS requirement. It is, however, a critical component of the contractual relationship between merchants, acquirers/processors, and the card brands. The key aspects for merchants are the increase in liability if they do not support EMV and the opportunity for PCI compliance audit relief (the ‘stick’ and the ‘carrot’). Understanding EMV, and specifically the shift in liability, will increase the adoption of this anti-fraud technology in the United States.
If you have further questions regarding EMV and what it means to your organization, contact your QSA Company for more information.