Named for the companies who developed the technology (Europay, MasterCard and Visa), the 2015 introduction of new chip embedded credit cards known as EMV are intended to add another level of security for card-present transactions. The so called smart cards add a second level of security to the traditional magnetic strip by embedding a chip in the card itself that stores and protects an individual’s payment data. The chip is intended to improve not only the security, but also the speed, of processing individual transactions.
While widely used in Europe and elsewhere in the world, the US has been slow to move to the new cards. However, the recent spate of breaches at retail stores and government agencies has added a greater sense of urgency around adoption of this new technology. An additional driver toward the new technology is a shift in liability that officially took place as of October 1, 2015 that holds the entity (in this case the merchant or card issuer) least EMV compliant responsible for fees resulting from fraudulent transactions. This shift in liability to the party who is the least secure is intended to remove some of the burden of covering losses resulting from fraud for credit card companies and the merchants who accepted the payment. For example, banks which issue non-compliant credit cards would be penalized if a fraudulent card is processed by a business on an EMV terminal. Conversely, a merchant would be responsible for losses if a transaction in which one of these new smart cards was processed through a non-EMV terminal proved to be fraudulent.
For colleges and universities who still process a large number of card-present transactions, the most significant benefit of EMV would be a decrease in fraud. That said, it is highly likely that fraudsters will shift their focus to card-not-present transactions - think mobile and online payments - only reinforcing the need for strict PCI compliance. As Kevin Xu lays out the value proposition in his article from September 11, 2015 entitled Universities Are Anxious About EMV… but Should They Be?1 “Reducing fraud at the point of sale is a good thing, but the question is how, or in this case, when, to implement mitigation strategies. Campuses must carefully consider their hardware choices in the context of their needs and budget, and must plan for the ripple effect of the adoption of this new technology. They must also proceed with their initiatives aimed at PCI compliance, which will become even more important in the new EMV-oriented environment.“
The Cost of EMV Compliance
As with any new payment method there are a number of hurtles to be overcome. There is the cost of terminals2 - anywhere from $500 to $1000 according to the Aite Group4. There is also training and required certification for each terminal by EMVCo2 which based on the size of the school, and the complexity and customization of the installation, which could take a couple of weeks and cost a few hundred dollars, or up to eight months and cost thousands of dollars.
It is expected that an estimated4 900 million EMV cards will be issued by the end of 2016.
And, with the shift in liability already in place, colleges and universities who are not yet EMV compliant need to look at mitigation strategies3. Xu suggests that colleges and universities ask themselves the following questions:
- Their student population—What are their students’ needs? Are they traditional or non-traditional students? How many come to the business office to make payments compared to making payments online? Do they use smartphones? Would they expect to be able to check out using contactless payment options like ApplePay?
- Their fraud rates for card present transactions—How often does the campus business office experience card-present fraud? What is the dollar amount for this type of fraud over the course of the past year?
- Their budgets—In how many places does the campus process card-present transactions? How much volume do each of these places process? Does each of these locations require a new EMV-capable device? How many EMV-capable devices would be necessary? What is the budget for hardware upgrades?
In addition to risk associated with credit cards, schools must also protect student information such as addresses and social security numbers. Maintaining the needed level of internal security comes with its own rules and regulations that must be met to be compliant. These efforts are also costly. So, while decreasing risk by implementing an EMV system makes sense in the long term, consider this: along with the shift in liabilities leaving non-EMV schools vulnerable to credit card fraud they also face increased demand by students to support an even wider variety of competing payments methods such as Apple Pay, Google Pay and PayPal. All of which may require new hardware and software. Campuses may be facing some hard choices in the near term in order to offer payment choices, maintain security, remain compliant and stay within ever tightening budgets.
To learn more about payment acceptance and PCI DSS compliance, read our free eBook:
- Universities Are Anxious About EMV… but Should They Be? September 11, 2015 by Kevin Xu
- Seventy Percent of U.S. Credit Cards to be EMV Enabled by the End of 2015 http://aitegroup.com/seventy-percent-us-credit-cards-be-emv-enabled-end-2015
- Universities Are Anxious About EMV… but Should They Be?
- Are Chip-and-PIN Cards Worth It? Cost Benefit Analysis of EMV Compliance
“Tuition Management Systems (TMS) is the sponsor of this post. The sources who contributed ideas to this post do not endorse or recommend any commercial products or services, including those of TMS. All information and opinions of the contributors are provided for informational purposes only. TMS neither endorses, has any responsibility for, nor exercises control over the views of any contributor to this article or the accuracy of the information provided by any of them.”