Webinar Q & A EMV: Preparing for the October Shift
Transcription
Webinar Q & A EMV: Preparing for the October Shift
April 2015 Webinar Q & A EMV: Preparing for the October Shift Q: Are the upgrade to the POS ready to be installed? A: No, Mercury is in the process of completing EMV certifications for the initial EMV solutions that we plan to take to market. As they become available we will be working with developers and dealers to complete the necessary integrations. Q: Do you have a list of POS that are compatible? A: As we bring EMV solutions to market and ISVs complete their certifications, we will be able to provide a list of POS systems that are EMV enabled/certified. Q: Will EMV have any effect on credit card pre-authorization procedure? A: Yes, the transaction flow of pre-authorization followed by a completion, for example restaurant addition of tip, will not work in its current form with EMV. The reason for this is that the amount of the authorization must be known at the time the EMV transaction is conducted, because the authorization amount is one of the data elements used to generate the transaction cryptogram. We are exploring ways to create a similar transaction experience, by completing a sale transaction followed by an adjustment, to add things like tips. Q: What about offsite transactions that we process with an iPad® and card reader A: You would want to speak to the solution provider of your tablet processing solution to see what its plans are for supporting EMV, including what new hardware you might need to process EMV transactions with that solution. Q: Do Discover® and Amex® cards work with the new EMV card readers? A: Yes, Visa®, MasterCard®, American Express®, and Discover® will all be issuing EMV cards. EMV is not limited to Visa and MasterCard issuers. Q: What happens if the system shuts down the internet? Can we still use the old knuckle-buster and then put them in manually? Or do we just stop taking credit cards? A: If your POS loses connectivity you can still run voice authorizations, and depending on the solution being used, process in stand in mode. Those transactions would be non-EMV, so the merchant may be liable for any fraudulent transactions that were ran. Q: Can I keep taking credit card numbers over the phone? A: Yes, EMV does not prevent you from taking orders over the phone, but those transactions would not be ran as EMV. Q: Full service restaurant environments will have wireless credit card devices. Is this a full pin pad & signature pad? How does that integrate with the EMV system? A: Some restaurant POS systems will leverage pay at the table solutions to support EMV. There are several devices coming to market that work for such solutions. Mercury as well as our restaurant POS system partners will work to take a select number of these devices through the EMV certification process. www.mercurypay.com | 800.846.4472 Q: I am an owner of a quick service restaurant. Did I understand correctly that I will need to obtain the EMV card before the transaction starts as opposed to the current method of swiping the card at the end of the transaction? A: That is correct. If you choose to implement EMV, and an EMV card is presented for payment, it is no longer swiped, but rather inserted into the terminal. The card must remain in the device as the transaction processes. The cardholder pay be prompted for things like tender type selection and amount confirmation, and the card must remain inserted in the device for the duration of that transaction. Q: Does this affect the debit cards that we take? A: Yes, over time both credit and debit cards will be issued with EMV chips. Q: A customer comes into our store - we take a 50% down payment and then when the install is complete we put the balance on the card. With EMV are we still able to access the card info to put the balance through without the card in the store? A: That is possible, but if the card is not present than it is not an EMV transaction. EMV currently only impacts card present transactions. Q: How does this impact card not present transactions? What about mobile transactions and internet sales? A: EMV is currently only impacting card present transactions, those where the physical card is present and inserted into the EMV device. Q: Do the chip (EMV) cards have a magstripe, and are they capable of either type of processing (kryptogram vs. reg)? A: Yes, EMV cards will be issued with both the chip as well as magnetic stripe. If merchants are not setup yet to process EMV, they will be able to swipe the card as they do today. Q: So no more just swipe the card? If we leave the card in the terminal till it is approved, how long will this take? A: EMV transactions tend to take a bit longer to process, mainly due to the amount of information being exchanged as part of the transaction, as well as the added level of data authentication. The impacts can also be felt more in certain POS environments where cardholders are not accustomed to interacting with a customer facing terminal or pin pad. Q: How will EMV add security and fraud protection to online transactions? As a brick and mortar store we desire to go online, but hesitate due to online fraud. A: EMV is for card present at this time. It does not address ecommerce transactions. In other geographies where EMV has been implemented, we have seen a shift of fraud from card present to card not present. Q: Where transaction speed is important (e.g. remote cashiering), do you see EMV slowing down the transaction? A: EMV will impact the transaction processing speed, based on a number of factors including they type of card being used, how the terminal has been configured, and if the cardholder and cashier are well versed in conducting EMV transactions. Q: How soon will EMV equipment become available? What updates are needed with my POS system to accept EMV cards? A: Mercury is working to bring a number of solutions to market prior to the liability shift. We will need to work with our developer and dealer partners to bring these solutions to market. It is likely that you might need a hardware and/or software update to your system to process EMV transactions. The specific details of updates needed would be addressed by your POS solution provider. Q: Do EMV transactions have different fee schedule? A: EMV currently does not have any impact on interchange qualification. Q: What is PCI-DSS scope and E2E? A: PCI-DSS stands for Payment Card Industry – Data Security Standards, and deals with how you handle the sensitive customer data, including card data, that you may be exposed to by processing payment transactions. The scope relates to where that data resides in your systems, and if/how you store and secure it. E2E is end to end encryption, which is a data security solution that encrypts card data at the time of entry. www.mercurypay.com | 800.846.4472 Q: Will EMV and magstripe process the same way? A: Yes, in the sense that you should be able to process them from the same POS device. No, in the way the data flows as part of the transaction. Magstripe transactions are a simple one way communication of data, including card number, off the magstripe. EMV transactions read data off the chip on the card, as well as generate dynamic data for each transaction, that is sent to the card issuer for validation and authentication. Q: What is the exact liability taking on vs. current PCI compliant? A: The liability shift as it relates to EMV is for counterfeit, and in some cases, lost and stolen, card fraud. Just because you process EMV transactions does not make you PCI compliant. PCI deals with how you transmit, store, and secure any card data, including EMV data. Q: You stated MOST cards will still be issued with magnetic strips. If no magnetic strip is issued on the card, does this mean I can only use this card in an EMV transaction or will I still be able to manually enter numbers? A: Manual entry would still be an option, but non-magstripe cards are very rare, usually limited to foreign cardholders. Q: Are there any provisions for doing recurring payments against a card that was originally presented as an EMV transaction (with recognition of subsequent transactions as being EMV authorized)? A: Recurring payments would not be impacted by EMV, nor would they be considered EMV transactions. Q: What is the cost for the EMV card readers? We have 3 retails and we use the traditional credit card machine. Is it any cost to change to this new EMV cards? A: Several hardware manufactures produce devices with EMV card readers. A hardware or software update may be required to our current device in order to start processing EMV chip on chip transactions. Q: Once you manually enter a card, does the liability then shift? A: Typically a merchant would be liable for a fraudulent transaction on a manually entered card. There may be some scenarios where the chip on the card is not working and the merchant has to fall back to magstripe or manual entry, in which case the liability may shift back to the issuer. Q: For cards running manually and cards run via EMV, will they both settle together in a batch at the end of the day? Or will they be somehow separate in the way they settle? A: EMV would not impact batch settlement. You would not have a separate settlement batch for EMV transactions. Q: How does EMV fit into the End to End Encryption security? A: A standard EMV implementation does not encrypt card data, meaning clear card data could still be passed as part of the EMV transaction. Mercury is working to bring solutions to market that encrypt the card data coming from the chip on EMV cards. Q: One of the challenges in Canada has been European chip cards. With the U.S. moving to EMV, will we see any improvement in Canada with European card acceptance? A: One of the goals of EMV is to create a greater interoperability at the point of sale, so that over time we should see a reduction of issues with foreign cards. The network and acquirer test cases continue to evolve to address issues as they are identified. Q: Will chip and pin be supported in the U.S. or is it just chip? A: It will be up to the card issuers to decide if they want to issue chip+PIN or chip+signature cards. Initial indications show a majority of credit cards will be chip+signature, while debit cards will be chip+PIN preferring. Q: How long does it take for a POS provider to obtain verification/enablement of their EMV solution? A: This will vary based on how they choose to implement EMV. Direct certifications can take many months to complete, due to the technical complexity and level of testing required with EMV. Other approaches, like semi-integrated solutions, should reduce the time to market for POS providers. Q: Should average ticket amount factor into the decision to switch to EMV? A: It should be looked at, as well as if your business runs a lot of large tickets. www.mercurypay.com | 800.846.4472 Q: With fraud and EMV, why would that be less? Will there be a PIN number like your ATM card? A: Some EMV cards will be issued with a PIN as a card verification method. This is often referred to as chip+PIN. Others will not require a PIN. Either option helps combat against counterfeit card fraud, because the chip on the card itself is what is impossible to counterfeit. Q: If customers are managing their own payment, what is to prevent them from using the stripe instead of the chip especially if the chip is slower! A: Many POS systems will have logic built into them to prompt the cardholder to insert their EMV cards. If they decide to swipe, there is actually a value on the track of the card that will notify the POS that the card is an EMV card, at which time the POS could prompt the cardholder again to insert instead of swipe. Q: Did you say EMV cards are not embossed? If so, no more imprinting cards if they can’t be read? No voice auth? A: Most cards issued today are still embossed, but we have seen a few cards with just a printed card number. Voice auth would still be an option for this card. Q: What does a declined EMV card look like? Is it similar refusal as with card present magstripe? A: Yes, it would be similar to a declined magstripe transaction. EMV cards will also have additional denial codes for errors around cryptogram authentication. Q: Is EMV a chip and pin or chip and signature program? Will we be required to add external pin pads to our POS terminals to accommodate chip and pin? A: It will be up to card issuers to choose if their cards will be chip+PIN or chip+signature. If you want to have the highest level of operability you would want to have an EMV device that supports all card verification methods. Q: Is there an increased liability for the merchant if EMV is not in place after Oct. 25 A: The date of the liability shift is going to be October 1, 2015. After that date liability for counterfeit, and in some cases lost and stolen, card fraud would shift from the card issuer to the merchant if the card used to commit the fraud was an EMV card, and the merchant is not able to process EMV. Today issuers are typically liable for counterfeit and lost and stolen card fraud. Q: Will processors be doing any public education on this shift and the different way that they will need to do a transaction at retailers? A: Yes, the payments community including processors, issuers, card brands, and solution providers will all need to play a role in educating merchants as well as cardholders about EMV. Q: We are a business where speed of service is critical. How will EMV affect speed of service? A: In other markets we have seen an impact to transaction speed due to several factors including card used, terminal configuration and capabilities as well as cashier and cardholder experience with EMV. Q: Are there any liability exceptions for unreadable EMV chips? Should customers with damaged EMV chips be turned away? A: There is the ability to fall back to magstripe or manual entry if there is a technical issue with the chip on the card. In the event of fallback due to technical issues the liability for that transaction could shift back to the issuer. Q: As a merchant, will we know if the card is an EMV card? A: Merchants would be able to identify an EMV card by the small chip that is present and visible on the front of the card. Additionally, there is a code on the magnetic stripe of an EMV card that identifies it as an EMV card if swiped. Q: How do I determine if my credit card reader is EMV ready? It was just installed late in the summer of 2014 by Mercury. I also have portable readers we use for events and telephone orders. Will they have to be upgraded? A: For specific questions about your current hardware please contact our support team, who can walk through if the device is EMV ready. Q: Who do we contact to check compatibility with EMV terminals that need to be purchased (VeriFone VX820 ? or VeriFone MX915 ?) and POS software Microsoft Dynamics 2009? A: The Mercury support team as well as your POS system service provider should be able to address your specific question. www.mercurypay.com | 800.846.4472 Q: If you are EMV compliant, and the card is used by someone other than the owner, who is liable for the fraudulent sale, the store owner or the credit card company? A: If a merchant is able to process EMV chip on chip transactions and the card is lost or stolen, the liability should shift back to the issuer of that credit card. Q: The 10/1/17 liability shift date. Is that for all fuel vendors? A: Yes, it is for pay at the pump transactions. Q: Is the liability shift 100% set for Oct. 2015 for traditional retailers? I have heard that may be pushed back. A: We are not aware of any plans by the networks to move the liability shift out. If the dates do change Mercury will provide that communication. Q: Just to reiterate, there will be no fines or discontinuation of service if we are not EMV certified by October 1st. Is that correct? A: That is correct. Q: Do I have any liability beyond the purchase price that is charged back on the card? A: No, the liability is on a per transaction basis for fraudulent transactions. Q: If you are EMV compliant, and a chargeback comes in regarding that transaction, who is responsible? A: It depends on the type of chargeback. EMV only impacts chargebacks originating from a counterfeit card, and in some cases lost and stolen, fraudulent transactions Q: Does EMV actually charge the card or would you still swipe through POS? A: EMV actually charges the card. The card number is stored on the chip on the card. Instead of swiping, the cardholder inserts the EMV card. LEARN MORE www.mercurypay.com | 800.846.4472