The EMV migration has been slow to make its way to America, but it’s finally here. Last month, the shift in liability took place for merchants. Now, financial institutions have less than a year to bring their ATM networks into compliance. MasterCard has set an October 2016 deadline and Visa an October 2017 liability shift date. EMV compliance isn’t mandatory, but fraud liability will fall on whichever party in a transaction is least compliant.
There’s no reason your ATM network should have to shoulder the liability. Diebold has been offering EMV-capable card readers since the late ‘90s when we introduced them on our iX self-service terminals. Rolling out new technology is rarely so simple, however. There are a few crucial things you need to know about how EMV technology might affect your ATM network.
- EMV transactions are safer than magnetic stripe transactions, but the process could also require slight behavior changes for consumers.
It’s a professor’s worst nightmare: one student gains access to exam answers, then distributes them among the entire class. Now imagine that the savvy professor distributes the exam online … and runs an algorithm that changes the questions ever so slightly on each student’s screen. Suddenly it doesn’t matter if a student gained access to the exam answers, because every copy of the test is slightly different.
That’s the difference between cards with a magnetic stripe, and those with an EMV chip (“EMV” stands for EuroPay, Mastercard and Visa, the original developers of the technology). In a traditional magstripe transaction, the terminal receives the same static information every time you swipe your card. Skimmers take full advantage of that vulnerability: once their skimming device reads and stores the info from that stripe, they’re off and running to make copies … and purchases or withdrawals.
Transactions activated through the EMV chip, on the other hand, undergo “tokenization.” The transaction is encrypted in a one-time-use number that’s useless if copied. Rather than swiping their card, consumers “dip” their cards into a machine, or insert them into a motorized card reader. The chip connects to a processor to deliver the encrypted information. Every EMV transaction authorization request includes additional data that allows the issuer to verify that the card used is genuine and that the transaction data has not been modified. It’s a safer transaction, and when it’s conducted through Diebold’s ActivEdge card reader, all known skimming threats, as well as fishing and trapping, are eliminated.
During a chip transaction, the card must remain in the card reader for the duration of the transaction. Consumers who are used to swiping their card will need to be educated on the new process – although the transaction experience has been easily adopted by dip card readers across the globe. For motorized card readers (which pull the card entirely into the machine), EMV transactions does not change the user experience.
- FIs should start planning for EMV enablement 12-18 months ahead of the liability shift deadline.
When major updates for ADA compliance were issued back in 2012, many FIs waited until the last minute to upgrade and comply. Manufacturers were flooded with last-minute requests. To avoid the bottleneck, make sure EMV compliance is a priority on your roadmap today. The ATM liability shift starts in October 2016 – less than a year from now. A thorough upgrade to your ATM network could take more than a year.
There are four main components to implementation:
- New cards will need to be issued with the microprocessor chip technology. This is the responsibility of the card issuer.
- The ATM card reader must be EMV capable. As I noted earlier, Diebold has been offering EMV enabled ATM card readers for nearly 20 years.
- A software EMV kernel needs to be implemented. The Diebold EMV kernel supports all major payment networks including the US Common Debit AID (Application Identifier).
- ATM processing entities must be configured to accept the EMV transactions.
Have you asked yourself whether your card readers are “smart card” capable? Which EMV software package is applicable? Do you understand the network implications of “turning on” the EMV component of your card readers? Do your card readers need to be activated manually, or can it be done remotely?
Although every ATM EMV migration will have different factors, these are all questions your team should be considering from the outset. If you’re just getting started, the first step is to find out whether your card readers are EMV compliant. You can search the EMVCo list here. If your organization is swamped with compliance and regulatory challenges, Diebold’s Managed Services team can manage your entire network, to make sure that when compliance dates arrive, your self-service terminals are upgraded and ready.
- Magnetic stripes are still a concern during the anticipated multi-year transition period.
EMV is coming, but that doesn’t exactly mean the familiar magnetic stripes on the backs of our cards are going. Some guests will be slow to arrive at the party – and until EMV compliance reaches its tipping point, retailers, FIs and card issuers will need to cater to their entire consumer base.
The continued presence of magnetic stripes means skimmers continue to have plenty of opportunities to steal card data. That static information is still embedded in the stripe – so even if consumers are dipping or inserting their card for some transactions, they may still be swiping their card for others – and leaving themselves vulnerable to fraudulent activities. FIs must remain diligent about security at the ATM and on their debit-card network, until the EMV transition is complete and magnetic stripes are a thing of the past. Of course, fraudsters are typically even more up-to-date on the latest technology than some FIs, which means they’re already preparing for an EMV-enabled world.
To prepare for EMV compliance now, use these best practices:
- Learn more about EMV. Don’t wait until it’s too late to raise your knowledge – and your team’s knowledge – on this subject. Our experts will host a webinar on December 2nd. Sign up to learn more.
- Evaluate your fleet from a hardware, software and network perspective.
- Calculate the necessary capital investments, as well as your FI’s ability to invest.
- Develop and prioritize an implementation plan.
- Don’t wait for your network state flow to be loaded. EMV card readers can be installed at any time, and used in a fallback magnetic stripe mode.
Find out more about EMV and how it will affect you; watch the EMV webinar now.