A Non-EMV Compliant Self Service Kiosks
Back in 2015, EMV announced a deadline for organizations and merchant to comply with their standards or they will face a shift liability for card fraud.
EMV stands for Europay, MasterCard, and Visa. These are the entities that dominate the financial card sector. EMV is a regulated payment method that is based on a smart card technical payment standard. EMV extends payment, security and business services. An example of extended secure payment service can be the state where a transaction is being signed by a cryptogram generated by the smart card which makes it difficult for malicious actors to break the associated security mechanism.
EMV is mainly associated with contact and contactless chip cards. These are the cards that must be inserted in the reader or brought in proximity to it (using RFID technology) when a consumer is checking out an order. EMV also provides a high security authentication mechanism for EMV compliant payments.
EVM reduces the damages that can result from counterfeit, lost or stolen cards. For example, in a case of contact or contactless cards, through the unique codes that are given to every transaction using, EMV technology reduces the extremity of contact and contactless card skimming.
Since that time (October 2015), EMV has urged all entities that process card payments to comply with its standards. As a result, we notice that there is a big number of kiosk deployers that is not EMV compliant.
Self-service kiosk deployers are being slow to adopt EMV-compliant technology due to the long process, the complexity of the required EMV upgrade and the high costs that are associated with the process, and lack of incentives. For you to upgrade the kiosk, you have to upgrade all the components of the kiosk. These components include the payment terminal, the processing software, and transaction infrastructure (such as storage) must also be upgraded.
In addition, Visa has issued new contactless requirements for its card payment. The new requirements provide high security of the payment data. From a high security perspective, the requirements highlight that the data on the card should be encrypted with 128 bit Triple DES encryption; and the data cannot be read by EPC readers.
Moreover, the requirements mention that it is a mandatory to have a new input data for every transaction. This will enforce data’s high security during transmission. In the event that data is intercepted during transmission, the stolen data cannot be used again in a new transaction or to generate a counterfeited card.
Furthermore, the requirements provide additional layers of security that supports zero liability and fraud detection systems.
There are several risk factors when a company is non-EMV compliant.
First of all, the company faces EMV liability shift and chargebacks. The liability shift is the transfer of liability for fraudulent credit and debit card transactions from issuers to merchants. This liability doesn’t take place when the merchants have migrated to EMV compliant technologies. In addition, if a consumer uses an EMV-compliant card with your non-compliant terminal, the consumer can dispute you as the merchant for being non-EMV compliant. He can also dispute the charge in legal ways. As a result, this will negatively impact the reputation of your organization, have you lose the consumer, and entitle you to expensive chargeback liabilities.
Second, an organization runs the risk of exposing confidential information about its customers when attacked by hackers or bad actors. EMV compliant technology implements sophisticated encryption techniques that ensures high security of customer’s data in case of a data breach. EMV will preserve the confidentiality of information during an attack.
Furthermore, in case of a data breach, the organization needs to take few actions. The organization needs to disclose the breach and announce new high security mechanisms that will safeguard customer’s confidential information. It should also take extra measures to prevent such a breach to happen in the future.
The organization may need to pay regulatory fines for that breach. It may need to hire a public relation manager to enhance its reputation, pay legal fees and investigate the breach. This will be additional expense to the organization that may not afford.
Third, the organization can face the risk of fraud threats when it uses non-EMV compliant technology. Cyber criminals can re-use data transactions or make a counterfeit card that can generate fraudulent transactions. This will enable the criminal to obtain funds from the organization in fraudulent manners. As a result, the organization will suffer a financial loss.
Fourth, the organization may be entitled to non-EMV non-compliance fees that come in form of penalties. These fees are different from the liability shift and chargebacks. The fees will be charged anytime you are found that you are using non-EMV compliant payment technology. It depends, on the country that you operate in, the name of the penalty or the fees may differ. In addition, the fee range also differs from country to another.
After mentioning the risks and consequences that an organization can face for being non-EMV compliant, we notice that there are some kiosk deployers insist to be non-EMV compliant.
It is a fact that there is lack of incentives for the kiosk deployers to become EMV compliant, but it is a cost effective decision to start planning the EMV compliant process now. You do not want to wait until you are a victim of a fraud threat to plan the move.
In an attempt to cut high costs, and evade the risks of being non-EMV compliant, some kiosk deployers partner with third parties (such as payment equipment manufactures) that offer EMV-compliant and certified solutions. These solutions can be easily integrated into their existing infrastructure. This will not only cut costs and reduce risks, but it will also save time and efforts.
The easiest way for a business to start its EMV-compliance process is to find a suitable technology partner that they can partner with, and select efficient and secure payment solutions from their offerings.
At Cardzgroup, there are different types of contact and contactless chip cards. The requirements of customers’ application determine the specifications of the card. We offer contact and contactless chip card solutions that are ISO certified. Our contact and contactless chip cards can come with enhanced e-purse security functions and date management features.