Not Being EMV Compliant is Like Not Being Ready for Y2K

Photo credit: Anthony Quintano (https://www.flickr.com/photos/quintanomedia/)

Flashback to 1999

On the eve of the new millennium, billions of people around the world anxiously awaited the collapse of our technological infrastructures. The problem was called the Y2K bug and it threatened to cause nuclear meltdowns, bring aircrafts crashing down to Earth, and essentially turn our tech-dependent world to a halt. And it was all caused by the natural human instinct to speed things up.

When early programmers decided to cut the first two digits in the way the computer read “years” off dates, it was meant to make the process more efficient. If the date was August 4, 1995, we could just type in 8/4/95 and the computer would “understand.”

However, it was a flawed system. If the issue was not resolved before the new millennium approached, the computers were predicted to transition from 12/31/99 to 1/1/00 or December 31, 1999 to January 1, 1900. It wouldn’t be time traveling; it would be a system error. Luckily for us, the Y2K bug caused a few hiccups here and there, but overall, it didn’t send humanity back to the stone age.

Payment Shortcuts and Shortsightedness

That wasn’t the first time people were caught for taking short cuts… and it surely won’t be the last. I want to talk about another critical shortcut that has caused billions of dollars of damages each year. I’m talking about the magnetic stripe on credit cards. When it was introduced, it changed payments instantly, but like the Y2K bug, the side effects took time to materialize. When it did, it became a global event.

Like computers, credit cards have come a long way since its inception. In the ’60s credit cards were minimalistic, all that was on it was the client’s basic information and the account number. To facilitate the transaction, the merchants would have to dial up the bank and exchange information verbally. It was a lengthy process.

There needed to be a solution, and there was. For years, we have been swiping the magnetic stripe on the credit card to conduct charges. All the card carrier’s information is right there on the stripe — the same type of stripe found on a conventional cassette tape. No need to call the bank. All the merchant has to do is swipe it and all the (sensitive) data is transferred. Transaction completed.

The magnetic stripe is simple. It is simple for the merchants, simple for the consumers, and simple for the fraudsters. The magnetic stripe is notoriously easy to replicate. Remember how simple it is to make bootleg cassette tapes? It’s not rocket science. If you have a piece of cardboard, a cassette tape, and some time on your hands, you can create your own fake credit card. And that’s what people did. These aren’t credit card hobbyists either; these are criminals and they are out to steal all your credit card information.

So the story goes. Credit card information became the prime target for fraud and the magnetic stripe was an open window to the data.

One of the first magnetic stripe credit card.

The Smart Card Solution

The technique for stealing credit card information is known as card skimming. In an instance as swift as a swipe, your credit card information can be in the hands of a criminal. What the criminal chooses to do with it then is up to them, and the card owner won’t even find out about it until they see their bank statement. The damage is done.

There are three parties that feel the pain of credit card fraud: the customers, the merchants, and the banks.

While the customers may feel victimized by the situation, it is the unsuspecting merchants that suffer more from the credit card fraud. The merchants lose their product, the profit, and have the cover the fine and fraudulent transaction, in addition to being flagged for the chargeback.

The incentive to find a more secure option is beneficial to everyone. So, when a new technology came along, you’d figure that all parties would happily climb aboard and integrate this more secure form of transaction.

It was called a smart card or EMV (named after the major credit card consortium at the time: Europay, MasterCard, Visa) chip, and this little microchip has existed for decades. Invented by a French inventor named Roland Moreno, the EMV chip was able to communicate with computers, and thus encrypt data. Simply put, each purchase would be unique — protected by a code that is almost impossible to replicate.

In the ’70s as the increase in fraud in France grew, the credit card companies, who were hesitant to adopt the technology, finally gave in and integrated the microchip into credit cards. Slowly the migration of fraud and the smart card made it’s way to all major markets. With the increase in fraud, came the salvation of the smart card. In essence, the Y2K bug was fixed.

However, unlike the Y2K bug, the issue didn’t resolve itself with the changing of a calendar, not in the United States, at least. The adoption of the EMV chip was slow. The banks were hesitant to switch the structure, the merchants were hesitant to buy new POS terminals, and the customers weren’t all that excited about taking an extra minute or so to enter their PIN. When all sides needed to agree at the same time for an initiative of such magnitude to happen, nothing did…

Until now! Metaphorically, December 31, 1999 has come and gone for merchants. They are still susceptible to a Y2K-bug-sized problem that could have their business shut down overnight.

The Slow Change for Merchants

In October 2015, the liability shifted from banks to merchants and credit card issuers. If fraud should take place, and the merchant is not using a chip-enabled reader or the customers were not issued an EMV card, the merchants and the card issuers will have to take the financial burden of the fraud.

Banks are now shipping chip-enabled credit cards out to consumers with a penetration of 60%. However, only 20% of POS terminals are capable of processing this new secure cards. The ball is now in the merchant’s court. Get set up for an EMV card reader.

If they don’t invest in the new technology, two things are bound to happen:

1) The customer’s issuing bank will not allow them to process the card with the old magnetic swipe method.

This is a frustrating experience for customers. Imagine you are in a taxi heading to the airport to catch a flight. You arrive at the terminal and want to pay for the fare with your credit card. Unfortunately, the cab is not equipped with the latest card reader. You can swipe all you want, but if the credit card company is not going to process it, you’re screwed. Let’s hope you are lucky to be carrying some cash with you, or you’re probably going to miss that flight. Trust me, it’s no fun missing a flight because old technology. Just earlier this month this situation happened to me and it sucked.

2) The merchants will be liable to any funds charged back to them.

If you are Target or Home Depot, you will be able to survive the impact of credit card fraud. But if you are a small company, simple credit card frauds can be difficult to recover from.

Let’s put this into perspective. You run a small business selling novelty t-shirts. You don’t have an EMV card reader, so you accept all credit card payments with the magnetic swipe. One day, an inconspicuous shopper enters, makes a purchase; they swipe your terminal with their skimming card and steals your customer’s information. He goes on to copy the credit card information and heads off to the mall. In the end, he accumulated $100,000 in fraudulent charges. Guess who’s going to have to pay to replace that money? Guess who’s going to have pay for the fines and fees? Hint: Not the criminal.

It would be a shame if a careless shortcut like the Y2K bug led to the end of your organization. The magnetic stripe is a similar shortcut and it threatens to do the same. Don’t allow it.

Small business merchants can no longer cut corners — not with security and customer service at stake. At Control, we know that as technology advances to defend against fraud, the only real defense is awareness and diligence set forth by the merchants of small businesses themselves. The credit card companies are not going to protect you. The banks are not going to protect you. The customers are not going to protect you. The success of your business depends on your own actions.