What Is EMV Compliance Law And Should Your Business Worry About It?

Key takeaways

  • Businesses should be EMV compliant to avoid being held responsible for credit card fraud.
  • EMV compliance requires businesses to use EMV card readers to process credit card transactions.
  • Your business could still face liability for fraud in some situations, even if it’s EMV compliant.

As with all forms of payment, businesses that accept credit cards face an inherent level of risk. Hackers and thieves make a career of figuring out ways to steal your customers’ credit card details so they can run up fraudulent charges for in-person or online purchases.

Fortunately, many credit cards come with zero fraud liability protection, meaning your customers won’t be on the hook for fraudulent charges posted to their accounts. Further protection afforded by the Fair Credit Billing Act (FCBA) ensures they’ll never be liable for more than $50 in fraudulent charges. But if your business doesn’t have an EMV-compliant point-of-sale system to accept chip credit cards, it could be a costly mistake.

EMV compliance: An overview

EMV cards are smart payment cards, also called chip cards or IC cards, that store data on integrated circuits rather than magnetic stripes, according to Mastercard. EMV stands for Europay, Mastercard and Visa, signifying the three major credit card providers.

Chip cards create dynamic data every time a consumer makes a transaction, making it nearly impossible for fraudsters to duplicate or clone a card. This adds security protection to everyday purchases. EMV cards can also store loyalty program information, allowing consumers to earn or redeem loyalty points at participating merchants.

A cautionary tale

Daniel Vasquez, owner of Miami-based Dynamic Auto Movers, says he learned a “hard lesson” after he continued using a MagTek magnetic stripe card reader that wasn’t EMV-compliant. “Many companies are still unaware that if they are not EMV-compliant, fraudulent transactions are directly blamed on them rather than the bank.”

The chargebacks cost the company around $15,000, said Vasquez. “On top of that, our processing fees shot up because of the non-compliance,” he adds. But after upgrading to an EMV-compliant system, everything improved.

“Our fraud rates decreased dramatically and clients felt safer doing business with us,” he says. “What is frequently missed [by businesses] is that EMV compliance does more than simply prevent fraud. It also develops trust and boosts your reputation, adding genuine long-term value to your organization.”

Chip card protections

Another layer of protection you can expect with most credit cards comes in the form of a chip, located on the left mid-side. Chip-enabled credit cards are also called EMV-enabled credit cards, due to the EMV technology used to create them. Chip cards can be either:

  • Chip-and-PIN cards, which require customers to enter their personal identification number (PIN) to complete a transaction.
  • Chip-and-signature cards, which use a signature instead of a PIN to verify the cardholder’s identity.

With both types of chip cards, the embedded chip holds your payment data and provides a unique code for every purchase made. The code generated is only good for that single transaction, and the codes are always changing. As a result, credit cards with chip technology are considerably more difficult to hack than their magnetic stripe counterparts. However, that extra protection means chip cards take a bit longer to process.
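To make the single-use code concrete, here is a simplified model added as an illustration; it is not code from the article or from the EMV specifications. It uses HMAC-SHA256 as a stand-in for the card's real code-generation algorithm, and the key, message layout and class names are assumptions.

```python
import hashlib
import hmac


def transaction_code(key: bytes, counter: int, amount_cents: int, nonce: bytes) -> bytes:
    """Stand-in for the chip's per-transaction code (HMAC here, an assumption)."""
    msg = counter.to_bytes(2, "big") + amount_cents.to_bytes(6, "big") + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class ChipCard:
    """Hypothetical card: the key never leaves the chip, only codes do."""
    def __init__(self, key: bytes):
        self._key, self._counter = key, 0

    def pay(self, amount_cents: int, nonce: bytes):
        self._counter += 1  # every purchase advances the counter
        return self._counter, transaction_code(self._key, self._counter, amount_cents, nonce)


class Issuer:
    """Hypothetical issuer check: recompute the code and refuse reused counters."""
    def __init__(self, key: bytes):
        self._key, self._last_counter = key, 0

    def authorize(self, counter: int, amount_cents: int, nonce: bytes, code: bytes) -> str:
        if counter <= self._last_counter:
            return "declined: counter already used"
        expected = transaction_code(self._key, counter, amount_cents, nonce)
        if not hmac.compare_digest(expected, code):
            return "declined: code does not match"
        self._last_counter = counter
        return "approved"


def demo() -> dict:
    key = bytes(range(16))  # constructed sample key
    card, issuer = ChipCard(key), Issuer(key)
    n1, n2 = b"\x01\x02\x03\x04", b"\x05\x06\x07\x08"  # terminal-chosen values
    c1, code1 = card.pay(2500, n1)
    results = {"first": issuer.authorize(c1, 2500, n1, code1)}
    # A captured code is submitted again as-is, then reused for a new purchase.
    results["replay"] = issuer.authorize(c1, 2500, n1, code1)
    results["reuse"] = issuer.authorize(c1 + 1, 9900, n2, code1)
    c2, code2 = card.pay(9900, n2)
    results["second"] = issuer.authorize(c2, 9900, n2, code2)
    results["codes_differ"] = code1 != code2
    return results
```

Calling `demo()` shows the genuine purchases approved and both attempts to reuse the first code declined.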

Before chip technology, credit cards used a magnetic stripe to store cardholder data. But where magnetic stripe credit cards can be “skimmed” by hackers and thieves, this type of theft is much less common — but not eliminated — with chip credit cards.

Thieves have adapted to chip cards via a technique called “shimming.” They use a reader called a shim that fits into a card reader slot at a retailer or ATM. Shims have a microchip and flash storage that capture and save your card information.

The information stolen from a shim contains the details required to authenticate and process future transactions. This allows thieves to create forged credit cards with magnetic stripes that now have your information. These fraudulent mag stripe cards don’t arouse suspicion, because chip cards also typically contain a magnetic stripe as backup.

While EMV technology is intended to cut down on consumer credit card fraud, it also helps businesses reduce chargebacks that result from fraudulent purchases.

How do customers use an EMV card to make a purchase?

Compared to swiping magnetic stripe cards, completing an in-person transaction with an EMV-enabled credit card requires a different process.

Specifically, both chip-and-PIN and chip-and-signature credit cards require shoppers to either dip their credit card in or tap it on the terminal, at which point the card is read and a unique token is created for the transaction. From there, cardholders either enter their PIN (for chip-and-PIN credit cards) or provide signatures (for chip-and-signature cards).

What is the EMV compliance standard?

Prior to Oct. 1, 2015, either the merchant or card issuer could be held liable for losses due to fraud. After this date, however, liability shifted to whichever party — the merchant or the card issuer — was the least compliant with EMV requirements.

In theory, this deadline should have been enough to motivate businesses to change their payment systems in order to reduce fraud and avoid financial losses. However, many businesses still have not upgraded their payment systems, though there is momentum in the right direction.

Nearly 14 billion chip cards were in global circulation in 2023, up seven percent compared to the year before, according to EMVCo, a partnership that specializes in payment specifications and security. It was founded in 1999 and is collectively owned by American Express, Discover, JCB, Mastercard, UnionPay and Visa.

EMVCo data also shows that more than 70 percent of globally issued cards were EMV-enabled, and almost 95 percent of card-present transactions used EMV chip technology.

EMV transaction times have been cut from seven to 10 seconds down to nearly instant, according to a 2020 report by Thales. A contactless transaction can be around 53 percent faster than a traditional magnetic stripe credit card transaction.

How does EMV compliance affect you as a business owner?

Businesses are not currently fined for failing to upgrade their payment systems. If you’re a business owner who hasn’t yet upgraded to EMV-compliant systems, you should do so — but you won’t be on the hook for government penalties if you don’t make the change.

While EMV compliance is more of an industry standard that serves as a guideline, rather than a government-mandated law, you could still face liability for fraud and chargeback situations if you aren’t compliant.

In order to minimize your risk of being held liable for credit card fraud, there are a few measures you’ll want to take, including:

  • Ensure you’re compliant with the EMV standard.
  • Make the switch to EMV-compliant card readers if you haven’t already done so.
  • Acquire POS systems that are EMV compatible.
  • Have mobile readers that accept chip cards.

Vendors such as Square offer EMV-compliant readers for small businesses that you can easily use at your point of sale.

When are you liable for non-compliant credit card transactions?

If you haven’t upgraded to an EMV-compliant card terminal, but you process EMV credit card transactions, you may be found liable if any fraud occurs. That’s because the card issuer is compliant but you aren’t, since you haven’t upgraded your card reader to be EMV-compliant.

Even if you have upgraded to an EMV-compliant card terminal, you may be liable for fraudulent transactions if you manually entered the customer’s card information rather than processing the card in the terminal.

When are you not liable?

If you process a magnetic stripe card on your EMV-compliant card terminal and the transaction turns out to be fraudulent, you likely won’t be held liable since you used an upgraded card reader.

Further, if you process an EMV credit card on your EMV-compliant system and the transaction turns out to be fraudulent, you shouldn’t be held responsible since you’re compliant with the EMV standard.

Consider partnering with an EMV-compliant payment processing company to eliminate liability and reduce stress. Potential companies include PayPal, Clover and Shopify.

How small businesses should adjust their practices

“It’s been 10 years since the EMV liability shift put the burden on small business merchants when it comes to accepting credit cards,” says Robert Livingstone, CEO of NoRate.com and IdealCost.com, which advises owners on how to protect themselves from unfair fees and fraud.

“There are many POS systems that have not been upgraded and will only swipe a credit card. Small business clients with that setup are setting themselves up for several problems,” said Livingstone. “They include a 1 percent or greater additional charge for non-EMV transactions and losing cardholder charge disputes for fraud and virtually any other reasons.”

Here’s what small business owners can do to stay compliant:

  • Keep copies of credit card receipts and relevant order documentation in case you have to make a case to a card issuer refuting a customer chargeback.
  • If a customer transaction doesn’t go through on your EMV-compliant card reader, don’t manually enter their card information.

For instance, in a case of “card not present” fraud, you could present the issuer with shipping information and delivery confirmation, as well as any records of your communication with the customer.

Scammers can target businesses that don’t have an upgraded POS system, says Livingstone. “They can target those businesses and ring up a bunch of charges knowing that they’ll likely never have to actually pay for any products or services.”

The bottom line

EMV-enabled credit cards are usable anywhere credit cards are accepted, but businesses should also know the U.S. is still behind other regions worldwide when it comes to EMV technology. In Europe, for example, most countries made the transition to EMV technology years ago, and chip and PIN cards are now the norm.

If you’re a business owner, be aware that while you can’t be legally prosecuted for not upgrading to EMV-compliant payment systems, making the switch should still be a priority. With the deadline for EMV implementations long passed, you risk facing liability in credit card fraud situations if your business remains out of compliance with this industry standard.
