The vending industry first heard about EMV or Europay, MasterCard and Visa, at the 2013 NAMA OneShow during Dr. Michael Kasavana’s V-Engineering: The next generation panel and educational session. Ron Spinella, executive vice president at Apriva, shared with attendees that by 2018, major credit card companies in the U.S. would be switching to EMV technology.
Commonly seen as a chip card where there is a mini microprocessor or chip embedded in the physical credit card, EMV technology has been around since the early 1990s. It is used in Europe along with a personal identification number or pin entered at the time of sale. Data is transmitted from the chip to the cashless payment device and back again. The chip is extremely difficult to reproduce, therefore EMV cards are considered more secure than traditional magnetic stripe (mag stripe) cards seen in the U.S. today.
Last year, Spinella wanted to get operators to consider the ramifications if their readers were not EMV ready. This year, with some large retail security breaches, such as Target, EMV has become headline news and the move to EMV is likely to come sooner than 2018. Currently, the major card brands have deadlines in place to move the cashless payment industry towards EMV cards. The most important deadline for vending operators is October of 2015. At that point, card companies will shift liability for fraudulent credit card charges to the party with the least secure system. For the industry, this includes vending machines if the card reader isn’t EMV compliant, which is the case for nearly all cashless devices on vending machines today. Operators would need to buy all new terminals to be EMV compliant — a huge investment and challenge. However, the full story of EMV and vending isn’t so bleak.
In case of fraud, what really is the vendor’s liability? In many situations, the vending operator may have a merchant’s agreement with a provider which migrates their responsibility. As long as the operator was in compliance with this agreement, EMV wouldn’t change the liability for the operator. Even without a merchant’s agreement, fraud in the vending industry is quite low.
“The fraud risk for vending is somewhere in the area of 0.16 percent,” said Brendan Kehoe, vice president of Streamware at Crane Merchandising Systems. “With the fraud risk that low, there would be no justification for replacing an existing reader.” Kehoe uses the example of a vending company doing a million dollars in vending transactions a year. At 0.16 percent fraud, that’s a fraud exposure of $1,600. When each EMV reader is likely to cost in excess of $200 apiece, that’s $40,000 to replace the reader on 200 machines. “The economics in vending will probably never make sense for operators to replace their readers,” said Kehoe. He reminds the industry that the October 2015 deadline from Master Card and Visa that affects operators is simply a liability shift, not a deadline to have EMV readers installed on machines.
Additionally, Kehoe sees banks including mag stripes even on EMV-capable cards for the foreseeable future, until EMV readers are everywhere, which won’t happen any time soon. He also suggests that there are other industries that won’t be changing their card readers such as municipal parking, which accepts credit at parking meters. “They are not changing those,” said Kehoe. “It’s the same as vending — a low value transaction amount coupled with a low fraud risk with a large number of readers.”
EMV is the future
Other industry members warn that the industry must be thinking ahead. Apriva’s Spinella talks about EMV as a long term investment. “Over time mag stripes won’t be supported,” Spinella said this year. “Operators like their technology to last many years, therefore they will want it to be EMV capable.” He wouldn’t encourage vendors to go into the field and replace mag stripe readers yet, but to make sure to purchase EMV readers when they are installing new equipment in order to get the most out of their investment. Within five years, Spinella expects 90 percent of the credit cards in consumer pockets to be EMV. “My thought is initially, the transition will be very slow,” he said. “But in 2015/2016, we’re going to see it change over.” The change will come as terminals are upgraded and replaced with EMV-capable models and the consumer is educated about what to look for, Spinella adds.
Canada has been using EMV cards for years. The liability shift the U.S. is expecting in 2015 happened there in 2010. “Card associations are learning from the EMV shift in Canada,” said Paul DeRosse, vice president of business development, Canada, for Apriva. In Canada, the chip cards also require a pin be entered, however, not necessarily at vending machines. “The pin isn’t required if the transaction is below a certain value,” said DeRosse. That value is assigned by the bank issuing the card. The one caveat is that the Canada chip and pin cards need reauthentication every so many transactions. A consumer must use the card at a merchant with a pin pad in order to reauthenticate the card. It’s a tradeoff Canadian users are willing to make. “Consumers haven’t found it to be an unsatisfying experience,” said DeRosse. “Canadians as a whole are more security conscious and willing to give up some convenience for that. The U.S. might be different.”
Updating the reader
“EMV really ups the game in terms of security and an investment by the operator,” said Chuck Reed, director of marketing and sales operations at newly merged MEI and Crane –Crane Payment Innovations (CPI). Previously, there weren’t any readers on the market that could read EMV cards. Operators adding the technology would need to reterminalize, explains Reed. A few years ago, merchants had to prove they were Payment Card Industry (PCI) compliant — as secure as they could be. “EMV is different,” warns Reed. “PCI is behind the scenes…with EMV there are physical changes to the hardware.”
In the retail world, cashless terminals are replaced more often, so reterminalization isn’t new to them. However, vending operators keep a close eye on their investments and want the card readers to last at least 10 years, said Patrick Richards, cashless product manager — vending management services at CPI. This means installing EMV readers isn’t going to happen overnight. “It has to make sense for the operation,” said Richards. Vending operators should consider the consumer’s reaction. Before the Target breach, consumers didn’t worry about security, but afterwards, consumers became more sensitive to using their cards at this merchant and Target took a 40 percent loss in sales during the 2013 holiday season, warns Richards. While fraud at the vending machine is unlikely to happen, a consumer whose credit card is unwittingly stolen is going to be looking for security measures, especially if the fraud is tracked back to a vending machine. “Vending as a whole could be perceived as less secure than retail,” Richards said.
As operators prepare for the future they need to look closely at which cards they will be accepting and buy the terminal based on that. Richards says it’s easy to know if a card reader is capable of reading/accepting an EMV chip card, the card has to physically stay in the reader during the transaction as data is transmitted back and forth between the reader and the chip.
For contactless card readers or “tap and pay,” because the device uses near field communication (NFC), the changes required for EMV compliance are different and will likely be handled by the device and by the supplier as an upgrade.
Updating readers at each vending machine would put a tremendous strain on vendors, explains Ron Manne, vice president of global sales and marketing at Coinco/Royal Vendors. “A lot of credit card hardware has been installed over the past 10 years most of which is not EMV capable,” he said. Vending operators are essentially running 100s or 1,000s of individual stores each with a card reader, and to be on the safe side they would have to be replaced.” With all the recent negative publicity about cyber-attacks, Manne believes the card companies will launch a campaign explaining how secure EMV is in order to regain some consumer confidence. But if a vending machine is not identified EMV compliant, will consumers shy away? After all, vending is not the main target of credit card fraud. “I believe it will be one of the hot topics at the NAMA convention,” Manne added.
Other security options
While EMV is more secure than mag stripe, suppliers and processors have already put work into maintaining the security of current mag stripe data. In the case of USA Technologies, Maeve Duska, vice president of marketing touts the end to end encryption and secure card tokenization — which adds another level of encryption beyond PCI requirements — that ensures the safeguarding of users’ information when they pay via cashless. “The ePort Connect service network, as well as our devices, are currently designed to protect customer credit data — whether it’s magnetic stripe, EMV contactless or EMV contact. However, since the card associations (Visa/MasterCard), banks and others in the payment processing ecosystem still need to agree and move in unison towards the creation of an EMV infrastructure, to date, the business case for adding EMV at the vending operator level hasn’t been strong,” Duska added. “We’ll be gathering more feedback from customers in this area based on the EMV options we intend to present to customers over the next few months.”
Everyone is waiting on the major card brands to decide exactly what EMV will look like in the U.S. It may have a chip and pin or chip and signature but in vending at least, it’s likely neither will be required at the machine and mag stripe cards will continue to work for the near future. While a low fraud risk may give vendors a reprieve from replacing existing devices, most of the industry agrees that as new readers are purchased, operators would be wise to buy those that are EMV capable. It is the only way to ensure they are ready for the day chips cards are all consumers carry.