The shift to EMV credit and debit cards began in the U.S. in October 2015. However, the change has been a gradual one, and it’s still quite common to visit a merchant who either does not have an EMV-capable terminal or has one but is not using the EMV functionality. As of February 2016, in fact, only 37% of U.S. merchants had made the switch. There have been many dire words spoken about merchant liability under the EMV regime, so it’s important to understand exactly what is happening, and if you are a QuickBooks Point of Sale user, it’s also important to know what Intuit is doing about EMV.
So first, what exactly is EMV? The acronym stands for Europay, MasterCard, and VISA, who jointly developed the standards for the technology. EMV cards use an embedded chip—a small microprocessor, actually—rather than the traditional magnetic stripe (although the stripe is, obviously, still there). When a card is swiped for a transaction in the old way, the associated information (including the card number) is transmitted “in the clear” throughout the authorization process. Yes, it’s been over a decade since merchants were required to hide all but the last four digits of a card number on receipts and other documents, but processors were still transmitting millions of unencrypted transactions daily. So it’s not hard to see how card data could be stolen.
The EMV process differs in a couple of substantial ways. First, the data is encrypted and not stored locally in processing systems. Second, each transaction generates a unique digital token that is never reused. These steps are relatively complicated—at least compared to reading data from a magnetic stripe—which is why EMV transactions take noticeably than swiped ones. (Processors have been working with some success to reduce the time required after widespread complaints from both consumers and merchants.)
The good news is that EMV is significantly more secure. The U.S. in particular was seeing rapidly accelerating rates of credit card fraud—up 14.5% just from 2013 to 2014. Moreover, the U.S. accounted for 47% of credit card fraud globally despite having only 25% of the transactions. But European countries that have already implemented EMV have seen fraud drop to 1999 levels, with U.K. merchants seeing a 67% decrease since 2004, and the U.S. experience should be similar.
The bad news—at least from a merchant standpoint—is the shift in liability. Before October 2015, merchants were not subject to liability for in-store fraud—that is, for “card present” transactions. After that date, liability shifted to the merchant, but only if the customer presents an EMV-enabled card and the merchant does not have (or use) an EMV-capable terminal. If the customer still has a magnetic-stripe-only card, there is no shift in liability.
Interestingly, many merchant processors are also behind the power curve for EMV transition, and many do not yet offer EMV processing. In most cases they have accepted the liability for fraudulent transactions in order to shield their clients from something that is currently beyond the merchants’ control—short of changing processors, of course, which is something they prefer to avoid. One of the processors that protected merchants from liability was Intuit.
However, that grace period has now ended. Intuit has made the shift to EMV-compliant processing, and as of August 15, 2016 its merchant clients are now fully liable for card fraud under the standards described above. (Intuit had originally announced a March 31, 2016 deadline in the autumn of 2015 but subsequently extended it.) So if you accept credit cards through any of the QuickBooks products using Intuit as your merchant processor, it is important that you ensure that your business is compliant.
Because EMV is such a significant shift in card processing, it was not feasible for Intuit to retroactively include that capability in existing software products—not the sort of thing, in other words, that can be added with a patch. As such, only certain versions of QuickBooks will be EMV-compliant. For the traditional desktop editions of QuickBooks (Pro, Premier, Accountant, and Enterprise), that will be the 2016 (or V16 for Enterprise) versions and later. QuickBooks Online will be supported automatically since that software is constantly updated. For QuickBooks Point of Sale, V12 and later will be supported. In all cases, the software must be used in conjunction with the updated card reader hardware, including an EMV-capable PIN pad for Point of Sale.
Fortunately, you have an opportunity to upgrade to the compliant version of QuickBooks Point of Sale at a discount if you act quickly. Intuit recognizes that the inability to support legacy versions can potentially place some customers at a disadvantage. This major shift in credit card processing technology thus offers a chance to move to the most current version of QuickBooks at a better price.