Understanding EMV and NFC Compliance: How Card Brands Detect Terminals to Ensure Liability Shift

Think of payment terminals as the gateway to digital commerce. Ensuring these terminals meet the latest security standards, particularly the EMV and NFC standards, is crucial for both merchants and financial institutions. But how do major card brands such as Visa and MasterCard know that a payment terminal supports EMV and NFC to determine the liability shift?

The Role of the Acquirer

The responsibility for configuring payment terminals falls squarely on the acquirer (or acquiring bank). An acquirer is responsible for linking merchants to the payment networks. Merchant decisions about whether to adopt or reject EMV standards are tempered by the acquirer's approval because the acquirer ultimately bears the risk of fraud.

Acquirer Orchestration and Risk Management

Acquirers may approve the use of non-EMV terminals only under specific conditions. If granted, the acquirer might mandate a rolling reserve, a financial buffer to cover potential fraud losses. This allowance is made with the awareness that high fraud rates can negatively impact the acquirer. If fraud rates are exceptionally high, card schemes may become wary of working with this acquirer, which is not in the acquirer's best long-term interest.

Card Brand Incentives and Requirements

Card brands have set a variety of rules to encourage merchants to adopt EMV compliance. For instance, MasterCard offers additional incentives by combining liability shift and PCI (Payment Card Industry) enhancements for Level 1 and Level 2 merchants, which include large retailers like CVS. These incentives aim to reduce ADC (Account Data Compromise) and provide relief from card data breaches.

Merchant Terminal Identification and Reporting

Every merchant account has a Terminal ID (TID) even if the merchant uses a payment gateway. This ID is a unique identifier that defines the connection method and what data can be sent. EMV transactions involve more data than standard transactions, hence, a merchant cannot claim to have EMV-compatible terminals without substantiating it.

Reversing NFC Functionality

Technically, a merchant could turn off NFC and then turn it back on after an event such as an ADC incident. However, any such action can be detected via an audit. This underscores the necessity for transparency and consistency in terminal configurations.

The EMV and NFC Landscape

It's important to distinguish between EMV and NFC. NFC (Near Field Communication) is an international standard for short-range radio communication between devices. While EMV cards can communicate via NFC, the default approach involves direct contact. Thus, NFC does not necessarily equate to EMV-compliance.

Future of NFC and EMV

NFC's primary current role is supporting mobile wallets, as evidenced by the wide adoption of solutions like Apple Pay, Android Pay, and Samsung Pay. Card issuers are often cost-conscious, and the added expense of dual interface chips capable of both EMV contact and EMV contactless NFC communication might be prohibitive. Mobile wallets also offer a more secure payment experience through tokenization and biometric authentication, making them a preferred choice over traditional EMV cards for many issuers.

Conclusion

Ensuring payment terminals are both EMV and NFC compliant is vital for managing the liability shift effectively. Acquirers, card networks, and merchants all play a role in this process. With clear guidelines and incentives from card brands, the application of these technologies is becoming more widespread. Understanding these technologies and their roles helps merchants protect their businesses and ensures smooth transactions for customers.