Why government agencies need EMV for payments

Published November 16, 2020

 

Government agencies, like the private sector, are at risk of accepting payments from fraudulent cards, especially cards with magnetic stripes. Personal information on swipeable cards is easy to lift and use to “clone” cards, and it can be next to impossible to find the guilty parties who do it.

And, a few years ago, major credit card companies introduced a policy that places the liability burden on agencies (and merchants) that are unable to accept EMV payments. Not only is that costly to your agency, but by not using EMV technology you’re also missing the opportunity to reduce fraud and the risks that come with it. EMV increases the security of payment card transactions through a chip embedded in credit, debit and prepaid cards. The purpose? To prevent fraudulent practices such as card skimming and cloning.

What is the cost of not having EMV chip-ready devices for EMV card payments?


There’s a big reason why government agencies (local, state and federal) are popular targets for cyberattacks: they hold some of society’s most sensitive personal information, from social security and credit and debit card numbers to voter information (dates of birth, addresses, party affiliation and voting records) and much more.

So, protecting data is, of course, one of government agencies’ top priorities. Still, many of them are slow to adopt EMV chip-and-pin technology, and payment vendors too often overlook the need to deploy in the government space. Why aren’t vendors making EMV chip-and-pin a priority in the government space? Maybe this is the next discussion for your current payment vendor—or it’s time to switch to a new government payments vendor.

Say someone comes in to pay for their car tag renewal. They have a counterfeit credit card with their name on it—but the magnetic stripe actually has someone else’s account number and personal information attached to it. No one is any wiser, so the person swipes their card for their tag renewal and walks out with their new license plate sticker. You don’t know until three months later, when your tag office gets a chargeback from the credit card issuer of the identity theft victim. Even worse, the only contact information your office has on file is outdated—and the thief no longer lives in the county.

In this case, the theft wasn’t due to a lack of governmental oversight; it was because the criminal was able to swipe their cloned card successfully. Since the card was swiped in a USB magnetic card reader, instead of using chip-and-pin, it was easy for the fraudster to use a counterfeit payment method. And while this is theft on a small scale, examples like this are costly and can lead to a larger-scale data breach.

And addressing fraud after it happens is a costly, time-consuming hassle. Just to correct this one situation, the motor vehicle office must:

  • Relinquish the payment amount in question without even an investigation
  • Use back office personnel to research the details of the payment in question
  • Determine the liability (submit requested payment info to the credit card company, search and contact parties involved)
  • Remain in the required waiting period to get the result of the internal investigation
  • Take any actions necessary after the investigation concludes

These small-scale instances add up and can eventually cost government agencies lost revenue, reduced efficiency and increased risk of making mistakes.

Who’s liable for card fraud?


Chip technology was intended to help bring the entire payment industry on board with EMV by encouraging compliance to avoid liability costs. And since the October 1, 2015 deadline created by major U.S. credit card companies (Mastercard, Visa, American Express), the liability for card-present fraud shifted—with more burden falling on the merchant or agency.

So, when someone uses a fraudulent card issued by a financial institution (FI) with a chip embedded in it, but the agency hasn’t changed its systems to accept chip technology, the cost of the fraud falls on the government agency, not the FI.

How can government agencies avoid problematic payments, and minimize risk for nefarious activity?


For decades, the federal government has been passing legislation to protect the privacy of American citizens. The Privacy Act of 1974 was enacted to “establish new expectations for how the federal government responsibly collected and managed information on behalf of the American public.” But hackers have made the U.S. government’s goal to protect its citizens—and their sensitive information—much more difficult.

Beyond protecting their databases with legislation, government agencies can avoid costly charges from people using fraudulent cards by incorporating EMV across the board. That’s because “chip”-based transactions are far less likely to lead to fraudulent activity or chargebacks than magnetic stripe swipes.

Why is a card “dip” safer than a card “swipe”?


EMV cards contain a computer microchip that produces a unique, one-time cryptogram for each transaction, making it more secure than a magstripe card transaction. Chip cards work only with PCI (Payment Card Industry) certified devices that are compliant with EMV chip-and-pin standards.

So, whenever you “dip” a chip card in a reader (as opposed to swiping a magnetic stripe card), it creates a unique code that changes with every transaction. Compare that to data stored in a card’s magnetic stripe; that data never changes, making it susceptible to being cloned or skimmed.
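The contrast described above, as an added example that is not from the original article or any card network: a simplified model in which the names `ChipCard` and `Issuer`, the message layout and HMAC-SHA256 are assumptions standing in for the real EMV cryptogram computation. It shows copied stripe data being accepted while a replayed or altered chip cryptogram is rejected.

```python
import hashlib
import hmac
import secrets

def _mac(key, req):
    # HMAC-SHA256 stands in for the real cryptogram algorithm (assumption).
    msg = f'{req["pan"]}|{req["atc"]}|{req["amount"]}|'.encode() + req["nonce"]
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

class ChipCard:
    def __init__(self, pan, key):
        self.pan, self._key, self.atc = pan, key, 0  # key never leaves the chip

    def dip(self, amount, nonce):
        self.atc += 1  # transaction counter advances on every payment
        req = {"pan": self.pan, "atc": self.atc, "amount": amount, "nonce": nonce}
        return {**req, "mac": _mac(self._key, req)}

class Issuer:
    def __init__(self):
        self.keys, self.last_atc = {}, {}

    def issue(self, pan):
        self.keys[pan], self.last_atc[pan] = secrets.token_bytes(32), 0
        return ChipCard(pan, self.keys[pan])

    def authorize_swipe(self, track):
        return track["pan"] in self.keys  # static data: a copy looks like the original

    def authorize_dip(self, req):
        key = self.keys.get(req["pan"])
        if key is None or not hmac.compare_digest(_mac(key, req), req["mac"]):
            return False  # unknown card, altered fields or wrong key
        if req["atc"] <= self.last_atc[req["pan"]]:
            return False  # counter already seen: replayed cryptogram
        self.last_atc[req["pan"]] = req["atc"]
        return True

def demo():
    issuer = Issuer()
    card = issuer.issue("4000000000000002")  # constructed test account number
    first = card.dip(2500, secrets.token_bytes(4))  # nonce comes from the terminal
    return {
        "swipe_copy": issuer.authorize_swipe({"pan": card.pan}),  # cloned stripe
        "dip": issuer.authorize_dip(first),
        "dip_replay": issuer.authorize_dip(dict(first)),  # captured and resent
        "dip_tampered": issuer.authorize_dip({**card.dip(2500, b"\x00" * 4), "amount": 1}),
        "next_dip": issuer.authorize_dip(card.dip(4200, secrets.token_bytes(4))),
    }
```

Calling `demo()` returns the authorization decision for each case; only the copied stripe data and the genuine, fresh chip transactions are approved.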

Indeed, in 2019, Visa reported that counterfeit fraud from retailers who have chip-enabled payment terminals declined by 75 percent in 2018 compared to 2015, with continued decline in 2019.

A simple apples-to-apples comparison of chip and swipe highlights the differences in card data security:

EMV chip “dip”

Card Data Security:

✓ Impossible to clone. One-time-use cryptogram per transaction (card data changes for every payment)
✓ No personal information about cardholder stored on chip
✓ Fraud liability shifts to payment vendor
✓ Only compatible with PCI Certified Devices (reduces PCI scope) P2PE

Technology Enhancements:

✓ NFC-enabled (Near Field Communication) which facilitates even more secure contactless payments
✓ Electronic signature capture
✓ Wi-Fi Enabled
✓ Touchscreen
✓ Dip and swipe compatible
✓ Ethernet port

3 EMV certification levels: (layers of security testing)

✓ Hardware: Logic and transmission of payments are tested
✓ Software: The transmission of payment information is tested
✓ Payment Application: Card brand tested against entire processing solution

Magstripe “swipe”

Card Data Security:

⨉ Data stored within stripe never changes (card data vulnerable to skimming or cloning)
⨉ Stripe cards store account details and account holder info.
⨉ Fraud liability is with merchant or agency office.

For government agencies, fighting fraud will be an ongoing battle, but why not eliminate your agency’s liability when fraud occurs? Certified P2PE EMV payment devices with chip-and-pin authentication significantly reduce fraud risks. So, if your payment vendor hasn’t already reached out to you to get your office EMV compliant, take the lead by finding a vendor who supports EMV.
