URGENT MESSAGE: Effective October 1, 2015, businesses that accept credit and debit cards can be responsible for fraud charges if they do not implement technology that reads the microchip-enabled cards now being issued by banks. Urgent care operators should work with their credit card processors to ensure compliance through use of upgraded equipment that is compatible with their practice management systems.
Alan A. Ayers, MBA, MAcc is Practice Management Editor of The Journal of Urgent Care Medicine, a member of the Board of Directors of the Urgent Care Association, and is Vice President of Strategic Initiatives for Practice Velocity.
You’ve probably noticed a change in the way your credit or debit card is processed at certain stores lately. Since October 1, major retailers like Target, Walgreens, and Best Buy have been transitioning to “Europay, MasterCard, and Visa” (EMV) technology, employing new credit card terminals that can read microchips embedded into new cards.
The chips are the latest weapon available to improve security and reduce fraud. However, this is not a new technology. Debit and credit card microchips have been used by most of Europe and other parts of the world for decades, with the United States being the last major market to make the transition.
The move to EMV is necessary because data contained in the magnetic stripe on the back of legacy cards has proven to be unsafe and easy to steal. In some instances, fraudsters can copy the magnetic stripe directly off a valid credit card onto the magnetic stripe of a retail gift card and make charges undetected to the victim’s account. Several large-scale data breaches, such as the one that occurred at Target in 2013, have been the result of insecure payment cards and terminals.1
While payment card fraud occurs all over the world, it happens at a higher rate in the U.S.; about 25% of all the world’s payment card transactions take place here, accounting for over 50% of all credit card fraud worldwide.2 In addition, fraudulent card activity represents 10 cents of every $100 spent, and it is estimated that there will be over $16 billion in losses as a result of fraud in 2015.2,3
EMV has been proven highly effective in reducing card-related fraud in other countries. For example, the transition to microchip cards and terminals between 2007 and 2012 in the United Kingdom resulted in a 27% drop in credit card fraud.2
It’s a different story for online purchases, however, where fraud involves the card’s account number rather than the card itself. Some analysts even expect to see an increase in fraudulent online transactions using cards with microchip-enhanced security.4
EMV technology uses an algorithm to create a unique transaction code that can never be used again, whereas the magnetic stripe on the back of traditional payment cards uses the same data during each transaction, making it easy for criminals to steal and replicate. EMV card transactions provide an additional layer of protection to businesses and consumers by offering the option to use a PIN, rather than a signature, at the point of sale.
The way we physically use our cards at the checkout is changing, as well. For starters, microchip cards no longer have to be swiped when you make a transaction. Instead, they are “dipped” into the terminal, and data flows between the microchip and the bank to verify the card’s legitimacy and create the distinctive transaction code.
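To make the contrast between static stripe data and a one-time transaction code concrete, the following is an added sketch, not part of the original article and not the actual EMV cryptogram algorithm. It assumes a simplified model in which the card and the bank share a secret key and the code is an HMAC-SHA256 over a transaction counter, the amount, and a terminal-supplied random value; the class names and track data are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def _message(counter: int, amount_cents: int, nonce: bytes) -> bytes:
    # Data bound into each code: counter, amount, terminal random value.
    return counter.to_bytes(4, "big") + amount_cents.to_bytes(8, "big") + nonce


@dataclass
class ChipCard:
    """Constructed model of a chip card: secret key plus a counter."""
    key: bytes
    counter: int = 0

    def sign(self, amount_cents: int, nonce: bytes) -> tuple[int, bytes]:
        self.counter += 1  # never repeats, so every code is different
        msg = _message(self.counter, amount_cents, nonce)
        return self.counter, hmac.new(self.key, msg, hashlib.sha256).digest()


@dataclass
class Issuer:
    """Constructed model of the bank: shares the key, remembers the counter."""
    key: bytes
    static_stripe: bytes
    last_counter: int = 0

    def approve_stripe(self, stripe_data: bytes) -> bool:
        # Static check: an exact copy is indistinguishable from the original.
        return hmac.compare_digest(stripe_data, self.static_stripe)

    def approve_chip(self, counter: int, amount_cents: int,
                     nonce: bytes, code: bytes) -> bool:
        if counter <= self.last_counter:
            return False  # code from an already-processed transaction
        expected = hmac.new(self.key, _message(counter, amount_cents, nonce),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(code, expected):
            return False  # code does not match this transaction's data
        self.last_counter = counter
        return True


def demo() -> dict:
    key, stripe = secrets.token_bytes(32), b"CONSTRUCTED-TRACK-DATA"
    card, bank = ChipCard(key), Issuer(key, stripe)
    nonce = secrets.token_bytes(4)
    ctr, code = card.sign(2500, nonce)
    return {
        "stripe_original": bank.approve_stripe(stripe),
        "stripe_copy": bank.approve_stripe(bytes(stripe)),
        "chip_first_use": bank.approve_chip(ctr, 2500, nonce, code),
        "chip_same_code_again": bank.approve_chip(ctr, 2500, nonce, code),
        "chip_code_on_new_txn": bank.approve_chip(ctr + 1, 2500, secrets.token_bytes(4), code),
    }
```

In this model the copied stripe data is approved exactly like the original, while a chip code is approved once and rejected on any later presentation.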
Impact on Urgent Care
So what does this transition mean for urgent care centers? For starters, facilities that are currently operating on older magnetic stripe card terminals leave themselves open to considerable risk. Businesses that have continued to use magnetic stripe terminals after the October 1, 2015 deadline are now liable for charges posted against a lost or stolen card they processed for payment. However, if your practice does operate with new EMV-capable terminals and your patient’s bank does not (or the bank has not issued a chip-enabled card), then the liability falls onto the bank. Therefore, the upfront costs to implement EMV terminals could be significantly lower than the cost of being liable for fraudulent medical care costs.
New terminals can cost anywhere from $30 to $500, depending on the make, model, and capabilities (such as having near field communication or being able to accept Apple Pay). Intuit is currently offering a basic EMV reader that plugs into a smartphone or tablet for $30, while other companies such as First Data are offering more high-end versions that can cost nearly $500.5,6 Even after considering other direct costs associated with making the transition, such as the cost of setting up new equipment and training workers on how the new terminals work, the balance tilts in favor of making the transition.
It is important to note that these new terminals will still be able to accept old magnetic stripe cards as a form of payment.
If you’re still on the fence about updating to microchip-reading terminals, which is completely voluntary, you’re not alone. Visa estimates that by the end of 2015 only 60% of U.S. businesses will have made the switch, even though EMV technology is designed to protect against credit card fraud and reduce the liability businesses take on when accepting a stolen card.7 In the past, merchants who accepted fraudulent cards weren’t liable for the fraud; those costs were absorbed by the banks and credit card issuers. (For insights from a banking professional, see A Banker’s Perspective at the end of this article.)
Of course, urgent care centers are not typical “merchants.” Because a medical visit usually entails presenting a photo identification and other forms of identification (such as an insurance card), most medical facilities do not directly experience payment card fraud like other businesses that sell goods such as jewelry and electronics that can be easily fenced by crime syndicates. However, that does not mean that the healthcare field is immune to fraud. In most instances, fraudulent payment activities are a result of using a stolen identity, where the patient is impersonating someone else in order to receive medical treatment. Medical identity theft can exhaust a patient’s lifetime insurance benefits, create false medical records that result in future misdiagnosis, and result in significant legal costs. The goal of EMV microchip technology in a healthcare setting is to cut down on these occurrences, thus lowering the monetary impact of “stolen” medical care.
If you have made the decision to set up new terminals, getting them into your practice is relatively easy. Companies such as First Data and AxiaMed provide detailed how-to guides on the steps necessary to get your payment system up to speed and avoid being liable for fraud.8 They also offer helpful cost/benefit analysis, marketing tools, and training plans to guide you through the process.
Like all change, the transition may be painful in the beginning, and there may be confusion on how the terminal or payment process works. Issues of integration with your practice management system should be fully discussed with your software vendor, who likely has already developed a solution that fits your practice. At the end of the day, the improved security and reduction in fraudulent payment activities will far outweigh the associated costs and hassle of making the transition.
1. Riley M, Elgin B, Lawrence D, Matlack C. Missed alarms and 40 million stolen credit card numbers: how Target blew it. Bloomberg Business. March 13, 2014. Available at: http://www.bloomberg.com/bw/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data. Accessed October 19, 2015.
2. First Data Corporation. EMV for merchants. Available at: https://www.firstdata.com/en_us/all-features/emv/emv-for-merchants.html. Accessed October 19, 2015.
3. Cowley S. Coming soon to checkouts: micro-chip card payment systems. The New York Times. September 23, 2015. Available at: http://www.nytimes.com/2015/09/24/business/smallbusiness/coming-soon-to-checkouts-microchip-card-payment-systems.html?_r=1. Accessed October 19, 2015.
4. Steverman B. What that chip in your new credit card means for you. Bloomberg Business. September 29, 2015. Available at: http://www.bloomberg.com/news/articles/2015-09-29/what-that-chip-in-your-new-credit-card-means-for-you. Accessed October 19, 2015.
5. Gagliordi N. Intuit to offer $30 mobile EMV reader ahead of October liability shift. ZDNet. June 2, 2015. Available at: http://www.zdnet.com/article/intuit-to-offer-30-mobile-emv-reader-ahead-of-october-liability-shift/. Accessed October 19, 2015.
6. Google search: “First Data EMV terminal.” Available at: https://www.google.com/search?client=safari&rls=en&q=emv+terminal&ie=UTF-8&oe=UTF-8#safe=off&tbm=shop&q=First+Data+emv+terminal. Accessed October 19, 2015.
7. Introducing Visa chip technology—confidence in a smarter world. Available at: https://www.visa.com/chip/personal/security/chip-technology/index.jsp. Accessed October 19, 2015.
8. EMV healthcare solutions. Available at: https://www.axiamed.com/emv-healthcare-solutions/. Accessed October 19, 2015.
A BANKER’S PERSPECTIVE: Marsha Abramson, Senior Vice President and Operations Manager of Illinois Bank & Trust, based in Rockford, IL, shares her insights on the transition to EMV in an interview on October 19, 2015.
On the occurrence of credit card fraud…
The data on the card’s magnetic strip has become relatively easy for fraudsters to obtain, either using technology to copy it directly from the victim’s card or by compromising software containing the magnetic strip data. The latter is what occurred with the Target breach in December 2013. EMV should help reduce fraud that originates at the point of sale.
On the difficulty of preventing fraudulent charges…
The issue with credit cards is there is a real-time balance. When fraudsters duplicate a card, they will typically test what the account balance may be by starting with small charges, such as gas, and then working their way up to larger purchases. Banks must show some reasonableness in allowing authorizations. While there are systems and processes to identify and alert customers of unusual activity, we also don’t want to leave stranded a customer who is far away from home and may be in trouble. And while we do ask that customers notify us when travelling or making large purchases, they often don’t remember to do so.
On the process for disputing fraudulent charges…
Today if a customer disputes a charge, if it’s a reasonable request, the bank will provide a credit back to the customer’s account at the bank’s expense, and then notify VISA. If it’s determined there was fraudulent use of the card, generally the bank is liable for that expense.
On the impact of card fraud to the bank’s profitability…
On the timeline of the EMV rollout…