Universities Are Anxious About EMV… but Should They Be?

With the EMV upgrade seemingly just around the corner, traditional merchants aren’t the only ones worried about the liability shift.

According to the National Center for Education Statistics, the United States higher-education industry brought in $555 billion in revenue from 2012–2013.

Despite this massive volume, the upcoming move to EMV in the United States is not necessarily a cause for concern for institutions of higher learning, whose revenue comes mainly from student tuition and government grants.

However, after the EMV liability shift, colleges may find themselves becoming the next big fraud target as criminals move on from merchants and set their sights on easier prey.

Reducing fraud at the point of sale is a good thing, but the question is how, or in this case, when, to implement mitigation strategies. Campuses must carefully consider their hardware choices in the context of their needs and budget, and must plan for the ripple effect of the adoption of this new technology. They must also proceed with their initiatives aimed at PCI compliance, which will become even more important in the new EMV-oriented environment.

Schools still process a large number of card-present transactions in the campus business office, but they also process a growing volume of card-not-present transactions through online portals. EMV adoption will make card-present fraud much more difficult, which will draw fraudsters to card-not-present transactions as the path of least resistance. It is imperative that campuses pursue methods of reducing their PCI scope in addition to, or before, the adoption of EMV hardware and software.

Higher One services two-thirds of all higher education institutions with faster and more efficient payment solutions as well as better insight into campus intelligence.The company is working with colleges and universities to help them planfor EMV adoption and to reduce their PCI scope.

According to Don Smith,VP Payments Product Management at Higher One, “We’re receiving a number of client questions about EMV, and we’ve learned that there’s a good deal of confusion about this transition. There is a lot of FUD in the market right now as vendors try to capitalize on the confusion.”

In reality, the liability shift is less of a mandate and more of a strong suggestion.

After October 1, 2015, the liability for card-present fraud shifts to the merchant if it does not have the ability to process the payer’s EMV transaction. There is no requirement that merchants implement the necessary software and hardware changes prior to, or after, this date.

According to Smith, “On day one, it’s not an all-or-nothing proposition. The card brands understand the complexity of this implementation in the U.S. for card issuers, merchants and consumers.”

Campuses should carefully consider a few things when determining their EMV strategy:

1. Their student population—What are their students’ needs? Are they traditional or non-traditional students? How many come to the business office to make payments compared to making payments online? Do they use smartphones? Would they expect to be able to check out using contactless payment options like ApplePay?

2. Their fraud rates for card present transactions—How often does the campus business office experience card-present fraud? What is the dollar amount for this type of fraud over the course of the past year?

3. Their budgets—In how many places does the campus process card-present transactions? How much volume do each of these places process? Does each of these locations require a new EMV-capable device? How many EMV-capable devices would be necessary? What is the budget for hardware upgrades?

The reality is that most college students use banking products that are not immensely profitable for banks. It is also significantly more expensive to produce an EMV card than a standard magnetic stripe card. In addition, card-present fraud rates in the campus business office are generally much lower than they are for other merchants. Given these points, it may take some time for banks to issue new EMV cards to their college-aged customers, which means that many campuses may be in a position to be patient with their EMV roll-out strategy.

On the other hand, campuses should display a greater sense of urgency in mitigating their PCI risk. The next logical target for hackers would be card-not-present transactions, but payment data is not the only treasure trove for criminals. Sensitive information such as student addresses, social security numbers and contact information is just as valuable.

Coalfire, an independent IT and technology compliance auditing firm, tests vulnerabilities and solves issues with data security at companies and institutions.

According to Matt Getzelman, Director, PCI Practice at Coalfire Systems, these institutions are facing “a lot more scrutiny” from banks and financial institutions to become PCI-compliant, the industry standard for payment card and cardholder security.

According to Getzelman, these higher education institutions generally “don’t have huge IT security departments—there’s usually a handful of people.” Getzelman estimates that out of 100 schools, 90 to 95 percent would not be PCI-compliant.

“The first step is to do a thorough risk assessment, looking at the point of sale and point of interaction, e-commerce fraud that will increase after adoption of EMV, and of course there’s data and legacy data storage,” Getzelman says. Processes tend to be siloed, meaning these institutions may not even be aware of all their points of vulnerability due to a lack of communication between departments.

There’s an expectation that 2015–2016 will bring increased investments to security upgrades for all stakeholders.

It’s paramount for institutions of higher education to move quickly to establish a PCI-compliant environment, and to determine their EMV implementation strategy.