A new credit card reader system will soon be in place that has the potential of greatly reducing fraud—both large-scale data hacks and the retail spending sprees of small-time crooks. But the new system could shift the liability costs of fraud onto churches or retail outlets if they fail to implement the new system. The deadline of October 1 of this year is approaching quickly, especially as many churches are completely unaware of the change.
Credit card fraud in the United States has been on the rise largely because nearly every other country in the world has different and more secure credit cards. Known as EMV cards, these new credit cards have become the global standard. Developed by and named after Europay, MasterCard, and Visa, these cards do away with the old swipe-and-sign technology based on a magnetic strip. Because the EMV system is far more secure, fraud has migrated to the United States where security is the weakest. The United States is home to 24 percent of global credit card usage but 47 percent of the $11.3 billion in global credit card fraud, reports The Economist. America is the only country where credit card fraud is growing.
The new EMV technology includes a computer chip embedded in each card. The chip creates a unique transaction code each time it is used. Unlike a magnetic strip in which the data never changes, the chip updates its data with every use. If the data on the EMV card is copied, it can’t be used to make fraudulent purchases. According to CreditCards.com, about 160 million EMV-equipped cards have already been issued to Americans and another 600 million will be by the end of 2015. These new cards require new devices to read them, and those who process transactions will need to be trained on the new procedures. Instead of swiping the magnetic strip, the card will be “dipped” into the device, which can read the chip, authenticate it, and then require a PIN or signature from the card holder.
To encourage adoption of the latest technology, liability for fraud will change on October 1. Traditionally, credit card companies or banks issuing cards were responsible for any fraud that occurred with the card. Beginning October 1, however, whoever uses the older card system will be liable. This means that churches processing payments on EMV cards with old devices could be on the hook if they process an upgraded card with an old magnetic strip card reader.
As more and more retail stores and other outlets make the switch to the new technology, fraudulent activity will no doubt increase where systems are most vulnerable—and this could certainly include churches with dated readers.
Many churches use readers to process a variety of transactions, whether it’s registrations for events, such as Vacation Bible School, retreats, concerts, kiosks for weekly giving, or purchases made at ministry-related businesses, such as coffee shops and bookstores. Even if churches don’t use readers, they should still be aware of the new technology and also be cautious of using swipe readers when they make purchases. Leaders also should contact their banks or credit card providers about receiving EMV debit or credit cards to be used by their churches.
Unfortunately most churches seem oblivious to the changes.
“For most churches, this is a low priority,” says Nick Nicholaou, president of Ministry Business Services, which provides technology services to churches. “They don’t realize that with lower security someone can get access to credit card information, and if fraud is traced to the church, they would be liable.”
Unless the company that provided a church’s credit card readers is making a big deal of the upcoming change, most churches aren’t paying attention. “The initial reaction is to dismiss it,” explains Nicholaou, who has blogged about the change. “This is on nobody’s radar.”
Churches need to care, even if they decide to wait to upgrade their systems. At the very least, Nicholaou says it should be treated as a risk management decision made by the church leadership. Because this is a fraud liability issue, the bookstore manager or the technology director should not be making the decision about whether or not to transition by October 1. “Those are leadership calls,” Nicholaou says, “and it can cause harm to the ministry if it doesn’t go quite right.”
The real threat to churches is if fraud is traced back to a transaction on its terminal. “Probably the greatest exposure would come if someone got the credit card number from a transaction at a church and then used it to make some heavy purchases elsewhere,” says Nicholaou. Then, a church could have to foot the bill for a large fraudulent shopping spree.
Steve Law, owner of Financial Leadership for Churches and Non-Profits, says he isn’t aware of any churches that are upgrading their credit card machines. He says it is mostly the responsibility of the credit card processing companies to provide churches devices that enable them “to receive credit card funds.” That’s what most churches are expecting, he explains. When they need to upgrade, their vendor will let them know. Unfortunately, regardless if those companies inform churches of the change, the churches could still be liable for fraud.
MinistryLINQ is one of many credit card payment processors that work with churches. David Henke, vice president of sales for the company, says the company is doing its best to get churches’ attention, but most church leaders have too many other things to pay attention to. “We do spend a lot of time trying to educate,” Henke says. Over the phone, through its product catalog and other mailings, or its website, Henke says the company is informing clients of the need to upgrade their machines. However most pastors “struggle to understand.”
The cost to upgrade isn’t prohibitive for most churches that have only one or two simple credit card terminals. The new EMV devices are priced between $300 and $600, says Henke. However other terminals, such as a cash register with a credit card reader embedded, can be more expensive.
A popular alternative to the traditional credit card reader is to use the mobile devices sold by Square, a company that is quickly becoming more widely used thanks to its simple, portable devices. Square’s readers plug into smart phones and other mobile devices. They are commonly used at trade shows or other places where a retail vendor needs to take payments on the go. But Square is also becoming more common in coffee shops and other “brick and mortar” retail outlets. According to Law, “Square is incredibly easy and portable. Other devices have more buttons and a steeper learning curve.”
Not only are they easy to use, but Square’s credit card readers cost just a fraction of traditional ones. Square is selling preorders of its EMV-compatible readers for less than $30. It is one of the reasons why Law says that “Square is becoming a simple solution for lots of problems.”
According to Gordon Conwell Theological Seminary professor Todd Johnson, fraud in churches currently could be as much as $37 billion globally, outstripping the money spent on missions. The new EMV transition is one way of preventing fraud and making sure congregations aren’t financially liable for it. “Churches are notoriously slow to change,” says Law, “preferring to react instead of pro-act.” With just a few months before the October 1 deadline, there’s still time to proactively address this potentially critical liability issue.
Related article: “Keeping Your Church’s Electronic Giving Safe“