Business Intel, December 2015 | Business Officer Magazine

RISK MANAGEMENT

Understanding and Complying With EMV Payment Card Standards

Europay MasterCard and Visa (EMV) specifications refer to security features in credit and debit cards that have been used for some time in Europe. The standards for such secure payment transactions have been adopted by more than 80 countries worldwide, with the United Sates being one of the last major developed countries to move to EMV standards.

The change holds significance for colleges and universities in that, as of October 1, the liability for card-present fraud shifts to whichever party in the payment transaction is the least compliant with EMV standards. At Boise State University, Idaho, we have learned a lot about the standards and are quickly moving ahead with implementation.

The Risks of Noncompliance

Historically, when a fraudulent credit or debit card transaction was conducted, the risk and liability for the loss was placed with the card processor or card issuer, such as the bank that issued the particular card. As the merchant, universities were not responsible for the fraudulent amount approved.

With the liability shifting to whichever party is least compliant with EMV standards, a transaction made with a fraudulently used, chip-enabled card in your bookstore—which did not convert to the ability to accept chip cards—would result in the liability for that loss likely going to the university bookstore, not to the card issuer.

Increased costs and penalties—along with nonfinancial risks—to the university might also arise in cases such as data breaches. If there is a significant data breach at your institution, and you are not complying with the most recent payment security standards, including EMV, the noncompliance can easily become public information. Such publicity often results in some loss of goodwill, loss of trust in your institution, and possible additional secondary liabilities.

Defining Differences

With a traditional credit or debit card, all the data and information needed to authorize a transaction is contained within the magnetic stripe. If a card is lost, stolen, or counterfeited, the information within the magnetic stripe can be used to authorize fraudulent transactions.

With an EMV card (credit cards often referred to as “smart cards,” “chip cards,” or “chip-enabled cards”; and debit cards called “chip” or “pin cards”), a smart chip creates a unique transaction authorization code. This is done either (1) online, via communication with the card issuer during the transaction or (2) offline, using a complex cryptogram generation process. The result is that for every transaction a unique code is assigned and usable only once. If an EMV card is lost or stolen, the authentication codes stored within the chip are valid only for the past transactions, and cannot be used for any future transactions.

Elements, Costs of EMV Compliance

In its simplest form, EMV compliance requires the mandatory hardware and software needed to authorize payment card transactions using the smart chip, rather than the magnetic stripe, or manual card number entry transactions. It also requires an update to the transaction terminal software that meets testing and certification requirements to ensure a successful implementation.

At Boise State University, we recently purchased dozens of new credit card terminals at a cost of $500 to $800 each, depending on the features each department needed. Terminals may also be leased or rented.

Since your institution’s merchant services provider and processer share in the risk associated with campus transactions, don’t hesitate to call upon them to be your partners and experts in all payment card compliance. As we transitioned to EMV compliance, our merchant services provider was a key partner and consultant in the process. That partnership started with a phone call to our bank and the request to help us be EMV-compliant. Within a day our vendor gave us a list of all our current card terminals and recommended replacement of EMV terminals, calculated the associated costs, and estimated the lead time needed to install all the equipment.

Five Steps

We’ve found that the following actions can help ensure compliance with EMV specifications:

Ask your financial division or treasury office what has been done to-date to become EMV compliant, so that you are aware of the current status of compliance.
Meet with your merchant services provider, discuss your current level of EMV compliance, and use the company’s expertise to fill in the blanks. Remember that your merchant services vendor is your partner and consultant in card payment compliance
Review the compliance status of on-campus vendors. This is a hugely important step. It is likely, for example, that your campus has contracted food service with integrated point-of-sale terminals (POS); third-party parking meters with built-in credit card capabilities; third-party box offices; private bookstore operators; vending machines; and much more. Include in your EMV compliance review, not only university-owned terminals, but those used by third parties as well.
As you renew or modify yourservice agreements with vendors, consider contractual clauses for EMV compliance and/or additional insurance and/or indemnification for fraudulent card activity and data breaches. While many of these companies may be reluctant to replace POS terminals costing thousands of dollars each; or parking meter operations may not have the funds to exchange hundreds or thousands of parking meter heads—and other third parties may go so far as to determine that the risk of not being EMV-compliant is less costly than updating their systems—be wary of this approach. The reputation of your university is linked to the performance and service your vendors provide to your students and guests.
Partner with general counsel, risk management, and purchasing, as you review current and future vendor contracts. If certain vendors are not yet complying with the new payment standards, ask them for their plans and the schedule determining when they will arrive at EMV compliance.

RESOURCE LINK For more information, including a schedule for EMV compliance and risk transfer visit: www.creditcards.com/credit-card-news/emv-faq-chip-cards-answers-1264.php and http://lp.verifone.com/media/2146788/emv_key_dates_chart_021213.pdf.

SUBMITTED BY Jared Everett, treasurer and executive director of real estate and business development, Boise State University, Idaho.

CAMPUS OPERATIONS

Business officers in small, financially strapped institutions often can’t spare the millions of dollars required for highly expensive—yet necessary—major technology upgrades. So what can they do to stay current?

Leaders at The College of New Rochelle (CNR), New York, found an award-winning answer, by adopting a shared service model with nearby Marist College, in Poughkeepsie. “The shared service model allowed us to move forward aggressively on upgrades to our website and ERP (enterprise resource planning) system,” says Betty Roberts, CNR’s vice president, finance and administration.

Using the model (recognized with a NACUBO 2015 Innovation Award), CNR was able to upgrade the college’s 30-year-old outsourced proprietary system to a new Banner-based system that now provides self-service financial management on desktops across the institution via a Web interface.

“Our student, human resources, and financial systems were not integrated,” Roberts explains. “We needed to move forward in adopting an ERP model that would unify these operations. Users had no way of getting financial information unless they bombarded my office with calls for reports and analysis. Access to data needed to be in real time.”

Now that the finance system and website are complete, Roberts is looking forward to the rollout of the student system in the summer of 2016, with the HR implementation to follow. The new website, which is hosted on Marist’s server, was built using open-source software, eliminating licensing fees.

Why Share Services?

Recognizing that technology is a driving force in the instructional methods and administrative processes of higher education, Judith Huntington, CNR’s president, endorses the concept of sharing services. “Adapting to new forms of technology is costly, complex, and an ongoing challenge for every college,” she says. “A sound technology strategy is one that not only responds to the opportunities of today but also builds capacity for growth.”

She believes the partnership benefits both institutions: The College of New Rochelle avoided a costly investment in hardware and additional IT staff, and Marist College expanded its partnership of institutions that could take advantage of its technical capability and excess capacity.

“We are able to leverage the expertise of Marist’s technology proficiency to drive down our costs and preserve our commitment to affordability for our students,” Huntington explains. “At the same time, the shared services model supports Marist College in its objective to advance in its technology leadership role in higher education.”

Compatible Collaborators

According to Roberts, CNR chose to partner with Marist for a variety of reasons: The missions of both institutions are compatible; and presidents, board members, and administrators have established relationships based on mutual trust. “Marist is committed to educational excellence, service, and community,” she adds. “Because the college has been an ERP institution for eight or more years, its leaders brought instant knowledge and capabilities. It was a good fit.”

She explains that a five-year contract spells out service levels, costs for support, procedures for bringing systems onboard at a later date, financial obligations, and cost escalators.

“In shared services, you don’t lose your individuality as an institution,” Roberts points out. “If anything, you gain synergy. It has been an efficient, cost-saving model for us to embrace. We as business officers need to look for greater opportunities like this. We have to look for innovative ways to stay vibrant. In light of the economic situation that higher education is facing, this is the way in which we must travel if we want to be progressive and continue to flourish.”

Dennis Murray, president of Marist College, agrees. “The use of a shared services model is imperative to advancing technology in higher education for students in a cost-effective way,” he says. “It doesn’t make sense for every college to invest in high-tech resources, when colleges like Marist, who have it as a core competency, are in a position to share that expertise.”

RESOURCE LINK For more on ways that institutions are taking advantage of shared services, see the feature article “Control-Center Services.”

SUBMITTED BY Margo Vanover Porter, Locust Grove, Va., who covers higher education business issues for Business Officer.

“Any professional [who] is mainly involved in dealing with information is going to be replaced by algorithms and artificial intelligence.”

—Graeme Codrington, futurist at TomorrowToday Global

Fast Fact

Quick Clicks

Surge in International Students Studying in U.S.

The Open Doors 2015 report, released mid-November by the Institute of International Education, shows a 10 percent increase in international students attending U.S. colleges and universities. The increase, bringing the total number of international students to nearly one million, represents a 10 percent increase over last year’s numbers—and the highest rate of growth in 35 years.

College Readiness Remains Challenging

While the percentage of graduating high school students meeting three or four of the ACT College Readiness Benchmarks increased slightly from 39 to40 percent, in this year’s report, 31 percent of the ACT-tested graduating class still does not meet any of the benchmarks. Nationwide, an opportunity to improve on student college and career readiness can be found in reading and science, where at least 10 percent of the students were only 1 or 2 points below the benchmark.