EMV rules for vending machine owners


Your Business Credit
Elaine Pofeldt is a journalist whose articles on entrepreneurship and careers have appeared in Fortune, Working Mother, Money and many other publications. She is a former senior editor at Fortune Small Business magazine and an entrepreneur herself, as co-founder of, a website for independent professionals. She writes "Your Business Credit," a weekly column about small business and credit, for

Ask Elaine a question or read her prior answers in the 'Your Business Credit' archive.

Question Dear Your Business Credit,
I have a vending machine with a credit card reader. A third party handles the service. Does the new law of having a reader able to read chips apply to vending machines?  -- Roy

Answer Dear Roy,
It's a good thing you asked. As you are aware, a shift in liability for card-related consumer fraud kicked in Oct. 1, 2015. It's not a law, but it is substantial, industrywide change in how payments are accepted in the United States. As of that date, merchants -- not banks -- became liable for consumer fraud involving credit cards that contain EMV chips if they have not installed an EMV-compliant credit card reader. Cards with the chips are more secure than magnetic stripes against counterfeit card fraud.

According to Henry Helgeson, CEO of payment technology company, Cayan, the fraud liability shift does apply to vending machines, so you should indeed upgrade your credit card reader.

"This means vending machine operators without EMV-capable hardware should contact their vending supplier and processor to ask about an upgrade," Helgeson said in an email. "The only exception to this are self-service gas pumps -- what the card brands call automated fuel dispensers. Gas stations have two additional years, until October 1, 2017, to upgrade to EMV."

Paul Bridgewater, CEO of Sage Payment Solutions at payment processing firm Sage North America in Atlanta, noted that since the liability shift covers kiosk acceptance, merchants who own vending machines but don't upgrade are at risk of paying for chargebacks in fraud-related situations. "If EMV technology isn't used and an EMV-related chargeback is initiated, the merchant would be liable," he said in an email. "This is only for chargebacks related to card fraud or the use of replicated cards."

As more consumers receive EMV cards to replace those with magnetic stripes, this risk could conceivably increase over time. "What the liability shift does mean for vending machine operators is that if they have a mag stripe point-of-sale reader and an EMV card is used, the operator will bear the cost of any fraud that occurs, since the card could have been processed as an EMV transaction," Jack Jania, senior vice president of strategic alliances at digital security company Gemalto, said in an email.

However, Bridgewater pointed out that the risk of vending machine fraud is very low. He cited an article in trade publication Vending Today that quotes Brendan Kehoe, vice president of Streamware at Crane Merchandising Systems, who estimated this risk at about 0.16 percent. (In some cases, the article notes, vending machine operators may have an agreement with the provider of the machine that migrates the responsibility to the provider.)

Jania had a similar perspective. "Fraudsters most likely won't go through the trouble of cloning credit cards just to use them at a soda machine, so ultimately the risk is very minimal," he said in his email. "It really comes down to being a business decision for vending machine operators. They will need to determine the amount of fraud they are willing to risk and make their decision to implement chip readers or not based on that assessment."

Although the risk vending machine operators face is low, this is a good time to point out the risk of credit card fraud is higher in many industries where small businesses operate.Many business owners have not upgraded their credit card processing machines, which means they now face what could be steep liability for fraud. According to research from TD Bank, as of early October 2015 only 41 percent of small businesses had installed EMV chip-enabled payment terminals. Many were planning to do so but hadn't gotten around to it yet. The bank found that 40 percent plan to install chip-enabled payment terminals but have run into obstacles or have concerns about making the conversion.

Some small-business owners believe making the shift will be expensive, the bank found, and that's a legitimate concern. While it isn't cheap, especially if you run multiple terminals, the average cost among survey respondents who made the conversion -- $450 -- is probably less than many would anticipate. (In an earlier "EMV terminal recommendations for small businesses," I looked at some lower-cost options for merchants). When you consider that bearing the cost of a single fraud could potentially put you out of business, this expense may not seem to be great.

Unfortunately, it seems many owners are taking the ostrich approach. Among small-business owners, 73 percent who responded to the survey said they are not very concerned about fraud or not concerned about it at all. Taking that approach can land you in unexpected trouble. First Data found that the cost of a data breach for a merchant with less than $1 million card transactions annually averages $36,000. While EMV won't prevent data breaches, it will make breaches harder to pull off and less attractive to thieves because the stolen data would be much less useful.

If you find you're overwhelmed by the requirements of the new law, I would recommend talking with your bank or credit card processor for advice. It may not be fun to comply with the liability shift, but it's not going to go away. Credit card fraudsters are getting more creative by the day, and small businesses are an easy target.    

See related: 7 merchant tips to understanding EMV fraud liability shift, Poll: Most cardholders lack smart-chip cards, despite deadline, EMV holdouts: Why merchants are slow to make chip-card switch

Meet's reader Q&A experts

Does a personal finance problem have you worried? Monday through Saturday,'s Q&A experts answer questions from readers. Ask a question, or click on any expert to see their previous answers.

Published: November 9, 2015

Join the discussion
We encourage an active and insightful conversation among our users. Please help us keep our community civil and respectful. For your safety, do not disclose confidential or personal information such as bank account numbers or social security numbers. Anything you post may be disclosed, published, transmitted or reused.

If you are commenting using a Facebook account, your profile information may be displayed with your comment depending on your privacy settings. By leaving the 'Post to Facebook' box selected, your comment will be published to your Facebook profile in addition to the space below.

The editorial content on is not sponsored by any bank or credit card issuer. The journalists in the editorial department are separate from the company's business operations. The comments posted below are not provided, reviewed or approved by any company mentioned in our editorial content. Additionally, any companies mentioned in the content do not assume responsibility to ensure that all posts and/or questions are answered.

Follow Us

Updated: 10-27-2016

Weekly newsletter
Get the latest news, advice, articles and tips delivered to your inbox. It's FREE.