Skipping Out on the EMV Deadline?
With the deadline for the EMV liability shift mandate looming ever closer, the simple fact is that a majority of U.S. merchants aren’t going to meet it. Whether that’s unintentional or deliberate, they will all face the same consequences. PYMNTS recently caught up with Chris Lee, President of North American Strategic Partnerships and Emerging Markets at Moneris Solutions, to get her perspective on what those consequences will be, why some businesses are willing to accept them, and how EMV is actually only one part of a much-needed overhaul of payments security.
Fewer than half of all POS terminals in the U.S. will be EMV-capable by the end of 2015. In your opinion what is the real cost and consequences for those missing the liability shift deadline?
CL: The real cost will be paid in a number of ways: First, there are costs directly associated with higher incidences of fraud. This will become a more prevalent issue as the costs of fraudulent non-EMV transactions will fall to merchants after the October 2015 liability shift. Consumers expect businesses to offer the best – and latest – methods of payment security, and merchants transitioning to EMV-enabled POS terminals will significantly enhance the security of their transactions. The unique data provided by the EMV chip makes it nearly impossible for fraudsters to produce counterfeit cards. In fact, fraud related to counterfeit cards has been virtually eliminated in countries where EMV has been adopted. That alone should be enough to persuade merchants in the U.S. to adopt this standard.
Second, those merchants waiting to adopt EMV, or, worse yet, not adopting EMV at all, could face significant financial loss as a result of security breaches and the resulting fees they would be required to pay – not to mention the potential loss of business. With only months until the liability shift, merchants not preparing for the transition to EMV really need to contemplate whether their businesses can survive these potential losses. Some are at more risk than others. Traditional retail and restaurants could face substantial losses if they wait to transition due to the nature and volume of transactions they deal with day-to-day. However, others like dentists and doctors’ offices are at less of a risk and may not need to transition as quickly and can afford the short-term risk.
Lastly, and most importantly, consumers are frustrated with the growing number and scope of data breaches. In the past couple of years, popular retailers, such as Target and Home Depot, suffered costly breaches. Today’s consumers are well aware that chip-card technology has been implemented in other countries with much success. In fact, many of the merchants we work with, who are currently making the transition to EMV, have told us their customers are already inquiring as to when they will start accepting “chip cards.” Consumer expectations need to be met to maintain repeat business and revenue.
With EMV, checkout times will be slower than they currently are, and POS terminals will take more time to read a chip than a mag stripe. With customer experience being impacted, what is a merchant to do?
CL: Merchants have a lot of control over how they can manage the customer experience during this transition. It will take time for consumers to become accustomed to the new process so they might question cashiers about using the chip reader terminals. However, merchants can help ease the transition by taking a few basic steps, including training front-line employees, like cashiers and customer service team members, and enabling contactless readers. From our 10 years of experience helping businesses convert to EMV in Canada, training is one of the most effective tools in managing the transition. Retailers should educate employees on EMV and how chip cards operate, and then set a formal fallback policy – for example, when it is OK for a cashier to swipe a card with an EMV chip. Finally, create steps for cashiers to follow if a customer leaves a card in the terminal. The right payment processing partner should be able to provide staff assistance, training materials and other important tools to assist with system integration, testing and certification.
Merchants should certify contactless payment acceptance while transitioning to EMV, so they can quickly accept new payment methods as they become available. Customers will appreciate having more payment choices, including popular mobile payment options like Apple Pay. Merchants that enable acceptance of these new methods of payment enhance the customer experience by offering improved cardholder security and faster checkout times.
To address this, there are other options being introduced in the market that allow merchants to be more mobile and accept payments wherever they are. To date, these have been limited to mag stripe ‘swipe’ payments, but EMV will change that. Mobile payment solutions that can accept EMV – like the PAYD Pro solution we offer in Canada and are introducing into the U.S. market – can be a game-changer. It will make merchants more flexible in when and where they can accept payments and offer more convenience to customers, faster checkout times and improved overall service at places like restaurants where customers could pay at the table.
If implemented correctly, the transition to EMV presents merchants with an excellent opportunity to boost service levels and their reputation – by being among the first to make the change, training their staff on accepting EMV-enabled cards, and future-proofing their technology for contactless acceptance.
Payments security is much bigger than just EMV. In fact, EMV only partly addresses the real security issues at stake today. What security approach needs to be in place so that fraud is virtually eliminated both in card-present and card-not-present transactions? Is this even a realistic future for the U.S. market?
CL: This is absolutely something that can be accomplished in the U.S. market. The key will be to take a layered approach to your security strategy. While adopting EMV is an essential part of any payments security strategy, it is vitally important to round out your strategy with end-to-end encryption and tokenization. Combined, these three elements offer a robust approach to security resulting in decreased incidences of fraud, greatly reduced liability in the event of a network intrusion and lowered PCI-compliance costs.
Encryption and tokenization are two highly complementary products to EMV, and have received a lot of attention over the past year. Encryption, also known as “E2EE,” secures data in motion. Implementing end-to-end encryption, at the same time as EMV, will allow merchants to easily deploy encryption when needed, while also minimizing costly touch points to their systems. It is important for merchants to select an end-to-end solution with applications that operate within a certified PIN transaction security (PTS) device that encrypts card data the moment a card is inserted, swiped, or tapped. The data remains encrypted until it reaches the processor so merchants never have access to sensitive information, which reduces their PCI scope.
Tokenization focuses on securing data at rest. Merchants regularly store customers’ card data to track purchases – often to support loyalty programs – and to facilitate refunds or perform follow-on transactions. Tokenization solutions perform a critical role in data security by replacing card data with a unique numerical token. Merchants considering a tokenization solution are encouraged to seek solutions that use “format-preserving” tokens. With this approach, the token remains in the same format, with 15 or 16 digits, as the primary account number (PAN). Format preservation is important for integration with many common accounting and reporting software systems. It also allows merchants to confirm payment with customers by referencing only the last four digits of the account number.
Finally, what advice can you give about what to look for when choosing a payment security partner?
CL: As mentioned previously, EMV is just one part of your broader payment security strategy. It’s important to find a trusted partner that can also deliver end-to-end encryption and tokenization to round out your strategy. Look for a company that has experience in EMV processing. That may sound like the obvious answer, but a partner with experience understands how to navigate the complexities of the transition more so than a partner with less experience. The process of EMV development, certification and testing can be time-consuming and often frustrating. Processors that have worked with the card networks to implement EMV in other countries have found ways to simplify the process for U.S. merchants. For example, merchants can significantly shorten the certification and testing processes by integrating with an EMV and contactless payment solution that is pre-certified as compliant by one or more of the card networks. This will ensure their system will pass all mandatory EMV test cases and, as a result, system validation will take a significantly shorter time.
It is also helpful to work with a processor designated as a certified agent of one or more of the card networks. After completing the EMV testing phase, merchants and independent software vendors (ISVs) need to certify compliance with each of the card networks. Card networks charge for this service and often take weeks to respond to a merchant’s request. By working with a processor designated as a certified agent, merchants and ISVs only have to deal with one authorized party – their processor, which minimizes costs and delays of waiting for network certification. In addition, if you would like to integrate directly with your processor’s host system, look for a partner that provides tools to manage the process, such as simulator testing of EMV transactions.
Integrated payments software adds yet another level of complexity to EMV implementation, especially for firms with more than one ISV partner. That’s because integrated applications need to function as a cohesive infrastructure. Every application integrated with payment processing must pass hundreds of network-specific tests to achieve certification. ISVs collaborating with processors that support multiple EMV devices using consistent embedded software can provide considerable benefits to their merchant clients. For example, leading solutions can contain EMV-related testing to payment modules without affecting other ISV software.
In the end, finding the right payment processing partner to help with your EMV transition will depend on many factors, including their capabilities and experience, security offerings, pricing, and ability to meet the rigorous EMV timeline.