Lose the misconceptions.
Some merchants, including restaurant and hotel operators, have done little or nothing to prepare for EMV “because they think it won’t happen,” notes Lori Breitzke, president of E&S Consulting (www.eandsconsultingllc.com), a payments and payments technology consultancy. However, statistics indicate otherwise. According to Aite Group (www.aitegroup.com), 40 percent of debit cards and 70 percent of credit cards issued in the U.S. will, by the end of this year, be EMV-enabled and 86 percent of financial institutions plan to issue EMV debit cards in the next two years.
David Starmer, vice president, IT store systems, Dunkin’ Brands (www.dunkinbrands.com), says changing consumer sentiment also necessitates debunking the notion that the U.S. hospitality segment will never cross the EMV threshold. “Domestic consumer expectations” regarding payment security, such as that afforded by EMV-ready technology, “will shift accordingly as the penetration of chip cards grows over the coming years,” Starmer observes.
In conjunction with its franchisees and existing technology partners, Dunkin’ Brands has conducted what Starmer deems a thorough RFP to select appropriate payment terminals and corresponding technologies for its Dunkin’ Donuts and Baskin-Robbins units.
Certain merchants — particularly small ones — have also shied away from jumping on the EMV bandwagon because they believe they can avoid the liability shift by paying an annual fee for failing to deploy EMV-compliant equipment. “They don’t understand that there’s no such thing as an exemption; unless equipment is EMV-compliant, [operators] face increased liability for data breaches and chargebacks to their business,” Breitzke notes. “The financial repercussions can run into the millions.”
Give vendors a push.
The Cal Poly Pomona Foundation (www.foundation.csupomona.edu) operates Kellogg West (www.kelloggwest.org), an 85-room hotel and conference center, on the campus of California State Polytechnic University in Pomona, Calif. Its operational reach also includes 30 restaurants, mobile foodservice outlets and convenience stores scattered throughout the university’s grounds. EMV-ready POS equipment has already been installed at the Foundation’s Subway location and at Kellogg West. Upgrades to EMV-ready technology at other locations will be undertaken this summer.
Randall L. Townsend, PMP, SPL, the Foundation’s IT director, emphasizes the importance of exerting pressure on vendors to move faster with EMV-related technology development as the October 2015 liability shift deadline draws closer. “Our main challenge is getting POS system vendors to expedite their EMV hardware/software testing and certification,” Townsend states. To that end, the Foundation has been actively soliciting its vendors to commit to a late spring/early summer card reader upgrade schedule. Townsend and his colleagues anticipate that some vendors will not meet the deadline, but they intend to continue pushing these companies to get the job done.
Consider alternatives and special requirements.
Cost constraints need not prevent operators from moving forward with EMV now; other options can be explored to keep the ball rolling. For example, the Cal Poly Pomona Foundation’s budget precludes the installation of new POS terminals with chip card acceptance capability. As an alternative, its model calls for integrating external EMV-ready chip card readers with existing POS terminals. Several locations on the California State Polytechnic campus are awaiting final certification, between vendors and the Payment Card Industry Security Standards Council (www.pcisecuritystandards.org), for back-end integrated software using EMV-enabled readers.
Additionally, despite the current tight migration time frame, keep in mind that not every EMV solution is suited for every POS environment, and certain industry-specific requirements apply to restaurants and hotels. For instance, table service restaurants will need to implement chip card acceptance technology that is attached to the stationary POS system, and WiFi-enabled, integrated EMV-compliant devices for payment acceptance at diners’ tables. Similarly, hotel operators will need to ensure compatibility with property management systems.
Pay attention, also, to the advisability of activating contactless EMV card acceptance (near-field communications, or NFC) capabilities. Most, if not all new POS terminals can accept contact and contactless payments; by default, manufacturers have installed the hardware for both. However, unless the contactless capability is turned on, customers will be unable to pay for their food or lodging with an NFC-based mobile wallet. Dunkin’ Brands has recognized this, and it is reflected in the company’s overall payments technology strategy.
Once Dunkin Brands’ selects options from among those presented in the RFPs under review, it will engage its POS vendors in integrating technologies “in the most effective manner in support of an enhanced security posture, franchise operations and our guests’ experience,” including the desire to use mobile wallets, Starmer asserts.
For its part, the Cal Poly Pomona Foundation already accepts contactless payments in its Subway location. Some of its other operations will utilize Ingenico (www.ingenico.com) EMV-compliant card readers that can be retrofitted for contactless transactions when ECRS (www.ecrs.com), its POS solutions provider, is ready to effect the change.
Prepare to implement complementary technologies.
While EMV can be extremely effective in securing card transactions completed on restaurant and hotel premises, it has significant limitations. For example, EMV works only in card-present environments; there is no way for consumers to enter PIN numbers or scan chip-enabled credit cards to authenticate online transactions (e.g., paying in advance for takeout or delivery orders initiated on restaurants’ websites). Additionally, it is more focused on preventing counterfeit cards than on securing data as it passes from the point-of-sale to its final destination.
“EMV is a powerful weapon against data breaches, but it’s not the be-all and end-all of data security,” says Chris Bucolo, senior manager, partner relations for the security and compliance practice of professional service firm Sikich, LLP (www.sikich.com). “A multi-layered approach that includes tokenization and point-to-point encryption (P2PE) is highly advisable.”
Tokenization protects data by replacing the primary account number (PAN) on cards with a “token” that can either be a unique, randomly generated sequence of numbers and alphanumeric characters, or a combination of a truncated PAN and a random alphanumeric sequence. Because tokenized data cannot be decrypted without a special key, it is of no value to hackers.
Meanwhile, in P2PE, card readers harness encryption at the point of capture to eliminate clear-text data from operators’ networks and POS systems before that data passes through a secure gateway to the bank or processor.
“Merchants really have to upgrade their POS for EMV, but smart ones are choosing card readers that can support both EMV and P2PE,” Bucolo says. “Tokenization represents a natural fit.”
Starmer agrees. “Although the liability shift and EMV are a consideration, many brands, particularly QSR brands, don’t find much if any business case for the investment required to support only EMV,” he concludes. “[P2PE] and tokenization, along with increasing customer engagement (through the introduction of) diverse payments, can be larger motivators.”