A Roadmap to EMV
“The fraud liability shift in simple terms means the party with the least security in place will be responsible for the fraud if that transaction turns out to be a counterfeit card,” explains Randy Vanderhoff, director of the EMV Migration Forum, an organization founded by the Smart Card Alliance (www.smartcardalliance.com). Vanderhoff goes on to stress that merchants would be responsible if an EMV-capable card is used at their location but they don’t have the technology to read it so the transaction defaults to magstripe. However, if the card itself is not EMV-capable, the rules of the shift don’t necessarily apply.
“If a merchant installed EMV chip readers, and the customer uses a credit card that does not have a chip and it turns out to be counterfeit, the merchant is protected because the merchant is the more secure party,” Vanderhoff explains.
EMV, also described as chip-and-PIN or chip-and-signature capture, is already being used in Europe and Canada, and offers a more secure face-to-face transaction because it relies on a chip that generates a unique code each time the card is presented and read by a payment terminal. In theory, if a hacker were to get this transaction data, it would be useless because it does not contain the customer data necessary to create a counterfeit card.
“The October 2015 deadline is extremely important because of the liability shift,” says William Chen, owner at Café Kafofo (www.cafekafofo.com), based in Cambridge, Mass. “We don’t have the resources to have a lot of liability put on us for fraudulent transactions.”
In preparation for the liability shift deadline, the following are four key steps operators should take prior to October 2015.
1. Start early
Many in the retail industry have already made the switch — although most have not turned on EMV yet — and instead are waiting for the October date to do so, Vanderhoff says. He says the hospitality industry can learn from those retail migrations and realize the process is often more complicated and takes longer than planned. Because of this, experts are encouraging merchants to start the conversion sooner rather than later.
“Retailers who have started early and completed the process will tell you it took them longer than they anticipated,” he notes. “For merchants with integrated POS hardware, software and swipe terminals, it can be complicated, particularly if they are operating with an older system. It’s not just a new hardware terminal, but upgraded software as well.”
2. Utilize vendor knowledge
Like many operators, Jersey Mike’s (www.jerseymikes.com), a fast-casual sub sandwich franchise with more than 1,300 locations open or under development nationwide, has the ability to process the cards but hasn’t turned it on yet because the company is waiting to see how everything plays out with the switch, says Scott Scherer, CIO. The company is also relying on its card processing vendors for guidance on the software needed to process the transactions, including First Data (www.firstdata.com), which is used at most of its stores.
“We have our own proprietary POS system so we will have to rewrite the interface between the software and the terminal, which is high on our priority list,” Scherer says. “We will leverage the vendors’ expertise because they are in the credit card business and will know more than we do. We want to do it once and do it right.”
Chen is also looking to his POS provider, Leaf Mobile POS (www.leaf.me), which is a tablet-based system. While he won’t need to replace hardware, he will be looking for an update from the company and any hardware he will need to add on.
“Right now we take credit cards, gift cards and mobile payments, so we anticipate EMV being another option,” he says.
3. Deploy approved and EMV-ready POS equipment
All hospitality operators, whether planning for or in the middle of a point-of-sale (POS) upgrade, should have EMV top-of-mind when it comes to POS hardware and software, as well as payment terminals. Choosing a lab-tested terminal verified by the PCI Security Council is advised, and a list can be found at its website, says Troy Leach, CTO of the PCI Security Council (www.pcisecuritystandards.org).
Six months ago Jersey Mike’s started rolling out Ingenico (www.ingenico.com) customer-facing payment terminals equipped for NFC, magstripe and EMV. “We knew EMV was coming so we planned and budgeted for it,” says Scherer.
4. Prepare and train staff for new requirements
While some EMV cards will call for a signature, others will require a PIN to be entered by the customer. For fine dining restaurants, this will necessitate a portable device brought to the table for the customer to complete the transaction, Vanderhoff says.
“Training will depend on the type of operation being run,” he explains. “For counter service, employees will need to recognize the card has a chip and help people complete the transaction, whether there is a PIN involved or a signature. There will be a certain amount of interaction necessary between the cardholder and the staff that will require training.”
At Jersey Mike’s, they are already planning for employee training because they know customers will have questions and the staff will need to be educated to help. For example, an EMV card slides into the front of the terminal rather than being swiped on the side, says Scherer.
“We will have a training component with printed materials and webinars, and area directors will be trained ahead of time,” he explains.
Chen says that when Leaf sends updates for its POS software, it always sends along training materials, and he will rely on them to help train the staff at his café when the time comes.
“We get updates every month or two from Leaf, and there is always an email explaining new features and links back to a page with videos, and I imagine they will do the same for EMV,” says Chen.
EMV & its Impact on E-Commerce
While EMV is set to reduce fraud issues for face-to-face transactions – and has done so in Europe – there is still a need for extra security with online transactions, according to Troy Leach, CTO of the PCI Security Council.
“It’s like squeezing a balloon. We can tighten down on the face-to-face transaction fraud, but e-commerce and card-not-present fraud has skyrocketed in EMV secure markets,” he explains. “For online transactions or taking credit cards over the phone, the information can be reused, so operators still have to secure that information.”
The Data Security Standard remains important even with the increased security of EMV transactions, and it is imperative for hotels and restaurants taking payments online or over the phone. Leach suggests tokenization, the approach Scott Scherer, CIO, will be taking at Jersey Mike’s.
“We do take payments online with online ordering and are moving towards using a payment gateway that will use a token,” he says, noting the company uses an outside company (www.splickit.com) for its online ordering, but the payment processor involved will be token-ready when the time comes.
The goal is a multi-layered approach to security and protecting customer data, whether through point-to-point encryption or tokenization. For restaurants taking online orders, Leach also suggests accepting payment in person when the order is picked up.
“Taking the credit card information on a secure terminal once a person enters the restaurant to pick up the food will give the operator the benefit of EMV without the exposure faced online,” he says.