Sept. 28, 2016
By J.D. Oder II
Switching to EMV can be a massive undertaking. For major national chains currently processing EMV, the transition was more manageable; after all, they have the clout (and cash) needed to affect change and define the rules. For everyone else, it's been an uphill battle. Many are stuck in a frustrating limbo: they've shelled out for the new terminals, but solutions still haven't been certified by the processors. The certification process takes months, and the processors can't keep up with the demand. This is disproportionately affecting smaller chains and independent retailers as they fall further and further down on the priority list for processors.
As we've helped partners and merchant customers navigate the murky waters of the EMV adoption process, we've come across a number of commonly asked questions. Here are the answers, and some additional tips:
Why is the small business down the street processing EMV but I'm not?
Some small businesses are using simple, non-integrated EMV solutions because they have a single revenue center and already process payments with standalone terminals. For most businesses, we advise against these "quick-fix"” solutions, given non-integrated solutions are rudimentary and create costly limitations, while increasing the risk of erroneous transactions and potential fraud.
How do I respond when someone asks why I'm not processing EMV yet?
As we mentioned before, many merchants are stuck waiting for certification, through no fault of their own. If this describes the situation you are in, you can simply respond you want to accept EMV, but the timeline is out of your hands. One thing important to understand is EMV by itself does not guarantee payment security. The marketing for EMV has suggested it was going to prevent data breaches, even that it would have prevented the high-profile breaches of Target and The Home Depot. This is not accurate. EMV is an additional security solution, not a complete security solution.
How do I make the most of EMV?
Modern payment processing environments are becoming more complex and unique, and that's why it's important for merchants to understand EMV is not the payment security panacea it was once made out to be. Instead, it needs to be approached as a single component in the overall payment security strategy. A best practice is to use EMV with point-to-point encryption (P2PE) and tokenization. This constitutes the payment security trifecta.
EMV helps to prevent instances of card-present fraud by using a microchip to authenticate the card or cardholder.
P2PE is a vital layer of security for any card-present payment processing environment, including mobile points of sale. Look for solutions that encrypt card data at its first point of interaction with the payment terminal. By doing this, the actual card data never enters or travels through the merchant's payment system.
Tokenization solutions replace card data with a random, alphanumeric value, or token, for storage. This token should not have a one-to-one or mathematical correlation with the card number and, therefore, would be impossible to unencrypt and use for future fraudulent transactions in the case of a data breach.
With these three technologies working together, merchants are able to protect their customers' card data from every direction — making them much better equipped to avoid becoming the next victim of a data breach and a headline for all the wrong reasons.
The bottom line is that yes, EMV is a big pain in many ways, but ultimately, it's a key component of your payment security trifecta — a necessary evil, if you will. Fortunately, there are organizations working to make the transition smoother. The path to EMV acceptance might be a long and winding one, but remember that you're not navigating it alone.
J.D. Oder II serves as Shift4’s CTO and SVP – R&D and is a certified network engineer with more than 15 years of experience.