Meeting EMV Requirements in the Hospitality Industry

Half of credit card fraud happens in the United States, often as a direct result of magnetic-stripe cards that are easy to counterfeit or steal data from. 2015 was the year when forces combined to demand a transition away from magnetic-stripe cards to cards equipped with EMV technology (“Europay, MasterCard, Visa”). These cards come with a small computer chip that drastically increases security. As of October 2015, businesses that don’t have an EMV processing device could be held liable for fraudulent card transactions originating from their business. Few industries are unaffected by this liability shift, and as a result there has been a scramble to work with payment solution providers like POSDATA to ensure large-scale EMV transitions are handled professionally and efficiently.

Case Study: The Problem

In the hospitality industry, every business decision centers on providing first-class, personalized service to every guest. Part of this first-class service is ensuring the security of all guests. In October of 2014, a major provider of hospitality property management software systems realized they would need to adapt to the heightened EMV requirements to ensure the users of their software (hotels & spas) were keeping their guests’ payment information secure. The provider began with a full review of the payment systems that interacted with the technologies they provided to their clients. The review revealed numerous improvements that would need to be made in the systems they installed at hotels and spas nationwide. Unlike a small business that could quickly replace just a few aging POS systems, the provider was looking at a large-scale upgrade for nearly 2000 different properties.

The provider first turned to Ingenico for assistance in the migration to EMV-compatible systems. Ingenico advised them that a third party payment solution specialist would be critical in overseeing the successful configuration and deployment of such a high quantity of terminals. They recommended POSDATA as their third party solutions provider because of a history of excellence in being knowledgeable, consultative and perfective in the rollout and ongoing management of payment technologies.

Case Study: The Solution

It was critical that the new payment terminals being deployed to the locations were standardized company-wide and pre-configured to operate perfectly right out of the box. POSDATA provided custom configuration, staging and deployment of the terminals straight from their Louisville, Kentucky headquarters. Each device was loaded with the point-to-point keys and the PIN encryption key. The appropriate cable and power supplies were combined with the solution and shipped to each individual destination.

Equally important, POSDATA offered ongoing managed services for these end users. Now whenever a property needs to purchase new devices or repair their existing payment terminals, they can call POSDATA directly to handle everything. POSDATA is able to recommend the ideal combination of payment technologies for each location, all while ensuring all EMV requirements are taken into account and built into the final solution.

As a longstanding leader in the payment services industry, POSDATA has evolved over the years to be able to easily accommodate both high and low-volume requests of our clients. We are proud of our ability to manage so many moving pieces and keep our clients happy and secure.


The preceding article is available as a printable case study. Access it here.

Setting Up Your EMV Payment Solution

Business owners, card issuers and payment processors throughout the United States are now in the process of switching over to EMV. Despite plenty of time to prepare, there are ongoing reports that the transition process has been very rocky and US merchants as a whole are not prepared. Many businesses are being pressured into a quick EMV solution that doesn’t take into consideration their specific needs.

EMV technology was designed to authenticate cards at card-present payment terminals. It helps to prevent the use of fraudulent cards in stores better than traditional magnetic stripe cards. However, EMV is not 100% secure nor was it designed as a security method to protect the merchant’s payment environment. This means that a well-constructed EMV solution requires the use of layered security to protect sensitive cardholder data, including:

P2PE. All card data should be encrypted from the time it is keyed, swiped, tapped or inserted. Merchants should use a device that encrypts at the point a payment terminal interacts with a card or mobile wallet so that no payment information is ever in the clear and at risk of being stolen by a savvy hacker. This shrinks the merchant’s cardholder data environment to the secure device level, reducing much of the merchant’s breach profile and their PCI DSS scope along with it—something that EMV alone can’t do.

Tokenization. All card data should be removed from the merchant environment and placed under the protection of an organization that considers the security of their merchant customers’ payment processing its primary job. To do this, merchants must adopt a security- or storage-based tokenization solution, which replaces sensitive cardholder data with non-decryptable information that is meaningless to all but a select few. This differs from emerging “payment token” solutions, such as those offered by mobile wallets, by providing security for merchant systems, not just individual consumers.

EMV. EMV has merit for authenticating card-present transactions. Still, merchants should implement EMV in a strategic fashion, making sure to add the layered security of P2PE and tokenization to protect their customers’ payment information from data thieves by removing that sensitive data from the merchant environment entirely.

Though big undertakings such as the transition to EMV can be confusing, merchants must not be pressured into a quick solution that doesn’t meet their specific needs. Instead, they should take the time necessary to implement EMV as a step in the path to true security, not as a security solution in and of itself.

By layering EMV with the security of P2PE and tokenization, merchants can better authenticate cards used at card-present payment terminals, with the added bonus of securing that card data throughout the transaction process and within their systems and networks. This will ensure that their environment – and their customers’ payment information – is protected against the attacks of hackers.
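
Whether tokenization has actually removed card data from merchant systems can be checked mechanically. The following is an added example, not part of the original article: the vault class, token format and sample folio lines are constructed for illustration, and it replaces each card number with a random storage token, then scans the merchant-side records for any Luhn-valid number still in the clear.

```python
import re
import secrets
import string

# 13-19 digits, optionally grouped with single spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """True if the string is 13-19 digits and passes the Luhn checksum."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_clear_pans(text):
    """Return every Luhn-valid card number that appears unprotected in text."""
    hits = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


class TokenVault:
    """Stand-in for the tokenization provider; runs outside the merchant environment."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan):
        if not luhn_valid(pan):
            raise ValueError("not a valid card number")
        if pan not in self._token_by_pan:
            # Random letters have no mathematical link to the PAN, so there is
            # nothing to decrypt; only the vault's lookup table can reverse it.
            body = "".join(secrets.choice(string.ascii_uppercase) for _ in range(20))
            token = "tok_%s_%s" % (body, pan[-4:])  # last four kept for receipts
            self._token_by_pan[pan] = token
            self._pan_by_token[token] = pan
        return self._token_by_pan[pan]

    def detokenize(self, token):
        return self._pan_by_token[token]


def tokenize_record(record, vault):
    """Replace each clear-text PAN in a merchant record with its token."""
    def swap(match):
        digits = re.sub(r"[ -]", "", match.group())
        return vault.tokenize(digits) if luhn_valid(digits) else match.group()
    return PAN_CANDIDATE.sub(swap, record)


# Constructed sample folio lines using well-known test card numbers.
RAW_RECORDS = [
    "2015-10-01T09:14:02 folio=88213 room=412 card=4111 1111 1111 1111 amount=189.00",
    "2015-10-01T09:15:40 folio=88214 room=207 card=5555555555554444 amount=94.50",
    "2015-10-01T09:16:11 folio=88215 room=118 ref=1234567890123456 amount=12.00",
]


def audit(records):
    """Map each record to the clear PANs found in it (empty list means clean)."""
    return {rec: find_clear_pans(rec) for rec in records}


if __name__ == "__main__":
    vault = TokenVault()
    tokenized = [tokenize_record(r, vault) for r in RAW_RECORDS]
    for label, recs in (("before", RAW_RECORDS), ("after", tokenized)):
        for rec, pans in audit(recs).items():
            print(label, "EXPOSED" if pans else "clean  ", rec)
```

The third sample line carries a 16-digit reference that fails the Luhn check, so it is neither flagged nor tokenized.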


POSDATA is your trusted source in the transition to EMV. We advise organizations of all sizes on payment processes and products. To learn more, Contact Us.

Credit Card Issuers Not Prepared for EMV

In a September 30 press release, Mastercard says that only 40% of their issued cards have chips for EMV.

While this press release is intended to put a positive light on the transition to cards featuring EMV chip technology, the reality is that there is a long way to go to get consumer credit cards transitioned over. With October 1 as the official liability shift deadline, there are some very concerning signs in regards to the slow adoption of EMV technology in the United States:

  1. Last minute rule changes by the Debit Network Association have delayed development efforts and caused solution providers to have to update systems already deployed.
  2. No one can accept Contactless EMV until 4/16.
  3. Only 27% of merchants will be able to accept EMV cards this October. Various sources quote 40% by year end, but this is a lofty goal considering that retailers are very unlikely to roll out new devices and software during the holiday period.

 

Here’s the full press release:

Purchase, NY, September 30, 2015 — With just hours before the October 1 liability shift, new data from MasterCard reveals that 40 percent of all U.S. MasterCard-branded consumer credit cards feature EMV chip technology. According to a Payments Security Task Force forecast announced earlier today, the number of chip cards in the U.S. will grow to 60 percent by the end of this year, expanding to 98 percent by the end of 2017. “The data proves that the shift to chip in the U.S. is a reality. We’re incredibly encouraged by the tremendous progress across the industry, knowing that consumers are ultimately the ones who will win,” said Chris McWilton, president, North America Markets, MasterCard. Not only are consumers beginning to carry chip cards in their wallets, but they are also able to use them at more and more merchants around the country. The company reported tens of millions of chip transactions in September alone at the more than 350,000 national merchant locations accepting the new cards.

One-quarter (26 percent) of national and regional merchants – stores and restaurants with multiple locations – have started to accept chip cards.

“Consumers are ready for the new chip cards. In fact, 75 percent of cardholders agree the increased security of the chip cards greatly reduces the ability for thieves to copy or use their cards for unauthorized purchases,” said McWilton.

About MasterCard

MasterCard (NYSE: MA), www.mastercard.com, is a technology company in the global payments industry. We operate the world’s fastest payments processing network, connecting consumers, financial institutions, merchants, governments and businesses in more than 210 countries and territories. MasterCard’s products and solutions make everyday commerce activities – such as shopping, traveling, running a business and managing finances – easier, more secure and more efficient for everyone.


EMV Liability Shift Ebook

Most people do not understand the upcoming EMV Liability shift. With the deadline coming October 1, 2015, many merchants and service providers are ill-prepared for the potential consequences of this shift. Fortunately Ingenico has put together an important eBook outlining the EMV Liability shift, with a focus on:

  • What EMV is and the benefits it provides
  • What the EMV liability shift actually means
  • What the risks of not migrating to EMV are
  • How to initiate the EMV migration process for your business
  • How the EMV liability shift will impact specific stakeholders in different fraud scenarios

You can download the eBook at Ingenico’s site here.

EMV Updates: Summer 2015

As I interact with our dealer and reseller partners or sit in on sales calls with end users, questions consistently come up regarding EMV. Here are the latest EMV updates as of Summer 2015.

Do I still need to use P2P Encryption since I am moving to accepting EMV cards?

The answer to this one is definitely yes. A large portion of transactions will still have to be approved “online”, meaning that account number information will still be sent up to the host for authorization. Without P2P encryption to protect it, that account data is still at risk as it travels through the network. Allen Friedman, Director of Payment Solutions at Ingenico, says “Linking EMV and encryption creates an effective shield against card fraud and data breaches. Both are necessary and they complement each other”.

A recent NY Times/National Small Business Association survey of 675 small businesses found that …

  • 50 percent had been victims of hackers looking for Credit Card data.
  • 68 percent of those hacked were hacked more than once.
  • Small businesses are being hacked at the same rate as large tier retailers, possibly higher as many incidents go undetected or unreported.
  • Average attack on a small business costs over $20,000.

A Point to Point Encryption scheme in conjunction with EMV substantially reduces the possibility of account info being

What does the coming Liability Shift really mean to the retailer?

After the October 2015 shift, liability falls to the party using the least secure technology. AMEX, MasterCard and Discover will hold the merchant liable for any counterfeit or stolen cards accepted if the merchant is using a non-EMV device. Visa for now excludes stolen cards and will hold the card issuer liable.

To put this in perspective …

  • 25 percent of all transactions in the world take place in the US.
  • 50 percent of all credit card fraud occurs in the US.
  • Credit Card fraud has increased to represent 10 cents per every $100 transacted and is still growing.
  • 10 billion dollars in Credit Card fraud is expected in 2015. Up from 8.5 billion last year.

All this fraud is going to find its way to the least secure merchants as EMV is implemented.

A few of the payment industry’s experts have also weighed in on liability and security…

  • “Once the larger merchants adopt EMV, fraudsters will pick on the smaller guys unless or until they have migrated” – First Data Merchant Services
  • “While many small merchants will say they are currently not expecting a lot of chargebacks from counterfeit cards, they should know that they will become a target once the liability shift occurs – unless EMV compliance has been achieved” – Vantiv
  • “At some point, consumers will strongly embrace EMV as the secure way to pay as seen in foreign visitors who are hesitant to shop in US stores that do not have EMV” – First Data Merchant Services

I also often hear asked what the return on investment or the ROI is for spending all this time and money. The simple answer is that there is not a simple answer. True, the liability shift is not a mandate and EMV is not mandatory to be PCI compliant. Also true is that many merchants do not see much fraud given the nature of their business or that the number of chargebacks a merchant is seeing today can be used as an indicator of future fraud activity. The fact that there seems to be little incentive in the form of lower processing fees is no help either, but think of it this way:

  • Security standards are changing more rapidly and the crooks are getting smarter. Those old PCI 1 and 2 devices that you have may not be secure enough to fend off today’s attacks on their own. Keeping up with changing technology is part of the “cost of doing business”. It’s not just EMV that’s bringing on these changes.
  • Data breaches are increasing rapidly in the US, and EMV paired with a P2P encryption solution and PCI mandated networking standards will make you more hacker proof, so attackers will focus on less difficult targets. Bear in mind that the merchant is already liable for data breaches, and a breach could stop a merchant’s ability to accept credit or debit payments.
  • Once EMV is up and running, stealing card data is less attractive and counterfeit cards will be more difficult to use. This benefits all merchants in the long run.

Something else to consider is the risk level going forward as certain merchants are more exposed to fraud by the nature of their business and how prepared they are. Is the merchant…

  • Dealing in a vertical that sells goods that often get returned for cash, sold on the street or sells gift cards?
  • Located in a transient area such as a tourist destination, near a major highway or high traffic area?
  • One that has a large number of employees that handle credit cards and also has high employee turnover?

If so, it makes good sense to be as protected as possible.


I hope that this information helps as you speak to your customers about their upgrade plans. If you have any questions, please contact me (Bryan Jackson at this email or 972-514-4236) or your PosData Business Development Manager. We are more than happy to help.

Payment Industry Acronyms

A Guide to Payment Industry Acronyms

The payment industry is chock-full of acronyms and abbreviations to describe the often complicated technologies surrounding electronic payment transactions. We have worked in the industry for many years and even we have trouble keeping up with the latest acronyms and their definitions. To help clear up the confusion among our customers and friends in the industry, we have put together this list of the most important payment industry acronyms.

Acronym | Definition
ANSI | American National Standards Institute - A non-profit that oversees voluntary consensus standards for US products, processes and systems. Encryption key transfer, storage and injection are subject to ANSI Standards.
API | Software Application Interface - a set of routines, protocols and tools for building software applications.
Contactless | See NFC
CurrentC | See MCX
E2E | See P2P
EBT | Electronic Benefit Transfer. Usually refers to SNAP (Food Stamps) or On-Line WIC.
EMV | Europay, MasterCard and Visa joint venture which created the original standards used for Smart Card payment transactions.
Form Agent | Verifone MX Terminal application
FPE | Forms Processing Engine - Equinox’s L Series Terminal Application
IK | Integration Kit - Used to integrate a POS system to a payment terminal’s default application
ISO | International Organization for Standardization - International standard setting body composed of representatives from various national standards orgs. ISO created standards for credit auth messaging (ISO 8583, for example) and NFC communication messaging (ISO 14443 and ISO 18092).
ISO | Independent Service Organization - an entity that specializes in the sales, repair and maintenance of another company’s equipment.
ISV | Independent Software Vendor
JPOS | JPOS is an open source library which is used on a variety of POS and Payment applications. It can be used on PCs or browser based applications.
KSI | Key Identifier - First 10 digits of the KSN
KSN | Key Serial Number - Generated and sent with each encrypted PIN Block. Identifies the Key to the host processor.
MCX | Merchant Customer Exchange - a group of large retailers and banks who are developing a product called CurrentC, a mobile wallet similar to Apple Pay or Google Wallet that uses QR barcodes rather than RFID to pass payment information. Notable retailers involved are Sears Holdings, 7 Eleven, Wal Mart, Rite Aid, Best Buy and Exxon Mobil.
MSR | Magnetic Stripe Reader
NFC | Near Field Communication, also known as RFID or Contactless. Uses a chip embedded in a card, fob or smart phone and an antenna that emits a low level electrical charge. The charge powers the chip, which then transmits the customer’s data to the antenna. There are two standards in use today for payments: ISO 14443, which is used commonly for one way communication to transmit credit card data, and ISO 18092, which is used for two way communication for EMV and couponing on Mobile Wallets.
OEM | Original Equipment Manufacturer - Generally in the payment world OEM refers to the company that makes a part or device that is sold by another company. For example, Mag Tek makes an MSR for an Equinox terminal. Mag Tek refers to Equinox as an OEM.
OPOS | OLE for Retail POS - a platform specific version of Unified POS, mainly used on Microsoft Windows operating systems
P2P | In the payment industry, this refers to Point to Point Encryption. Customer account data is encrypted at the swipe and decrypted at either a retailer’s switch, a payment gateway or by the processor, depending on the scheme. There are several schemes in play using various encryption methods.
PA-DSS | Payment Application Data Security Standard. PCI Standards concerning Payment and POS applications.
PCI | Payment Card Industry. A council made up of terminal manufacturers, processors, card brands and security experts from the payment industry. This group sets all the standards and practices regarding securing payments, applications and networks.
PCI-DSS | Data Security Standard - PCI standards for payment card data security.
PCI-PTS | PIN Transaction Security - PCI Standards on debit PIN entry and encryption on attended and unattended payment devices. No payment device can be sold, injected with a key or accept PIN entry without being PCI-PTS approved.
PKI | Public Key Infrastructure - a system developed by RSA that uses a public key certificate in a device that is signed against a private key kept on a secure host to authenticate applications, devices and some P2P schemes.
QR Code | A Quick Response code. Resembles a barcode and can be imaged by a Smart Phone for advertising or for payment info. See MCX.
RBA | Retail Base Application - Ingenico’s original terminal application, still in use. It is the more robust of the two that they offer. Some terminal features only work with this application.
RFID | See NFC
RKI | Remote Key Injection
RSA | Rivest, Shamir and Adleman, developers of the most commonly used Public Key algorithm. See PKI.
SaaS | Software As A Service
SDK | Software Development Kit - Used to create applications to run on payment terminals.
SNAP | State Nutritional Assistance Program - USDA Food Stamp Program
SRED | Secure Reading and Exchange of Data. Created by the PCI Council to provide terminal manufacturers and ISVs a secure criteria to use in support of P2P.
SVC | Stored Value Card = Gift Card or Card issued for refunds
UIA | Ingenico’s application that works with OPOS, JPOS and UPOS standard POS applications.
Unified POS | See UPOS
UPOS | Unified POS is a world wide ISV and retailer driven set of Open Standards developed with the National Retail Federation to provide vendor neutral software application interfaces (See API) for point of sale peripherals. The goal being to allow retailers freedom of choice in selecting hardware.
VHQ | Verifone HQ - Estate Management Software
WIC - Off Line | WIC redeemed via Smart Cards. WIC Prescription is written to the Smart Card at the State run clinic and is decremented by the POS as items are purchased without going up for auth at a host. Retailer creates a settlement file and submits to State for payment.
WIC - On Line | WIC redemption using MSR / PIN based system managed by a processor. Every transaction is sent up to the processor for approval. Processor reimburses the retailer for the State.
XPI | XPI is an application developed to add EMV support to Form Agent.

EMV Is Here: Is Your Customer’s Payment Hardware Ready?

Now that the holidays are over, the next big hurdle in payment hardware and software is right around the corner. EMV has an implementation milestone of October 1, 2015 for most retailers and processors to be EMV compliant. The three dates below are from Master Card and Visa’s website.

October 1, 2015 – Counterfeit Card Liability Shift (MC and Visa): The party that has made investment in EMV deployment is protected from financial liability for card-present counterfeit fraud losses on this date. If neither or both parties are EMV compliant, the fraud liability remains the same as it is today. This date excludes automated fuel dispensers.

October, 2015 – Account Data Compromise Relief (MC and Visa): On this date, if at least 95 percent of MasterCard transactions originate from EMV-compliant POS terminals, the merchant is relieved of 100 percent of account data compromise penalties.

October, 2017 – Fraud Liability Shift, Automated Fuel Dispensers. MasterCard liability hierarchy takes effect for automated fuel dispensers.

By now, you would think that most retailers should be aware of the need to upgrade their POS and/or Payment applications and hardware to meet EMV compliance, but I speak to retailers every day to whom all this is a complete surprise. By now most POS and Payment App vendors and Integrators have made plans to upgrade their systems to accommodate EMV and have shared these timetables and plans with you, so if you have not started having conversations with your customers, the clock is ticking. Below is information that we have drawn from various sources aimed at helping you address EMV with your customers.

Frequently Asked Questions About EMV

What is EMV?

EMV is an open-standard set of specifications for smart card payments and acceptance devices. The EMV specifications were developed to define a set of requirements to ensure interoperability between chip-based payment cards and terminals. EMV chip cards contain embedded microprocessors that provide strong transaction security features and other application capabilities not possible with traditional magnetic stripe cards. Today, EMVCo manages, maintains and enhances the specifications. EMVCo is owned by American Express, Discover, JCB, MasterCard, UnionPay, and Visa, and includes other organizations from the payments industry participating as technical and business associates. Information on the specifications and organization is available at http://www.emvco.com.

Why is EMV so much better?

  • Card authentication, protecting against counterfeit cards. The card is authenticated during the payment transaction, protecting against counterfeit cards. Transactions require an authentic card validated either online by the issuer using a dynamic cryptogram or offline with the terminal using Static Data Authentication (SDA), Dynamic Data Authentication (DDA) or Combined DDA with application cryptogram generation (CDA). EMV transactions also create unique transaction data, so that any captured data cannot be used to execute new transactions.
  • Cardholder verification, authenticating the cardholder and protecting against lost and stolen cards. Cardholder verification ensures that the person attempting to make the transaction is the person to whom the card belongs. EMV supports four cardholder verification methods (CVM): offline PIN, online PIN, signature, or no CVM. The issuer prioritizes CVMs based on the associated risk of the transaction (for example, no CVM is used for unattended devices where transaction amounts are typically quite low).
  • Transaction authorization, using issuer-defined rules to authorize transactions. The transaction is authorized either online or offline. For an online authorization, transactions proceed as they do today in the U.S. with magnetic stripe cards. The transaction information is sent to the issuer, along with a transaction-specific cryptogram, and the issuer either authorizes or declines the transaction. In an offline EMV transaction, the card and terminal communicate and use issuer-defined risk parameters that are set in the card to determine whether the transaction can be authorized. Offline transactions are used when terminals do not have online connectivity (e.g., at a ticket kiosk) or in countries where telecommunications costs are high.
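
The dynamic cryptogram and unique transaction data described above can be seen in a simplified model of an online authorization. This is an added example, not part of the original post: HMAC-SHA256 stands in for the real EMV application cryptogram algorithm and key derivation, and the class names, message fields and keys are constructed for illustration.

```python
import hashlib
import hmac
import secrets


def derive_card_key(issuer_master_key, pan):
    """Issuer derives a per-card key from its master key (simplified)."""
    return hmac.new(issuer_master_key, pan.encode(), hashlib.sha256).digest()


def _mac(key, pan, amount_cents, nonce, atc):
    # Everything that makes this transaction unique goes under the MAC.
    data = "%s|%d|%s|%d" % (pan, amount_cents, nonce.hex(), atc)
    return hmac.new(key, data.encode(), hashlib.sha256).digest()[:8]


class ChipCard:
    def __init__(self, pan, card_key):
        self.pan = pan
        self._key = card_key  # stays inside the chip; reading the card does not reveal it
        self.atc = 0          # transaction counter, incremented on every use

    def sign(self, amount_cents, terminal_nonce):
        self.atc += 1
        return {
            "pan": self.pan,
            "amount_cents": amount_cents,
            "nonce": terminal_nonce,
            "atc": self.atc,
            "cryptogram": _mac(self._key, self.pan, amount_cents,
                               terminal_nonce, self.atc),
        }


class Issuer:
    def __init__(self, master_key):
        self._master_key = master_key
        self._last_atc = {}  # highest counter accepted per PAN

    def authorize(self, req):
        key = derive_card_key(self._master_key, req["pan"])
        expected = _mac(key, req["pan"], req["amount_cents"],
                        req["nonce"], req["atc"])
        if not hmac.compare_digest(expected, req["cryptogram"]):
            return "DECLINE: bad cryptogram"
        if req["atc"] <= self._last_atc.get(req["pan"], 0):
            return "DECLINE: counter already used"
        self._last_atc[req["pan"]] = req["atc"]
        return "APPROVE"


def demo():
    master_key = secrets.token_bytes(32)  # constructed issuer key
    pan = "4111111111111111"              # well-known test card number
    issuer = Issuer(master_key)
    card = ChipCard(pan, derive_card_key(master_key, pan))

    genuine = card.sign(18900, secrets.token_bytes(4))
    results = {"genuine": issuer.authorize(genuine)}
    # The same captured message presented a second time.
    results["replayed"] = issuer.authorize(dict(genuine))
    # The captured message with its amount changed.
    results["altered"] = issuer.authorize(dict(genuine, amount_cents=1))
    # A card carrying the copied account number but not the chip's key.
    copy = ChipCard(pan, secrets.token_bytes(32))
    copy.atc = genuine["atc"]
    results["counterfeit"] = issuer.authorize(
        copy.sign(18900, secrets.token_bytes(4)))
    # The genuine card's next purchase is accepted, with a fresh cryptogram.
    second = card.sign(18900, secrets.token_bytes(4))
    results["next"] = issuer.authorize(second)
    results["cryptograms_differ"] = second["cryptogram"] != genuine["cryptogram"]
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, "->", outcome)
```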

What do I have to do to be compliant?

This one does not have a single answer. POS Integrators, Payment Applications, Gateway Processors and the Hardware Manufacturers have developed a variety of solutions to meet the challenge ranging from fully integrated solutions that will work with some existing POS platforms, to what is referred to as “Semi Integrated” solutions that process the payment on the payment terminal with nominal interaction with the POS and many variants in between. In addition, the Hardware Manufacturers also can make available all the documentation and tools for those that have home grown POS applications. POSDATA can assist here by working with the Manufacturers to get the right Integration Kit for the application and also provide basic development support where needed.

Where do I start?

In most cases, the process is going to start with you, the reseller. The POS software application will likely dictate the path, as by now they will have outlined an EMV solution. That solution may be to totally remove payments from their app and partner with specific third party Payment software, or to provide “hooks” into the POS app to allow multiple third party solutions. They may also have chosen to provide an end to end solution. Integration and certification for EMV is a costly endeavor, so there may not be a wide range of choices for a particular POS depending on their size and install base. Same goes with payment hardware. You may find that an application may now only partner with one device manufacturer. There is also hardware out there that, while relatively new, will not be supported by the manufacturer for EMV. Bottom line is, if you have not started having these conversations with your customers by now, they are behind the curve and are going to have to catch up.

Can I use my existing payment devices?

If the chosen POS/Payment application supports it. That being said, there are a lot of integrated payment terminals that are not being supported for EMV by the manufacturers. Some because they are not equipped with Smart Card readers, others because they have been recently “End of Lifed” and firmware application updates are no longer being developed for them. The breakdown below comes from the manufacturers. Please also note that while devices may be advertised as “EMV Ready”, “EMV Capable” or “EMV Certified”, additional licenses, updated OS and/or applications or certificates may need to be loaded before EMV transactions can be performed.

Verifone

Most MX product that was built with a Smart Card reader can be used for EMV, although upgrades and additional applications will be required. This is a matrix of the MX product that is EMV capable by model number. The number to look for is the 9 in the 7th position of the part number. For example, a non-EMV MX 860 would be M094-407-01-R, versus the EMV MX 860 which is M094-409-01-R. Also, there are no non-EMV models of the MX 915 or MX 925, only the EMV. In addition, the current line of VX Pin Pads (VX 820 and VX 805) are also EMV ready.

VeriFone Model | PCI 1.3 Part Number (these products are EOL, but can still be used until 2017) | PCI 2.0 Part Number | PCI 3.0 Part Number
MX 830 | M090-309-04-R | N/A | N/A
MX 850 | M090-209-01-R | M094-209-01-R (will be EOL at end of 2014) | N/A
MX 860 | M090-409-01-R | M094-409-01-R | N/A
MX 870 | M090-109-01-R | M094-109-01-R | N/A
MX 880 | M090-509-01-R | M094-509-01-R | N/A
MX 915 | N/A | N/A | M132-409-01-R
MX 925 | N/A | N/A | M132-509-01-R

Ingenico

Ingenico will support all iSC Touch models (250, 350 and 480) and the iPP 320 and 350. No Ingenico product that has been “End of Lifed” will be supported for EMV.

Equinox (Hypercom)

Equinox will be supporting the L5200 and L5300 only, as well as the Apollo CFD. No Equinox product that has been “End of Lifed” will be supported for EMV.

PAX

Many PAX devices are EMV ready including the MT 30, SP30 and S300. Some PAX models did not come standard with Smart Card readers, so please contact us if you have any questions about specific models.

How do I dispose of my old payment terminals?

POSDATA offers a service called eWaste Disposal. You simply provide a list of serial numbers of your old devices and, as they are replaced in the field, you have them shipped to our facility. There we keep track of the devices received and provide reporting to you. We then disassemble the devices, making sure that all keys and any other sensitive information are removed or permanently disabled, and recycle all components, including any hazardous materials they may contain, in an environmentally friendly fashion. When we are done, you receive a comprehensive report on the items disposed of and a Certificate of Recycling.

Closing Thoughts

This is going to be a very busy year in the payments industry. As you may imagine there will be quite a demand for replacement payment devices and all the requisite accessories and services. As you plan rollouts and upgrades this year, expect longer than usual lead times due to the volume. We here at POSDATA are here to help in any way we can to make your EMV transition as smooth as possible with a wide range of devices, services and solutions.