EMV Updates: Summer 2015

As I interact with our dealer and reseller partners or sit in on sales calls with end users, questions consistently come up regarding EMV. Here are the latest EMV updates as of Summer 2015.

Do I still need to use P2P Encryption since I am moving to accepting EMV cards?

The answer to this one is definitely yes. A large portion of transactions will still have to be approved “online”, meaning that account number information will still be sent up to the host for authorization. Without P2P encryption to protect it, that account data is still at risk as it travels through the network. Allen Friedman, Director of Payment Solutions at Ingenico, says “Linking EMV and encryption creates an effective shield against card fraud and data breaches. Both are necessary and they complement each other”.

A recent NY Times/National Small Business Association survey of 675 small businesses found that …

  • 50 percent had been victims of hackers looking for credit card data.
  • 68 percent of those hacked were hacked more than once.
  • Small businesses are being hacked at the same rate as large tier retailers, possibly higher as many incidents go undetected or unreported.
  • The average attack on a small business costs over $20,000.

A Point to Point Encryption scheme in conjunction with EMV substantially reduces the possibility of account info being

What does the coming Liability Shift really mean to the retailer?

After the October 2015 shift, liability falls to the party using the least secure technology. AMEX, MasterCard and Discover will hold the merchant liable for any counterfeit or stolen cards accepted if the merchant is using a non-EMV device. Visa for now excludes stolen cards and will hold the card issuer liable.

To put this in perspective …

  • 25 percent of all transactions in the world take place in the US.
  • 50 percent of all credit card fraud occurs in the US.
  • Credit card fraud has increased to 10 cents per $100 transacted and is still growing.
  • 10 billion dollars in credit card fraud is expected in 2015, up from 8.5 billion last year.

All this fraud is going to find its way to the least secure merchants as EMV is implemented.

A few of the payment industry’s experts have also weighed in on liability and security…

  • “Once the larger merchants adopt EMV, fraudsters will pick on the smaller guys unless or until they have migrated” – First Data Merchant Services
  • “While many small merchants will say they are currently not expecting a lot of chargebacks from counterfeit cards, they should know that they will become a target once the liability shift occurs – unless EMV compliance has been achieved” – Vantiv
  • “At some point, consumers will strongly embrace EMV as the secure way to pay as seen in foreign visitors who are hesitant to shop in US stores that do not have EMV” – First Data Merchant Services

I am also often asked what the return on investment (ROI) is for spending all this time and money. The simple answer is that there is not a simple answer. True, the liability shift is not a mandate and EMV is not required for PCI compliance. Also true is that many merchants do not see much fraud given the nature of their business or that the number of chargebacks a merchant is seeing today can be used as an indicator of future fraud activity. The fact that there seems to be little incentive in the form of lower processing fees is no help either, but think of it this way:

  • Security standards are changing more rapidly and the crooks are getting smarter. Those old PCI 1 and 2 devices that you have may not be secure enough to fend off today’s attacks on their own. Keeping up with changing technology is part of the “cost of doing business”. It’s not just EMV that’s bringing on these changes.
  • Data breaches are increasing rapidly in the US. EMV paired with a P2P encryption solution and PCI mandated networking standards will make you more hacker proof, and attackers will focus on less difficult targets. Bear in mind that the merchant is already liable for data breaches, and a breach could stop a merchant’s ability to accept credit or debit payments.
  • Once EMV is up and running, stealing card data is less attractive and counterfeit cards will be more difficult to use. This benefits all merchants in the long run.

Something else to consider is the risk level going forward as certain merchants are more exposed to fraud by the nature of their business and how prepared they are. Is the merchant…

  • Dealing in a vertical that sells goods that often get returned for cash, sold on the street or sells gift cards?
  • Located in a transient area such as a tourist destination, near a major highway or high traffic area?
  • One that has a large number of employees that handle credit cards and also has high employee turnover?

If so, it makes good sense to be as protected as possible.

I hope that this information helps as you speak to your customers about their upgrade plans. If you have any questions, please contact me (Bryan Jackson at this email or 972-514-4236) or your PosData Business Development Manager. We are more than happy to help.