It’s hard to go a week or two these days without hearing news of another major data breach. These breaches cost businesses and consumers billions of dollars every year. The financial cost to businesses that were breached increased 9% in 2014 to $145 per stolen record. And this doesn’t include the damage to reputation and the resulting loss of business. A data breach is something you simply can’t afford. With this in mind, I’m going to explain changes you will be seeing in 2015 with regard to credit card processing that will help protect your business and your customers.
Many of you are aware that in October of this year the credit card industry is offering to shift liability for credit card fraud away from you, the merchant, to incentivize you to adopt EMV technology. EMV stands for “Europay Mastercard Visa”. EMV technology was first implemented in Europe in 1995. EMV cards have a microchip embedded in them that creates a unique transaction code each time the card is used. EMV makes it virtually impossible to duplicate a card. But that’s where the technology stops. EMV protects the acquirers and card brands (Visa, Mastercard, AMEX, & Discover) from fraud but it has absolutely no impact on protecting you from a data breach (more on this in a moment). The card brands, acquirers, and credit card processors all began working with the large chains a few years ago on preparing for this shift. The credit card industry is now preparing to roll out this technology to small businesses, albeit 18 months behind schedule. We are currently working with all of your current processors to make this technology available by the 4th quarter.
Point to Point Encryption (P2PE)
As I mentioned, EMV does nothing to protect you from a data breach and as a merchant having all of your customers’ card data stolen would be far more damaging than having an individual use a fraudulent card in your store. A new technology known as point-to-point encryption (P2PE) virtually eliminates the chances of a data breach. With P2PE, the moment the card is swiped or put into the EMV reader, the card is encrypted by the hardware device and sent directly to the processor where it is decrypted for the first time. The processor then approves or disapproves the transaction and sends an approval or disapproval to the POS system. With P2PE, your POS has absolutely no credit card data to be stolen. P2PE is currently available in our latest software release, but it is currently only available with processing via Mercury Payment Systems. We are working with our other partners to offer this technology with them in the coming months.
What is this going to cost?
When you decide to move forward, the cost will depend on which processor you use and which hardware devices they certify. We have weekly meetings with our credit card processing partners on this topic and once we have firm information from them, we will pass it along to you.
We have already been told by all of our processing partners that there will not be any EMV certified signature capture devices until the 2nd quarter of 2016. They are all certifying non-signature EMV devices first and will make those available by October 2015. We will be coding to allow the use of these devices to accept credit cards (EMV and non-EMV cards). If you chose this option, your existing signature pad will be used for signatures only and not for credit card processing. We will continue to offer this dual device option moving forward, but we will also offer a single device option (signature pad with EMV reader) once they become available in 2016.
At this point it is important to keep in mind that neither of the above technologies are currently mandated, so you have the option of continuing business as usual until such time that you can budget and plan for the change. The October 2015 date, many of you have read about, is not actually a deadline, it is simply the date when the credit card brands agree to shift fraud liability from you to them on EMV transactions. This liability shift only applies to EMV cards processed as EMV transactions and does not apply to standard credit cards you accept. Keeping in mind that EMV technology does not protect you from a data breach, I recommend you consider P2PE as the first technology to adopt. This removes the credit card data from your system, reduces your PCI scope, and eliminates the chance of a breach due to stored credit card information.
What about my customer – the consumer?
There are still over 1 billion standard credit cards in use in the United States and issuers have only begun to replace these cards. In most cases, the issuer will initially activate the card as a “chip and signature” card to make the transition for the user as easy as possible. Chip and Signature means the consumer will sign for the transaction as usual. Eventually, all issuers are expected to migrate to “chip and pin” which means the consumer will have to enter their pin to use the card. We will be able to handle both situations from the beginning.
One of the hardest changes for the consumer is that with EMV, “swipe at anytime” goes away. With an EMV transaction, the card must remain in the EMV slot during the entire payment process. It will be very important to train your staff on this change.
Where and when can I get more information?
We plan to send updates at least once per month via email and once per quarter via mail through the end of the year. We will also be posting the most current information on our website at http://www.rm-solutions.com/emv
As the President & CEO of RMS, Brad Jones is an industry expert with a lifetime of experience working in and around independent pharmacy. He is committed to ensuring that RMS makes our clients the most profitable and customer-centric in the industry.