There are few places you’ll find more acronyms or terms that are just plain weird than in the world of credit card processing. EMV, E2EE, P2PE, NFC, FSA, Tokenization, PCI. What do they all mean? And most importantly, does it matter if your pharmacy is on board with each particular item?
While there’s no one-size-fits-all approach to credit card processing, there are some best practices that might help if you find yourself in a position to make changes to your credit card processing setup.
EMV
What is it? EMV stands for “Europay, MasterCard, Visa.” EMV, or “Chip and PIN,” has become standard for many merchants in the U.S. First implemented in Europe in 1995, EMV cards have an embedded microchip that creates a unique transaction code each time the card is used. This differs from the magnetic stripe on a traditional swiped card, which contains constant, unchanging data. Basically, this technology prevents a card from being physically duplicated and used fraudulently.
Why do I need it? Although EMV has been around in the United States for a few years, as of the date this article was published, it is not required for U.S. merchants. Chip-enabled cards will still process as a regular swiped transaction. However, this doesn’t mean EMV isn’t important. If a charge-back (basically a dispute of a processed transaction) occurs on an EMV-enabled card that you swiped, you become liable for those funds. Additionally, customer perception of EMV matters. Despite the fact that EMV does not protect card data from breaches, many customers see EMV as a more secure processing option. Even if charge-backs haven’t been an issue for your pharmacy, investing in EMV may be worthwhile. If you’re not currently processing EMV transactions, consider reviewing this option with your point-of-sale provider and making it part of your future business plans.
E2EE
What is it? End-to-end encryption, or E2EE, is the technology that actually protects customer card information. Card information is encrypted immediately at the time of the card swipe or insert and sent directly to the processor, where it is decrypted for the first time. No card data actually touches your point-of-sale system or the computers in your store.
Why do I need it? Because no card information is ever in your point-of-sale system, there’s no data to be compromised. It virtually eliminates the chances of a card data breach, like those experienced by countless notable retailers. It’s so important that you can’t set up a new credit card processing account at RMS that isn’t E2EE by default.
Validated P2PE
What is it? Validated P2PE uses the same basic technology that E2EE does. It just takes it up a level. The big difference is that Validated P2PE has been vetted and certified by the PCI Security Standards Council, validating all aspects of the credit card hardware, right down to the serial numbers of the hardware that you install in your store and the chain of custody of those devices.
Why do I need it? Validated P2PE is by no means a requirement. However, having a validated solution allows merchants to significantly reduce their scope for PCI Compliance. Many security assessors and IS departments prefer a validated solution.
PCI Compliance
What is it? Remember those card data breaches that we discussed earlier? PCI Compliance was the credit card industry’s response. The PCI Security Standards Council was created to “enhance global payment account data security by developing standards and supporting services that drive education, awareness and effective implementation by stakeholders.”
For merchants, PCI Compliance means completing many steps, from creating policies and procedures to physical system security checks, network scans, and a detailed self-assessment each year.
Why do I need it? Whether you are a multi-location independent chain, a hospital organization, or a single pharmacy location, PCI Compliance applies to your business. In fact, it applies to any business that processes credit cards. If you aren’t PCI Compliant and experience a breach, the liability for that breach could be assigned to your business.
If you’re not sure where you stand or where to start with PCI Compliance, we recommend checking in with your credit card processing representatives for guidance and resources.
NFC
What is it? Near Field Communication, or NFC, is almost never referred to as such directly. Instead, you’ll hear words like Apple Pay or Android Pay or Tap to Pay. Basically, think of NFC as your blanket acronym for a credit card payment via mobile device or smart watch.
Why do I need it? When it comes to NFC payment processing, it’s all about knowing your customer base. Having this option is definitely nice for anyone who wants to use this convenience, but there aren’t other incentives for offering it or penalties for non-use.
Tokenization
What is it? Tokenization is a secure and compliant option for storage of credit card information for later and/or recurring use. Breaking down the process, you enter card information via an encrypted terminal or secure portal and receive what’s known as a “token” in return. This token is then stored in your point-of-sale system, attached to the customer record. Selecting this token as a method of payment when a card is not present will allow that card to be charged. The key takeaway is that the card information is not stored anywhere in your POS system or store network.
Why do I need it? Tokenization is the best secure way to retain cardholder information for recurring payments like mail order, delivery, or simply a customer picking up an order for someone else. Tokenization follows the same trend as E2EE for removing cardholder data from the point-of-sale system, and we expect it to be the primary option as solutions of this kind become more popular and desirable for businesses of all sizes. Security aside, tokenization is also crazy easy to use and very convenient for any number of reasons in daily pharmacy activities.
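To make the token flow concrete, here is an added example (not from the original article or any vendor's product) of a card being exchanged for a token, the token being charged later, and a check that the stored customer records hold no card numbers. The ProcessorVault class, the token format, and the record fields are hypothetical; 4111111111111111 is a public test number.

```python
import re
import secrets
import string

def luhn_ok(digits: str) -> bool:
    """Luhn checksum that every payment card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

class ProcessorVault:
    """Hypothetical stand-in for the processor: the only place the card number lives."""
    def __init__(self):
        self._cards = {}
    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a valid card number")
        alphabet = string.ascii_lowercase  # random letters, not derived from the card
        token = "tok_" + "".join(secrets.choice(alphabet) for _ in range(24))
        self._cards[token] = pan
        return token
    def charge(self, token: str, cents: int) -> str:
        pan = self._cards.get(token)
        if pan is None:
            return "declined: unknown token"
        return f"approved {cents} cents, card ending {pan[-4:]}"

# 13-19 digits, optionally separated by spaces or dashes, not part of a longer number.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def find_card_numbers(records):
    """Return (record index, field) for every value holding a Luhn-valid card number."""
    hits = []
    for i, rec in enumerate(records):
        for field, value in rec.items():
            for m in PAN_RE.finditer(str(value)):
                if luhn_ok(re.sub(r"\D", "", m.group())):
                    hits.append((i, field))
    return hits

def demo():
    vault = ProcessorVault()
    token = vault.tokenize("4111111111111111")  # constructed: public test number
    pos_records = [  # constructed POS customer records
        {"customer": "A. Example", "payment": token, "note": "monthly delivery"},
        {"customer": "B. Example", "payment": "cash", "note": "card 4111 1111 1111 1111"},
    ]
    return token, vault.charge(token, 2599), find_card_numbers(pos_records)
```

The tokenized record passes the scan, while the free-text note in the second record is flagged: a card number typed into a notes field defeats tokenization even when the payment field is clean.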
FSA
What is it? Flexible spending accounts have been around for a while, and so have unique requirements for processing FSA transactions. Through the lens of transaction processing for pharmacies, you need to work with an IIAS (Inventory Information Approval System) Certified point-of-sale system. These systems are able to determine which products are eligible for purchase with an FSA card and which ones aren’t. When a customer uses an FSA card, only the FSA-eligible total is deducted from the card, and appropriate flags are sent with the transaction, essentially proving the eligibility of the purchase.
Why do I need it? Despite the fact that the list of FSA-eligible products is considerably smaller than it was when FSA purchase requirements were implemented in 2008, pharmacies still need to participate with SIGIS (the group that maintains and implements IIAS standards). This enables easy processing of prescriptions on FSA cards as well as OTC products like wound care and diabetic testing supplies. Pharmacies that do not certify through their POS provider to process FSA cards risk card declines and, as a result, lost revenue. At best, customers might be required to go through the extra step of requesting reimbursement from their provider, which isn’t ideal. Check with your point-of-sale provider for more information on FSA card acceptance.
Did we miss something? Is there anything else about the credit card industry that’s stumping you? We’d love to hear about it and help answer any processing questions you may have.