May 18, 2015 |

EMV Uncovered

By Daniel P. Smith

RED_swipe_cardLost RiverWhat restaurants need to know about EMV and the looming liability shift


Take notice, pizzerias, the EMV liability shift deadline looms.

This October, restaurants must be equipped to accept EMV cards –– an acronym for Europay, MasterCard and Visa –– or risk financial responsibility for any point-of-sale fraud that occurs in their stores.

Unlike traditional magnetic-swipe cards, EMV cards, also called smart cards or chip cards, use an embedded chip to create a unique impression for every purchase, which heightens security and reduces the likelihood of fraud.

“EMV is designed to protect the integrity of the physical card … (and), ultimately, this is really about helping merchants,” says Mark Schulze, co-founder of the mobile POS system Clover, a First Data company.

Though EMV has captured headlines of late, many small merchants, pizzerias included, remain unprepared for the EMV liability shift if not completely unaware of the matter.

Though the global standard for much of the world, the United States is a latecomer to the EMV game. Many of the globe’s other leading markets, in fact, have been using EMV for the better part of a decade, a reality that has made U.S. businesses a fraud target. According to The Nilson Report, the U.S. is responsible for nearly 50 percent of the world’s card fraud despite accounting for less than one-quarter of its sales.

“As the rest of the world has gone toward this enhanced standard (EMV), we’ve found a narrowing of fraud” centered on the United States, Schulze says.

As criminals favor easy targets, Schulze says it’s not unrealistic that fraudsters will target merchants, including restaurants, relying on easily replicable mag-stripe cards.

“It’s logical to assume that if you’re lagging behind, the criminals will start frequenting your store,” Schulze says. “The impact of fraud … is a very real risk.”

In years past, card issuers took the hit when a criminal passed a manufactured or counterfeit card to a merchant. “The card issuers basically said, ‘They foiled our security, so this is on us,’” Schulze says.

Come October’s EMV liability shift, however, liability for fraud due to card theft resides with the party using the least secure technology, says Mike English, vice president of product development at Heartland Payment Systems. For instance, if a merchant continues using a magnetic-stripe terminal, then he will be responsible when a counterfeit magnetic stripe from a chip card or a lost or stolen chip card is used on that magnetic-stripe terminal.

Contrary to some alarmist headlines, EMV is not mandatory. There is no government requirement here, no regulatory mandate.

Merchants can choose to implement EMV acceptance or continue relying on magnetic-stripe card transactions. At present, card issuers are continuing to provide smart cards that also carry a magnetic stripe, so merchants – at least for the foreseeable future – will be able to accept payment either way.

Switching to EMV is a rather simple process, albeit one requiring time and money.

Immediately, a restaurant will need to purchase an EMV reader and, quite possibly, additional software. If a restaurant only needs a stand-alone terminal, costs can range from $250 to $500. If a restaurant already has a POS system, however, the costs to upgrade software and add an EMV-ready peripheral will vary widely among providers. (It’s worth noting that American Express’ Small Merchant EMV Assistance Program allows eligible merchants to earn a one-time $100 reimbursement from American Express on the purchase of an EMV terminal.)

Operators will also need to devote time and resources to training. Unlike swiping, the current norm in American society, consumers and restaurant staff alike will need to get accustomed to dipping. With EMV cards, chips cards are inserted, or dipped, into a reader and, much like an ATM visit, remain there throughout the transaction to allow communication between the reader and the card.

David Gilbert, president of hospitality group at Heartland and a longtime restaurant operator, suggests operators begin reaching out to their payment processors and POS providers now to gather information on equipment and software needs as well as costs.

“This is not just flipping a switch,” Gilbert says. “This process requires an investment and procedures, so better to get moving sooner rather than later.”

According to last October’s American Express EMV Preparedness Survey, more than a third of the small merchants surveyed said they would not upgrade their payment terminals to EMV or were undecided on doing so.

Undoubtedly, some operators will run a cost-benefit analysis, calculating the cost of purchasing new EMV terminals or retrofitting an existing POS terminal against the potential liability, particularly by reviewing information on the restaurant’s current chargeback write-offs due to counterfeit cards. That math will likely leave some on the sidelines — at least until smart cards become the national norm and consumer expectations force the shift.

Others, however, will make the move concerned that any breach will cost them customers or that ignorance to EMV will only put their restaurant further behind the payment technology eight ball, especially with NFC (near-field communication) and contactless payments on the horizon. Heartland’s Gilbert calls EMV “a building block of security technology for restaurants.”

“As consumers begin to understand what EMV means to them, restaurant operators will need to be aware of this and coordinate their movement accordingly,” Gilbert says.


EMV is only one piece of the security puzzle

EMV is not the end-all, be-all solution to card fraud, but rather one piece of a multi-layered approach that also includes encryption and tokenization.

In such fraud-reducing transactions, the EMV card is inserted into the terminal, encrypted and sent to a PCI-compliant data center, where the data is then decrypted, authorized and returned to the merchant as a single-use token.

While EMV and encryption remove a criminal’s ability to monetize card data, the encryption and tokenization combination removes card data from the business environment.

As operators investigate EMV equipment and software with their payment processors, Heartland’s David Gilbert suggests they also inquire about encryption and tokenization measures as well.

“Complying with EMV is a great opportunity for restaurants to simultaneously incorporate these other key security measures to nearly eliminate any risk of breach,” Gilbert says.

Chicago-based writer Daniel P. Smith has covered business issues and best practices for a variety of trade publications, newspapers, and magazines.