Merchant Link SecurityCents

A blog that comments on the latest developments in the world of payments, payment data security and technology, PCI compliance, and more.

EMV Posts

As a growing company, we are always reaching out to our customers, partners and prospects to learn what it is they are looking for in a full suite of security solutions. Updating our product offering to meet the ever-changing customer demand is part of our ongoing roadmap and development strategy. Over the last few months, I have had a lot of time to talk to our merchants. What I find most intriguing of all is the place where behavior and business intersect.

PCI Compliance Requires Change

When PCI was initially formed in 2004, merchants were not sure what to think. After all, what was the likelihood that the five existing security programs (Visa, Mastercard, American Express, Discover, and JCB) would actually be able to come together and develop a single set of compliance standards? Fast forward to 2013 and PCI is a strong and evolving organization, committed to ongoing standards creation in an effort to reduce fraud and theft. While there are still some merchants that are not aware of the PCI DSS (PCI Data Security Standard), the majority is, and is compliant. It didn’t happen overnight. It took time, communication and, most of all, a modification to the behavior of our merchants.

Road to Acceptance

Merchants now had to maintain vigilance in guaranteeing credit card security or face significant fines. In an effort to reduce their own burden, they began asking questions like “Is my iPOS (integrated point-of-sale) provider compliant?” iPOS providers had the daunting task of updating software solutions in an effort to provide merchants with compliant solutions. Merchants were forced to make upgrades and changes to their point-of-sale solutions and often felt that it was a plot conceived by the vendors to pad their own pockets (which was not the case). It took years for merchants to “accept” that PCI is not going away, but today they have adapted to completing the audit forms and working with QSAs (Qualified Security Assessors), their processors and gateways. Compliance is now an “accepted” practice for those that choose to accept credit cards in their business.

EMV and Credit Cards

The next round of standards to be introduced is EMV. Once again, it is going to mean that merchants will have to make business decisions with regards to credit card processing, but more critically this time both merchants and consumers will have to actually modify their behavior. EMV (Europay, Mastercard, Visa) is designed to further protect consumers against fraud. It has been adopted in Europe and Canada in a variety of forms, but here in the U.S. we are just becoming exposed to it. EMV will dictate how consumers interact with a merchant when paying by credit card. Behaviorally though, American consumers do not like to be told what to do and how to do it.

The traditional behavior, in a restaurant for example, is quite simple. A waiter brings you your check, you review it and then hand a perfect stranger your card – a card that leaves your sight and goes into a back room for (you hope) processing the charge for your meal. EMV will now have a terminal where you will enter a PIN (personal identification number). You will no longer give your credit card to a stranger. You will interact with the terminal directly, in an effort to minimize fraud and theft. EMV, like PCI DSS, is an evolving standard. But this one may just take a little longer to catch on, as it will rely on both the merchant and the consumer to make behavior changes.

What do you think of interacting with an EMV terminal versus handing your credit card to your server?


We’re back from Hospitality Technology’s 9th Annual Hotel Technology Forum and wanted to share some of our observations from key sessions and discussions with lodging executives.

Tokenization and Encryption

Data security remains a hot topic and I had quite a few conversations about tokenization and encryption methodologies. People seem to be familiar and comfortable now with tokenization as a solution, so the focus has shifted to implementation plans and to what extent their environments can be taken out of PCI scope. Large hoteliers are keenly interested now in how tokens are communicated back and forth, how easily tokenization fits into their existing systems, whether retrieval of the original PAN data is truly needed, and more.

The “Prepping for the Next Phase of Payment Security” Session

This session, led by Wibecke Vinke, brought a European viewpoint of EMV. The session focused on the ever-increasing interest in the EMV mandate. Based on the questions both in the session and after, there is still quite a bit of confusion over EMV. The confusion centered mainly around:

  • Whether there are actual penalties/fines for non-adoption (currently there are none)
  • Chargeback liability shifts (who is responsible for what?)
  • Chip and PIN or Chip and Signature – which will become most prevalent?
  • Timing (actual as opposed to published). Whether or not you have purchased an EMV terminal, the infrastructure needs to be in place to support those transactions. Infrastructure includes:
    • Banking backend systems and networks compliance
    • Processor backend systems and networks compliance
    • Gateway backend systems and networks compliance
    • Banks issuing of chip cards
    • Merchant’s equipment swap
  • Adoption (whether the liability shift is worth the expense)
  • Expense (how much purchasing new equipment will affect adoption)
  • Implementation (how easy will it be for merchants to get certified with EMV)
  • Integration with existing security solutions (what happens to tokenization and encryption?)
  • Security – how does EMV actually improve security? Are there any holes?

Hoteliers should know:

  • EMV is designed to help secure and authenticate the customers who have a card in hand. However, in hotel environments, card-present transactions represent only a portion of the overall payment card data a hotel handles. Typical hotel systems also have online reservation systems, back office card-not-present transactions, kiosk transactions, sales and catering transactions, as well as restaurant and retail transactions. So EMV is not a payment card data security silver bullet and it does not provide any PCI scope mitigation.
  • In October 2015, the liability shift for card-present chargebacks and fraud is supposed to take place. For merchants to qualify for this liability shift, they will have to have 75% of their terminals able to process EMV. The liability shift means that the entity responsible for EMV not functioning will be liable for the chargeback and fraud charges related to these card-present transactions. For instance, if you buy an EMV-capable terminal device but your processor is not able to process an EMV transaction, the processor will be liable for a chargeback or fraud loss.
  • As of April 1, 2013, acquiring banks and processors were required to be ready to support merchant acceptance of chip transactions. This does not mean you can start accepting EMV/chip cards. There are still many other entities and players in the backend systems that have to upgrade and update their systems to be able to even process an EMV transaction. Check with your processor or gateway on their progress and roadmaps for supporting EMV.

Actually, my favorite session at HTF was presented by Abby Lorden, who delved into various statistics and trends around the technologies hotel IT executives are currently using, what’s important to them right now and where there are gaps. Respondents were asked to rate both the importance of and their satisfaction with 16 key IT projects. PCI compliance ranked high in both, which indicates that hoteliers understand the importance of security and are satisfied that the market has produced solutions that help address their needs. Another interesting finding was that cellular infrastructure ranked relatively low in importance and low in satisfaction, indicating that improving cellular infrastructure was not of prime importance. There was, however, a huge gap in Wi-Fi satisfaction. Based on customer surveys and complaints to hoteliers, customers are demanding greater bandwidth as the use of tablets and other mobile devices has skyrocketed. Accommodating customers’ ever-increasing bandwidth needs seems to be what many hotel budgets are earmarked for in 2013. You can view all the fascinating findings from the 2013 Lodging Technology Study on Hospitality Technology’s website here.
