EMV (EuroPay, MasterCard and Visa), also known as IC, or Chip and PIN, has been generating a great deal of news in recent months and is poised to be the next generation’s leader in payment processing. Already the norm in Europe and recently adopted in Canada, the possibility of a conversion in the United States has been top of mind in the hospitality industry. Making EMV a global standard not only boasts a more secure way to pay, but has the added allure of standing to strengthen the future of mobile payments.
In August 2011, Visa (www.visa.com) put rumors to rest when it announced plans to migrate from magnetic stripe to EMV in the U.S. MasterCard (www.mastercard.us/mchip-emv) followed suit in January of this year. For hospitality operators, this signals that it will be necessary to budget for technology upgrades in the next couple of years, including new payment
“Right now we are in the transition phase so most companies are saying, ‘How do we accomplish our short-term goals while still keeping the future in mind?’” says Michael Hess, CEO of Tech Global Partners (www.techglobalpartners.com), a technology consulting firm based in East Greenwich, R.I. “One of the challenges is that nobody really expected it, and I don’t think most operators were planning for it.”
As a result, companies that recently upgraded technology may not be equipped for another change in compliance regulations and could still be lagging in the area of credit card security. One such business that might find itself in that situation is On the Border Mexican Grill and Cantina (www.ontheborder.com) in Dallas, Texas. The restaurant completely overhauled and updated its hardware last year and is not planning to upgrade again for at least six or seven years.
“We try to squeeze as much as we can out of our capital investments so we are on a seven-year refresh or longer,” says Chris Andrews, senior director of IT. “Visa and MasterCard often have ‘sunset’ dates that always get pushed out, so we will wait and see.”
Currently both Visa and MasterCard are requiring all acquirers or financial institutions to accept EMV by April 2013, and Visa will reportedly shift liability for a breach to non-compliant operators starting October 2015. However, both will offer incentives to those who begin accepting EMV before 2015, and Visa already announced it would waive an operator’s annual compliance fee if they process three quarters of all transactions via chip instead of magstripe.
“Retailers we are working with are saying there is still a lot of uncertainty out there and until they get clarification and things are formally set, they don’t want to place bets on what they [may or may not] need,” Hess says. “If I was making an investment for my business, I would either wait as long as I could, or make a small investment in a scaled down version for the next two or three years, and then upgrade.”
Roadmap to the future of payment security
In order to accept EMV payments, many operators will need to purchase new chip-enabled payment PCI PIN Transaction Security (PTS) terminals, and as long as the point-of-sale system is current, they may only need to upgrade the software, according to Trevor Warner, president of Warner Consulting Group (www.warnerconsultinggroup.com), a technology and telecommunications consulting firm that works with the hospitality industry. “This is the first step to giving someone an electronic identification, which will eventually transition from the credit card to the smart phone,” he notes. “EMV is a baby step to move in the direction of the mobile wallet.”
Operators who upgrade the terminal can choose to purchase hardware that also offers NFC (near-field communications) capabilities, which is used with Google Wallet and allows consumers to pay for purchases with a cell phone and more. Many hardware vendors in the U.S. have been supplying EMV technology globally, and already have terminals ready for deployment, including VeriFone (www.verifone.com), Ingenico (www.ingenico.com) and Vivotech (www.vivotech.com). Those who choose to only upgrade to the EMV functionality can also purchase units that allow the NFC functionality to be retrofitted.
“It concerns us most from a hardware perspective and that is a big capital investment,” says On the Border’s Andrews, explaining that restaurants with table service will have to reconfigure their procedures so customers can pay at the table. “We have to get the PIN pad out to the customer, so we will have to bring something to the table that is wireless. I imagine there will be some architectural redesign for that as well.”
Ultimate benefits in functionality and protection
The biggest drawback for operators is the up front cost in order to upgrade and comply, as the new terminals will be more expensive due to the new capabilities, according to Andrews. “Once you get past that, there are a lot of positives for merchants, consumers, and the banks,” he notes. “The security and anti-fraud benefits are great, and the chip is not one-dimensional like a magstripe, so it can hold multiple things, which open up integration with loyalty. It offers a lot of different paths.”
There are some components of EMV, such as the use of a PIN, that allow it to be a more secure method of payment. For example, if someone were able to get the card data, but not the PIN, then the data would be useless, and vice versa. But PCI compliance guidelines still need to be followed.
“With EMV, the idea is there are two pieces, and someone might get one, but they won’t get both,” says Hess. “So there will be some benefits on the compliance side, but operators still need to keep everything secure and be PCI compliant.”
In October 2010, the PCI Security Standards Council published guidelines called “PCI DSS Applicability in an EMV Environment,” which explain how EMV adds fraud reduction benefits, but PCI DSS is still required, says Bob Russo, general manager of the Council.
While EMV has proven itself as an effective fraud protection tool in the face-to-face transaction environment, it does not automatically satisfy all PCI DSS requirements. “In the coming months, the Council will release additional requirements and guidance on how organizations can utilize a PTS-approved terminal in conjunction with point-to-point encryption to reduce merchants’ PCI DSS scope,” Russo says.
Right now, many operators are waiting to see what the next steps are, and what will be mandated, as well as the dates on compliance with the new standards. However, they realize the investment is on the horizon. “We haven’t explored it yet because we haven’t been pressed,” says Andrews. “We will tackle it as it comes.”
Russo stresses that the key thing for operators to realize is that no single technology will secure payment data uniformly for everyone. “Payment security requires a holistic approach, addressing not just technology, but people and processes throughout the payment chain,” Russo concludes.