The Cost of Payments
We’re at an important inflection point in the payments industry — perhaps the most important in decades. There are a number of forces coming together at once to change the retail payments marketplace, perhaps none more significant than the combination of EMV (an abbreviation for Europay, MasterCard and Visa, the three organizations that developed the initial specifications) and terminal encryption/tokenization. A new global standard that helps protect transactions and credit cards from counterfeit fraud, EMV will become a necessity for all retailers after the October liability shift deadline. This shift affects the entire payments industry and transaction security in general. Terminal encryption/tokenization adds another level of security preventing card data from being stolen in transit.
EMV and Retailers
The financial costs of a data breach can be very damaging to a company’s growth and, perhaps more importantly, its reputation. The reality is that for the vast majority of businesses, it’s not a question of if it will be a victim of a data breach, but when. Data breaches impact 90 percent of small businesses, according to research from information security firm Trustwave.
As a retailer, it’s important to understand what the looming EMV liability shift will mean for your business. Today, if there’s a fraudulent transaction at your store, the financial institution that issued the card and authorized the transaction holds the liability. Starting in October, if a retailer doesn’t have EMV-enabled terminals and a customer uses a card that has an EMV chip, the merchant is responsible for any loss. This liability shift moves losses from financial institutions to merchants if they’re not prepared, creating an urgent challenge for retailers.
Retailers will want to quickly invest in point-of-sale (POS) technology that secures their data by enabling EMV transactions. For multilocation merchants, the process to become EMV-enabled can be complicated and time-consuming. Retailers of all types and sizes need to invest in EMV to protect themselves and the ecosystem against counterfeit card activity.
How Secure Payments Work
The world of secure payments can often be confusing. It’s especially important to understand what specific equipment is needed to match any individual retailer’s needs. Furthermore, retailers need to consider how to educate their employees and customers on how to use an EMV card.
There are three key terms your business should embrace: chip-enabled cards, encryption and tokenization. The first is part of the counterfeit fraud prevention encompassed by EMV, while the other two serve as a dual technology solution that can be installed on POS terminals to address other data security issues retailers may face. The three collectively represent a multilayered security solution, as focusing on only one or two points of entry can still leave your business vulnerable to attack.
1. Chip-enabled cards: As retailers prepare for the EMV liability shift, a key element to take into account when considering payment security investments will be to ensure a terminal can accept chip-enabled cards. A chip-based payment transaction uses a smart chip embedded in a debit card or credit card. EMV capability can also apply to a personal device such as a mobile phone when it connects to an EMV-enabled terminal through a contactless (i.e., NFC) interface.
Late last year, the Payments Security Task Force released a study that found 47 percent of U.S. merchant terminals will be enabled for EMV chip technology by the end of 2015. This means that more than half of all retailers won’t be ready when the liability shift takes place. As chip-enabled cards become more prevalent, fraudsters are likely to zero in on the weak spots in the ecosystem — i.e., retailers that haven’t adopted EMV-enabled terminals. Can you afford to not offer your customers the most secure transactions possible?
2. Encryption: This technology protects data in use and “in transit” — i.e., from the moment the card is swiped until it reaches the payment processor’s secure processors. Encryption effectively safeguards retailers from thieves grabbing card data even before the transaction is processed.
Currently, in the majority of both EMV and non-EMV transactions, payment card information is sent from the point of capture to the acquirer/processor “in the clear” in an unencrypted form that’s easy for criminals to steal. Historically, when the majority of transactions traversed private phone lines, this was less problematic. However, a criminal’s ability to capture data in transit increases as more POS systems use internet technology for data transmission. Criminals can then steal millions of card numbers from unsuspecting retailers.
Even though EMV provides some level of protection, the payment card information still travels in the clear. During data transit, it’s possible for card data to be stolen and then used to create counterfeit magnetic stripe cards or used in a card-not-present environment. Encrypting every transaction at the POS renders the data unusable to thieves.
3. Tokenization: Tokenization is a critical component of ensuring a safe, secure digital wallet transaction, shielding a customer’s credit card or debit card data during transactions. In the tokenization process, consumers enter their card information into the digital wallet of a mobile device. Inside the digital wallet, the cardholder’s primary account number (PAN) is replaced with a unique, securely generated number (a token). Therefore, the actual card number is never transmitted. Tokens live in token vaults. We see tokenization at play in payments solutions such as Clover Mini and Apple Pay, where the retailer receives a device-specific token as well as a dynamic, one-time-use security code used to complete transactions.
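The token flow described above, as an added Python sketch that is not part of the original article and is not the EMVCo specification or any wallet vendor's actual protocol. The class and function names, the HMAC-based one-time code and the sample card number are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class TokenVault:
    """Toy token vault (hypothetical): the only place token -> PAN is stored."""

    def __init__(self):
        self._by_token = {}   # token -> [pan, device_key, last_counter]
        self._devices = set()  # (pan, device_id) pairs already provisioned

    def provision(self, pan, device_id):
        """Issue a device-specific random token and per-device key for a PAN."""
        if (pan, device_id) in self._devices:
            raise ValueError("device already provisioned for this card")
        while True:
            # Random digits, same length as the PAN, not derived from it.
            token = "".join(secrets.choice("0123456789") for _ in pan)
            if token != pan and token not in self._by_token:
                break
        device_key = secrets.token_bytes(32)
        self._by_token[token] = [pan, device_key, 0]
        self._devices.add((pan, device_id))
        return token, device_key

    def authorize(self, token, counter, amount_cents, code):
        """Return the PAN only if the one-time code is valid and unused."""
        record = self._by_token.get(token)
        if record is None:
            return None
        pan, device_key, last_counter = record
        expected = one_time_code(device_key, token, counter, amount_cents)
        if counter <= last_counter or not hmac.compare_digest(expected, code):
            return None  # replayed, forged, or altered transaction
        record[2] = counter  # burn the counter so the code cannot be reused
        return pan


def one_time_code(device_key, token, counter, amount_cents):
    """Wallet side: code bound to the token, a counter and the amount."""
    msg = f"{token}|{counter}|{amount_cents}".encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()[:16]
```

The retailer in this sketch handles only the token and the one-time code; the PAN is recovered inside the vault, and a captured token and code pair cannot be replayed or reused for a different amount.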
A Look Into the Future
While EMV is a global standard that plays a role in reducing counterfeit fraud, it isn’t an all-encompassing security remedy. There are many third-party security providers that offer comprehensive solutions to help ensure that each and every transaction is a safe, secure one. These service providers — and retailers themselves — must work diligently to stay well ahead of fraudsters’ next schemes.
No matter what’s next, retailers will need to continually look to strengthen their transactional security processes and protect their businesses.
Barry McCarthy is president, financial services, at First Data Corporation, a provider of payments solutions for merchants, financial institutions and card issuers.