In the payments world, we all know that security is one of the most important aspects of completing a credit card transaction. Take this situation for instance: A customer walks into a small retail store to buy some clothes. They pick out $500 worth of clothes and proceed to checkout with the cashier. This customer uses a stolen chip credit card they picked up on the sidewalk earlier that day to make their payment, and to their luck, the business has not implemented EMV acceptance at their point-of-sale. In this instance the customer is able to sign for the purchase and make off with the clothes spent with someone else’s money. This then leads to a chargeback initiated by the true owner of the credit card and the merchant is now out the $500 from the sale.
This may have had a major impact on the business to be out $500, but there have been situations where businesses have lost thousands of dollars because of a single fraudulent or counterfeit transaction. In fact, Verifone reported that 1.47% of revenue was lost to fraud for all businesses in 2016 which is 54% more than 2014 (0.68%). To avert something like this happening to your business, it is best to keep in mind these 3 security prevention measures (and PolyPay’s recommendations) when deploying your credit card terminal or POS system:
Like mentioned in the previous example, being able to accept EMV chip cards in 2017 is a must in order to reduce the scope of risk at the point-of-sale.
EMV technology was implemented in the US in 2015 through the ‘liability shift’, which leaves merchants (rather than the banks) liable for chargebacks related to chip card transactions that could not be processed on the credit card terminal via the chip. This shift acted as a push for businesses to adopt EMV since they could be negatively affected by chargebacks related to fraudulent transactions. Since then, Visa has estimated nearly 1.75 million merchant terminals of over 12 million in the US are ready to accept EMV transactions with nearly 75% of them being small to medium sized businesses. This number will increase dramatically over the course of 2017 with more than half of all businesses in the US expected to accept EMV by the end of the year.
As a reminder, EMV acceptance is not a secure enough solution by itself to prevent fraud and breaches. EMV is able to authenticate the card at the point-of-sale to prevent counterfeit and lost-and-stolen fraud, but it does not protect the cardholder sensitive authentication data. This is where encryption comes into play.
Encryption of Information
To further enhance the security of the credit card transaction process, it is crucial for a business to implement encryption technologies at their point-of-sale. This process is also known as point-to-point encryption (P2PE) or end-to-end encryption (E2EE). Each method uses an encryption algorithm to hide sensitive credit card information like the primary account number (PAN) when it is swiped, inserted, tapped or manually entered. This encrypted information is sent off for approval and can only be decrypted with the corresponding decryption system used by the acquirer (or processor).
This security technique, when implemented correctly, nearly eliminates the ability for a fraudster to access sensitive card information. Even if they did access it, the information is ‘de-valued’ because it cannot be decrypted except by the secure decryption environment. Businesses can rest easy at night knowing their customer’s card information is protected.
What makes encryption even better is that it will also simplify the process of becoming PCI compliant.
Another tool that businesses should utilize to enhance their security is through PCI Compliance. The Payment Card Industry Data Security Standard (PCI DSS) is a compliance requirement created by the major card brands (i.e. Visa, Mastercard, Discover) that distinguishes whether a business is taking the appropriate measures to protect cardholder and other sensitive information that is processed, stored or transmitted by the business. Compliance is determined after a business owner has completed a self-assessment questionnaire (SAQ) that reviews the security systems in place for their point-of-sale, Internet and other mediums.
PCI compliance may also include a Network Vulnerability Scan that occurs on a frequent schedule to monitor and protect potential weaknesses in current online systems. This only applies to some processing environments but is a great tool to help prevent a data breach.
If a business is not PCI compliant with their processing provider, it is likely they will be assessed a monthly fee until they become compliant. Non-compliance also leads to the greater chance of a data breach where a business can be substantially fined by the card associations, or worse – get run out of business.
We have consistently been asked why EMV is a required security measure that all businesses need to adhere by. The real answer is this: you are not required to accept EMV chip cards, but it is the best practice to avoid the risk of fraud and chargebacks. There are many businesses out there like auto repair shops that know their customers well and do not experience any chargebacks. These businesses may opt out of EMV acceptance because of the delayed transaction time, cost of adoption or simply because they personally don’t like it. We leave the power in their hands, but ultimately accepting EMV cards will better protect the business.
Furthermore, the task to enforce EMV to all businesses in the US is proving to be difficult and time-consuming. Between lagging equipment certification time frames and expensive EMV point-of-sale systems, businesses are fed up with the payments industry pushing this on their plates. For instance, restaurants were not even able to adjust tips for EMV transactions until October 2016 – a whole year after the 2015 liability shift. We feel the industry should have been more prepared to enforce EMV with the basic functionalities figured out ahead of time.
Finally, we get that PCI compliance can be a difficult process. Most business owners do not have the time to fill out a questionnaire once a year on how they accept and store payment information, yet they are willing to eat a non-compliance fee every for month they are not compliant. In the best interest of the business, we recommend taking the time to complete the questionnaire and avoid the extra fees. It may also help to understand where a security problem-area is!
It is still important that business owners keep security at top-of-mind when utilizing a credit card terminal or POS system at their business. Moving into 2017 we should all understand that card-not-present fraud is on the rise, but fraud at the point-of-sale is still prevalent. PolyPay can prepare you for 2017 with an EMV-ready device at a competitive cost. Reach out to us to find out more about the EMV-capable and encrypted solutions we can provide your business.