March 01, 2015
EMV Deadline
Wynn Salisch
Marion Roger
Recent headlines report that U.S. banks are changing what is inside your customers’ credit cards. What does this mean, and what questions should you be asking?
You are probably familiar with EMV – either you’ve traveled internationally and seen the technology in action, or you have hotels in Europe under your management. Perhaps you're involved with PCI DSS, data security or payment system technology.
EMV stands for Europay, MasterCard and Visa. Simply put, EMV credit cards will be equipped with a super-small computer chip that’s extremely hard to counterfeit. Traditional credit and debit cards’ magnetic stripes store unchanging data: copy the mag stripe and you can replicate that data over and over again, because it doesn't change. That makes traditional cards prime targets for counterfeiters, who convert the stolen data to cash.
Contrast that process with EMV. These cards are read at the point of sale by inserting the end of the card that carries the chip into a payment terminal, rather than swiping the familiar magnetic stripe. Every time an EMV card is used for payment, the chip creates a unique transaction code that can't be used again. Requiring a PIN goes a step further by also validating the user (whoever has the card in their possession) and so discourages lost-and-stolen fraud, i.e., fraud where the card owner no longer has possession of the card. However, most issuing banks in the United States have opted for chip-and-signature rather than chip-and-PIN to save consumers and retailers transaction time.
While the type of fraud against which EMV is most effective accounts for less than half of all card fraud, the numbers are still huge. In 2013 alone, credit card and prepaid debit card fraud cost $157 billion. (One third of that is $50 billion!) The 2014 fraud statistics were not out at press time, but the numbers are projected to be even higher.
After October 2015, if someone pays with a fraudulent chip card, and you’re not set up with an EMV card reader, the banks will no longer be liable – the liability passes to the merchant. That’s why it’s such a hot topic. How exactly will this affect your business? For starters, you’ll need a new processing device to read the information in the chip cards. This means adding new technology and complying with new liability rules.
One big question around the migration relates to the acceptance of PIN debit cards. A technical solution has recently been developed to implement EMV for PIN debit cards in a manner that complies with Regulation II of the Durbin Amendment to the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010.
The industry has agreed on a common AID, or application identifier. The solution assumes that every debit network that wishes to be represented in a Single Common AID on a card is in fact represented in that Single Common AID. Whether a given debit network is so represented depends on business arrangements between the debit network and other industry stakeholders. So one question to ask is: Does your payment partner participate in this system, so that a guest paying via debit card can be handled?
Another question: Are the machines you're purchasing able to work in a secure environment? One area of confusion is how the cardholder data requirements of the PCI DSS apply in an EMV environment. The purpose of PCI DSS, and of the more recent P2PE (point-to-point encryption) standard, is to protect the sensitive static payment data used for magnetic stripe transactions, both in storage and in transit during the merchant-to-acquirer segment of the payment transaction.
Encrypting cardholder data means that transaction data stolen from a POS (point-of-sale) terminal or merchant/acquirer system is rendered worthless. In theory, sensitive payment data stolen from an EMV transaction would be just as worthless, because it is dynamic rather than static and so cannot be replayed. So why don’t we skip PCI DSS and move straight to EMV?
In an EMV environment, stolen cardholder data would be useless for a fraudulent POS transaction: the criminal would not have (or be able to recreate) the corresponding physical EMV card. However, stolen cardholder data could still be used for a fraudulent online transaction as long as the merchant’s website doesn't demand a card security code (CSC) in its payment process. If an EMV reader is compromised to the extent that the conversation between the card and the terminal is intercepted, then the attacker may be able to recover both the track-two data and the PIN. That would allow construction of a mag stripe card which, while not usable in a chip-and-PIN terminal, can be used at terminals that permit fallback to mag stripe processing (a fallback offered for foreign customers without chip cards and for defective cards).
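To make concrete why copied mag stripe data keeps working while a captured chip transaction code does not, here is a small Python simulation of the issuer-side check. It is added for illustration and is not from the article or any payment vendor: HMAC-SHA256 stands in for the card's actual cryptogram, and the key, track data and terminal nonce are constructed values.

```python
import hashlib
import hmac
# Toy model of why static track data can be replayed and a chip cryptogram cannot.
# Not EMV specification code: the real ARQC is a 3DES/AES MAC under a card session
# key; HMAC-SHA256 stands in for it. The key and all sample values are constructed.
CARD_KEY = b"constructed-card-issuer-shared-key"

def _mac(key, atc, unpredictable_number, amount):
    msg = atc.to_bytes(2, "big") + unpredictable_number + amount.to_bytes(4, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()

class ChipCard:  # simulated chip: its application transaction counter (ATC) advances per use
    def __init__(self, key):
        self.key, self.atc = key, 0

    def generate_cryptogram(self, amount, unpredictable_number):
        self.atc += 1
        return self.atc, _mac(self.key, self.atc, unpredictable_number, amount)

class Issuer:  # issuer host: verifies the MAC and insists the ATC strictly increases
    def __init__(self, key):
        self.key, self.last_atc = key, 0

    def authorize_chip(self, amount, unpredictable_number, atc, cryptogram):
        expected = _mac(self.key, atc, unpredictable_number, amount)
        if not hmac.compare_digest(expected, cryptogram):
            return False  # MAC was computed for another nonce or amount, or forged
        if atc <= self.last_atc:
            return False  # counter already seen: the cryptogram is being presented again
        self.last_atc = atc
        return True

    @staticmethod
    def authorize_magstripe(track2):
        # Static data: nothing changes between uses, so a copy is indistinguishable.
        return track2.startswith("4111")  # constructed PAN prefix stands in for real checks

def demo():
    card, issuer = ChipCard(CARD_KEY), Issuer(CARD_KEY)
    track2 = "4111111111111111=25121011000012300000"  # constructed track-two data
    un = b"\x13\x37\xca\xfe"  # terminal's unpredictable number, constructed
    atc, ac = card.generate_cryptogram(2500, un)  # one genuine $25.00 chip transaction
    return {
        "stripe_first": issuer.authorize_magstripe(track2),
        "stripe_copy": issuer.authorize_magstripe(track2),  # a copied stripe still passes
        "chip_first": issuer.authorize_chip(2500, un, atc, ac),
        "chip_again": issuer.authorize_chip(2500, un, atc, ac),  # same cryptogram, rejected
        "chip_new_nonce": issuer.authorize_chip(2500, b"\x00\x00\x00\x01", atc, ac),
    }
```

Running demo() shows the stripe copy accepted twice while the reused cryptogram is refused on both the counter and the nonce check; a fresh, genuine chip transaction with a higher ATC would still be authorized.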
That’s why the other key issue is security if you opt for portable terminals (tableside in restaurants and in the bar area). Are there security vulnerabilities when data is transferred to the merchant’s POS system? The connection to the portable terminal may be encrypted Wi-Fi, or it could be commercial Bluetooth with secure pairing. These implementations are secure and proven. When evaluating the portable terminals’ security, talk with providers about what type of connection they use.
This may not be as in-depth an overview as you need, but it should help you start the dialogue as you migrate. Tune in again next issue for more recommendations.
Wynn Salisch is the CEO and founder of Casablanca Ventures. His company represents the manufacturers of about 19 different credit card processing machines with hotel, restaurant and cinema clients. Marion Roger is a regular contributor to Hospitality Upgrade.
©2015 Hospitality Upgrade
This work may not be reprinted, redistributed or repurposed without written consent.
For permission requests, call 678.802.5302 or email info@hospitalityupgrade.com.
It Pays to Buy Ahead
A Mobile Payments Alphabet Soup
A key trend that's really driving the mobile travel technology industry is the advent of near-field communications (NFC). NFC is a combination of hardware – in the form of a microchip in a smartphone – and software that enables your phone or tablet to act as an electronic wallet. Analysts at Forrester Research estimate that in-person mobile payments (which are completed via NFC technology) will reach $34 billion in annual transactions before the end of the decade, up from “only” $3.7 billion in 2014.
With NFC, consumers can access credit card information that is stored on their smartphones. In order for this to work, the merchant needs specialized hardware that can communicate with the NFC chip within the phone. Manufacturers of NFC-based mobile devices and their partners signal that we could see up to 300 million handsets in use, and NFC-based payments reaching a staggering $50 billion within the next three years.
NFC-ready POS terminals will enter mainstream deployment over the next few years. There were only about 3.9 million in 2011, and realistically the experts feel there will be more than 40 million in use by 2017. This will result in more than 50 percent of all terminals being NFC ready. In case you have not made the connection, Apple Pay® is an NFC payment system. Apple Pay works as follows: Simply tap your phone to the payment pad, wait a blink-and-you’ll-miss-it second for the beep, and you’re done and on your way. No handing over your credit card, no need to sign anything, and no receipt to deal with later.
Security breaches have created a hunger for a more secure way to interact with merchants. Apple Pay, according to the experts, is more secure than handing over a credit card for payment. The credit card number is never transmitted with the transaction; Apple Pay generates a one-time-use number for the transaction. So the original credit card is safe because you can disable payments remotely should your phone be stolen. Apple claims you don’t even have to cancel your credit cards.
Industry analysts estimate Apple already has 800 million credit cards on file as part of the iTunes® store, so adoption is not a problem. The combination of trust, security and ubiquity was powerful enough for Apple to convince big-name credit card companies such as American Express, Visa and MasterCard to sign up early, creating a mini-stampede. What’s the bottom line? When purchasing EMV terminals, ask about those that are dual-capable for EMV and NFC.