Recently, I drove my son David back to college, from Denver to Tuscaloosa (Roll Tide!). This is about 20 hours of drive time, pure windshield time with my oldest son. I love to road trip. My soon-to-be 20-year-old slept a great portion of the trip, he denies it, but snoring he was; it gave me time to think. Work, life, more work, finances and work were the main topics, but inevitably my thoughts were to being drowsy, loopy or worse: nodding off and on at that accident on the side of the road. It was at that point I realized this is exactly where the industry is with EMV: falling asleep at the wheel.
For those of you that missed it, EMV (which unfortunately means Europay, MasterCard and Visa) is a solution that relies on a special chip in your credit card or debit card that makes the transaction more secure. In most of the world, this means chip and PIN, requiring a personal 4 to 6 digit number in combination with the chip/physical card. For real protection, you need to couple this with point-to-point encryption (P2Pe) and tokenization, thus removing all card data off your networks, computers and servers. If there is one thing you take from this article, let it be this: Do not deploy an EMV solution without P2Pe and tokenization. They are far more important to reducing your threat footprint and protecting data than EMV alone.
In 2012, several technology leaders in the hospitality industry got together in Lake Tahoe (be-au-ti-ful) for the CIO Summit, and Visa came out to get us up to speed on this new requirement. There was discussion on improved guest security, reduced fraudulent transactions from counterfeit cards, and of course, the dreaded “liability shift.” Visa laid out a great plan to protect the revenues for the card issuers and the merchant banks while shiftingthe majority of the risk to the hotelier or restaurant owner. Starting in October 2015, any transaction disputed where the card has a chip but the merchant could not process the transaction as EMV, automatically is awarded to the client. These disputes are like that check engine light; we know something is wrong, but in this case, no one can help fix it.
>>> TAKEAWAY
Do not deploy an EMB solution without P2Pe and tokenization. They are far too important to reducing your threat footprint and protecting data than EMV alone.
I'm not gonna lie,
I LOVED THE THOUGHT OF EMV, CHIP AND PIN.
More secure, higher likelihood of the actual guest at the front desk being the cardholder, supposed to reduce fraud as a result of loss or theft. I have seen this work all over Europe and in Canada. It is now seamless to the consumer and to the merchant, in most other places in the world.
Counting the dead bugs on my windshield during my overnight drive through Little Rock, reality set in. The rest of the world lives in countries where banking is much more centralized, often to one or two banks. In the United States we have the New York Subway Map of transaction settlement: tons of banks, plus a dozen credit card networks, 30 ATM networks, a bushel of processing companies, and a smorgasbord of partners at each level. Unscrambling this mess to make things even approach working, was/is a Herculean task.
And, well, um, there is no easy way to say this; the American consumer is lazy and stupid, at least when it comes to credit cards where they have zero reason to be diligent. The consumer has nearly zero liability for charges made on a lost or stolen card, so there is absolutely no incentive for our customers to protect themselves. Plus, most find it easier to remember their coffee order (Tall black with two shots: BlackEye) than to remember their PIN (1234 or 4321?), so when dipping their debit card into an EMV reader, many are left settling their bill via another payment method.
I see the lines at Target and Kroger where people are befuddled when the system prompts them to enter their PIN, and angry/frustrated when the clerk cannot do anything to force the transaction through.
Worse, guess what? Every retailer in the world is afraid of Amazon. The last thing the Walmarts of the world wanted was a harder path for customers to do business with them (thanks to one-click Amazon Prime). Gas station and convenience store operators chime in with demands that the cards be chip and choice vs. requiring a PIN. Chip and choice solves two problems for guests: No need to remember that really hard four-digit number, and the business can continue to conduct business as it did prior to EMV.
The card disputes are increasing at a dramatic rate. Guests on the “fringe” of legality have figured out that they can dispute large charges in non-EMV environments and have no backlash, except for getting a new card, which they are getting every month anyway with all the breaches. We are seeing hotels with $5,000 a week in disputes and climbing.
A sudden shift into the fast lane, leaving the tractor-trailer of chip and choice in the right lane, and U.S. card issuers are starting to force chip and pin, because even the big box retailers realized that the dispute levels with chip and choice are more than any crystal ball predicted (Walmart is suing over the debit PIN being routed to signature instead). MasterCard announced in February at the Elavon conference that all business cards would be chip and PIN by Jan. 1, 2017. I expect that AmEx and Visa will follow suit, first with business payment cards and all cards soon after. So, it’s time to start working on a mnemonic for your PIN, and a pay-at-the-table solution for your POS.
Moving out of cruise control is really hard for large hotel companies (brands). They are not prepared to be agile when it comes to common PMS and POS. (And, don’t get me started on common vaults.) Other than Starwood there is not a major brand solution for EMV/P2Pe/tokenization, and even Starwood has yet to have a cordless device to allow guests to dip their cards and enter the PIN. One major hotel chain has decided the problem is not worth the solution, and has halted all plans to deploy EMV in the foreseeable future. The impact to the company is around 10 percent of the cost to cure, but I am not sure that it has taken into account the amount of chargebacks impacting franchise owners. This large brand also mandates POS, again with no solution for EMV at this point.
Hotels are left with an overheated car, in Pottsville, Ark., on a holiday weekend. Hardware is not able to meet the needs of the guest, the brands are not ready for prime time, and the dates to get there shift like the sands in the Sahara; June becomes September and September is now December. The fact is, it is likely that the vast majority of hotels will not have an EMV solution prior to the end of the first quarter in 2017, and frankly I think July is a more realistic timeline. In short, Gomer is off until Tuesday, and then if he has to order parts, it might be a week or so to get the radiator fixed.
What is left for the next nine months is that drowsy head dipping, five-hour energy enhanced driving that you get at 2 a.m. when you are three hours out of Memphis and your Pandora is stuck playing Golden Earring’s greatest hits
JEFFREY PARKER IS THE VICE PRESIDENT OF IT FOR INTERSTATE HOTELS AND RESORTS.
©2016 Hospitality Upgrade
This work may not be reprinted, redistributed or repurposed without written consent.
For permission requests, call 678.802.5302 or email info@hospitalityupgrade.com.