Retailers Get Ready – The Impact of EMV
If you’ve read any payment or retailer focused articles lately, you know that the upcoming EMV liability shifts promises to be one of the most significant issues facing retailers in 2015 if not the decade. Retailers are understandably hesitant to foot the bill for all new payment terminals when the jury’s still out on its long-term security benefits. Coupled with the upcoming mandate, retailers are being bombarded with new payment channels with the likes of BitCoin and CurrentC along with a revitalization of the NFC with ApplePay and Google Wallet. All these factors combined will make for a very interesting next year in the payment industry. Retailers need to know there are many different options for EMV implementation and you must find the one that optimizes your core business functions.
Payment Card Industry is the Wild West
There are an estimated 1.24 billion payment cards and 15.4 million POS terminals currently in use, worldwide. With thousands of payment processors, payment gateways, tokenization solutions, and now transaction authentication solutions all over the place, what are retailers to think? Is EMV the long-term security solution that will save the day? Allen Friedman, Associate Director at TSYS Acquiring Solutions believes, “the incredible financial toll that fraudulent card-present transactions exact on all parties in U.S. commerce, from consumers to merchants to card issuers, is one of the biggest problems the industry faces. It requires an immediate solution. That solution is the EMV standard. I would agree completely. While not a fail safe or perfect solution, EMV lays the foundation for complete standardization for all involved in the payment card industry. Annual costs of card fraud in the U.S. alone are estimated at $8.6 billion per year. The adoption of EMV would reduce that number significantly.
PCI Compliance is Never Fun, But Necessary
I regularly consult with companies in all industry verticals; guiding them through the labyrinth of payment security standards and requirements. In most cases, payment acceptance is not their core business. They just want it cheap, fast, and unobtrusive. The choices and regulations between these sometime competing payment technologies is overly burdensome to most small to mid-sized business. When given the choice, they would much prefer to offload not only the payment process itself but the difficulties and risks associated with accepting payment card data.
The EMV mandate certainly pushes the bar further in terms of reducing card present fraud within the industry however a direct and immediate benefit to retailers remains to be seen. The PCI council has long pushed the concept regarding payment card data of “If you don’t need it, don’t store it.” With breach after breach in the news today, this advice seems antiquated at best and frankly doesn’t address the real underlying problems. Within my practice, I regularly advise clients, “If you don’t need it, don’t take it.” In today’s market, the options for offloading or tokenizing payment card data are numerous and easy to implement. If payment processing is not a core element of a business, the risks and fines associated with doing it in house can far outweigh the benefits.
Fully Integrated Vs. Semi-Integrated Payment Environment
VAR’s (Value Added Re-Sellers), Integrators and merchants all have to assess EMV implementation and determine the level of integration. A fully integrated payment application is inseparable with the core POS solution. A single piece of software handles every aspect of the transaction. With a semi-integrated environment, the terminal or peripheral device used to capture payment card data is connected to the POS, but the application used to actually process card payments is on a separate device.
In a fully integrated environment, any changes to the POS will require recertification from the card issuer. This includes new hardware or upgrades and anything in your POS roadmap that affects your acceptance of payment cards. Recertification does cost a lot of money and the financial burden falls on merchants.
With Semi-Integration, the POS and associated acceptance channels can be changed as necessary without the need for payment application recertification. Semi-Integration takes core POS channels out of scope for EMV approval by card brands. Payment data transmission is limited to the payment platform and the processor. i.e. Data never touches the POS and that can potentially take POS applications out of scope for PCI.
At the end of the day, there are several different integration strategies that you must look at to satisfy Omnichannel payment processing. With Semi-Integration, you get the best of all worlds and maintain your freedom to choose payment solutions that are conducive to your processing environment. This implementation must be cost beneficial, but more importantly than any other aspect is securing your customers data, while remaining fully PCI compliant. Full Integration is problematic if you decide to use different payment applications for different channels, because most Full Integration solutions do not play nice in the layered technology approach.
Tokenization, Authentication, Oh My
The adoption of EMV has illuminated the power of tokenization and why it is so necessary for merchants. The recently created EMV tokenization guideline aims to solve the underlying problems by allowing retailers to remove payment card data from their environment. This is a great first step forward as a whole however at the time of this article, only ApplyPay is able to utilize this standard with its associated increased costs and fees. Retailers get the benefit of EMV Tokenization but at the cost of more fees and only for select iPhone users. The market needs better broader solutions.
Stay tuned, as we jump into Tokenization, Consumer Authentication, and all of the other nuances of EMV adoption. TokenEx is a tokenization platform that allows unlimited flexibility in how you access, store, and secure your data, while remaining processor agnostic. Follow us on Twitter and LinkedIn.