Busting Chip-and-Pin Upgrade Myths
In the wake of major retail security breaches such as those at Target and Home Depot, and shocking credit card fraud numbers ($16.3 billion worldwide), smart operators have taken a second glance at their security infrastructure.
Among their concerns is an October 1 liability change for fraudulent card charges. After October 1, fraudulent swipes of a chipped credit or debit card fall on the merchant instead of the bank. But despite that shift, even the most security-conscious restaurants seem to be holding off on EMV upgrades, commonly known as chip-and-pin processing.
If you didn’t know anything about EMV, well, you’re not alone. According to a Newtek survey of 990 business owners, 71 percent didn’t know anything about the deadline.
And according to a survey done by Wells Fargo/Gallup, just 31 percent of small businesses have chip-and-pin technology, and only 29 percent say they intend to change anything before the October 1 liability deadline. But 21 percent say they never plan to upgrade.
That 21 percent might just have the right idea. EMV—which stands for Europay, MasterCard and Visa—looks more and more like an awkward baby step toward a truly secure point-of sale-system. The October 1 deadline is being met with apathy by many businesses for several reasons.
First and foremost, the cost is a concern. Upgraded chip-and-pin units cost between $150 and $600; throw in the other software upgrades, time to get it all working, and training employees on the new system and that is no small expense.
Secondly, the security measure just doesn’t go far enough. Despite the “chip-and-pin” moniker, the U.S. version is chip-and-signature. That means while spoofed cards from breaches like Target will be useless, a stolen card is just as easy to use fraudulently.
Third, very few thieves are going to risk criminal charges to get lunch. The vast majority of fraudulent charges are online or spent on big-ticket items like electronics.
Fourth, only one third of people will have EMV capable cards by the October 1 deadline. Most new cards will have a chip, but the long life of credit cards means many consumers won’t have one for years.
“The restaurant will only be responsible for fraudulent charges made in the restaurant with a EMV-enabled chip card,” said Jessica Bryant from POS vendor NCR.
Finally, it’s slow. Restaurants looking to speed up the line will be aghast at the 15-20 seconds of additional transaction time.
“After EMV implementation, consumers will need to ‘dip’ and hold their payment cards in the payment terminal and the card must stay in the terminal for the entire transaction,” said Bryant. “This will have an impact on speed of service.”
Chipotle has said it won’t be upgrading to EMV, and it’s no wonder when throughput depends on every second. Bryant suggested that retailers looking to upgrade should push for NFC payments first, especially with the rise of ApplePay and other mobile payment options.
Bryant also wanted to bust some of the myths out there surrounding EMV, and there are many:
- Myth 1: Implementing EMV in your restaurant is required.
Fact: If you are a restaurant operator, no government agency or industry association is requiring you to implement EMV. This is not a deadline.
- Myth 2: EMV is required for complying with PCI Data Security Standards.
Fact: While EMV can be one component of your data security, it is not required or mandated by PCI DSS, nor will implementing EMV make you PCI compliant.
- Myth 3: Once you implement EMV, you will no longer be able to accept credit cards with magnetic strips
Fact: Regardless of whether or not you have implemented EMV, you’ll be able to take all cards in your restaurant through the same terminal.
- Myth 4: EMV protects your restaurant from a data security breach.
Fact: Implementing EMV alone will not protect your restaurant’s system from being hacked. While EMV protects you from counterfeit card use, it’s not the end-all-be-all of restaurant security.
- Myth 5: EMV will rapidly achieve mass adoption by both credit card issuers and other restaurants.
Fact: Industry experts are saying it will take 3-5 years in order for EMV to reach full acceptance in the U.S., and actually in Europe the adoption took much longer.
- Myth 6: If you don’t implement EMV, you won’t be able to accept credit cards after October 1.
Fact: Even if you do not implement EMV-enabled payment devices by October 1, your business will run the same as it did on September 30, aside from the liability shift.
- Myth 7: Transitioning to EMV is as simple as plugging in a new payment terminal.
Fact: Making your restaurant EMV ready can involve a lot of discussions, questions and planning about different things: your POS system, your payment processor and the right kind of terminal devices as well as training staff.
- Myth 8: You do not need to need to worry about PCI requirements if you use EMV.
Fact: EMV chip technology improves the security of processing credit card transactions, but does not remove your requirements to comply with the Payment Card Industry Data Security Standards.