Plotting a Course for EMV Compliance


PCI compliance...EMV compliance—by now, you’ve heard repeatedly that your store or restaurant must be EMV-compliant by the recently passed October 1, 2015 deadline—or else. You know that a lack of compliance puts you at risk of financial liability for fraudulent card-present transactions as well as possible penalties and sanctions imposed by the card networks. You understand the other benefits of boarding the EMV train. Now, all you want to do is to achieve EMV compliance, and all you want to know is how to get there.

In this eBook, we’ll explain the facts and lay out a roadmap to follow so that your business is EMV-compliant AS SOON AS POSSIBLE—and is protected in the event of a security breach by being fully PCI compliant.


Let’s get started.

How the Liability Shift Affects Transactions, Where PCI Comes In, and Some Myth-Busting

In general, as of October 1, 2015, liability for card-present transactions (transactions completed in a brick-and-mortar establishment rather than online) moves from the card issuer to the merchant, unless the merchant has upgraded its POS hardware and software to accept chip cards manufactured in line with the EMV standard. The similarities in the way the liability shift affects transactions stop here, however, because the EMV parameters differ from card brand to card brand.

For example, starting on the liability shift date, MasterCard will exempt merchants from 100 percent of account data compromise penalties if at least 95 percent of MasterCard transactions that originate in their stores are handled on EMV-compliant POS terminals. By contrast, as of that same date, Visa will simply hold “whichever party is the cause for a chip-card transaction not occurring”—in other words, a merchant whose terminals are not EMV-compliant—responsible for any losses stemming from fraudulent transactions occurring in its store(s). American Express will transfer liability for “certain” types of fraudulent transactions away from the party that has the most secure form of EMV technology.


Parameters also differ when it comes to the relationship between EMV compliance and compliance with the Payment Card Industry Data Security Standard (PCI DSS). On October 1, 2012, Visa began providing PCI audit relief to merchants if more than 75 percent of their Visa transactions originate from EMV-compliant POS terminals. MasterCard started offering the same relief, using identical parameters. But beginning on October 1, 2013, only American Express released merchants from PCI DSS reporting requirements if their “POS locations—where at least 75 percent of their transactions occur—are enabled to process American Express EMV-based contact and contactless transactions.”

It’s important not only to understand how PCI compliance “touches” EMV compliance, but also to dispel a few common PCI compliance-related misconceptions. Unless you know the truth behind these three misconceptions, achieving EMV compliance will be difficult, if not impossible.

Myth: My POS provider is PCI-compliant, so I’m PCI-compliant.

Reality: Software vendors and other entities that develop payment applications are subject to different data security standards than merchants. As a payment application (PA) provider, your POS company MUST be compliant with the latest version of PCI PA-DSS (PCI PA-DSS Version 3.1). But to be fully PCI compliant, you—the merchant—MUST meet all of the merchant requirements of PCI DSS 3.1 to achieve POS compliance from your side.

Myth: PCI DSS is only a recommendation and not a requirement.

Reality: PCI DSS is a mandate enforced by all payment brands. Every entity that stores, processes, or transmits any information recorded on credit and debit cards must adhere to the standard. Those that do not are subject to fines and the enforcement of more stringent PCI DSS compliance requirements (and the accompanying costs). Suspension or expulsion from card processing networks for non-compliance with the PCI DSS is also possible.

Myth: My operation doesn’t process many credit card transactions, so I’m exempt from compliance.

Reality: No matter the number of credit card transactions you process in your store or restaurant, PCI DSS requirements apply. So, too, do the consequences of non-compliance.


Now that you understand how the EMV liability shift affects transactions and where PCI comes into play (we’ll cover more of the latter later on in this eBook), it’s time to get on the road to EMV compliance. Let’s break it down into six steps.

Navigating the Bumpy Road to EMV Compliance

Step 1: Examine Your Existing Hardware

Terminals and peripherals: Make a list of the POS equipment you have, so you can do a fair comparison when you shop for new hardware that handles EMV transactions. Do you have standalone terminals with separate magnetic stripe readers and/or PIN pads? Do you have a pre-configured, “canned” software package that works with your existing POS terminals (or electronic cash register, if you still have one)? Is your POS configuration a more customized one?

Mobile payments: Is your operation equipped to accept mobile payments? If so, and if mobile payments are processed on your POS terminals using near-field communications (NFC), you’re at an advantage EMV-wise because NFC is an enabling technology for contactless chip card payments. If you don’t accept mobile payments, consider doing so. Increasingly, consumers want to make mobile payments from NFC-enabled smartphones and may defect to a competitor if you don’t offer a mobile payment option. Now is a great time to go mobile if you’re already upgrading for EMV. Why upgrade again in the next few years—and pay the financial price—if you can do it all now?

Step 2: Approach Payment Processors and POS Vendors About Options

Vendors and payment processors have been working diligently to develop EMV-compliant hardware and software, including:

Non-integrated POS: These comprise standalone terminals and peripherals—e.g., a POS terminal with a separate PIN pad.

Semi-integrated POS: In a semi-integrated environment, the terminal or peripheral device used to capture credit card data is connected to the POS application. However, the application used to actually process card payments resides on a separate device.

Fully integrated POS: In fully integrated POS configurations, no separate device hosts the payment processing application; all elements are “linked” with each other.

Step 3: Get a Handle on Terminal Certification Requirements: EMV Level 3 Certification Required

EMV-enabled terminals and accompanying POS software must be certified by EMVCo, an organization that manages, maintains, and advances EMV specifications and handles testing and similar tasks related to EMV.

Level One and Level Two Certification: Level One and Level Two certification testing assesses and attests to the security of the technology in question, as well as to its interoperability with other hardware/software brands. Apps designed to facilitate EMV adoption must also be evaluated and vetted via Level One and Level Two certification testing.

Level Three Certification: Level Three Certification testing involves assessments of every type of transaction a given terminal can perform to ensure the unit’s integrity. These assessments are performed by the payment processor, acquirer, and, if applicable, the independent software vendor (ISV).

Regardless of whether you have a standalone terminal, a generic point-of-sale solution, or a customer-specific solution, you’re going to need EMV Level 3 certification. A couple of things to keep in mind about Level 3 approval:

1. Level 3 Certification can take anywhere from four to eight weeks to finalize.

2. Any changes made to your solution will force the provider to go through a recertification.

Consult with your payment processors, acquirers and ISVs for advice about what’s involved for you to become EMV Level 3 certified.

Step 4: Select and Purchase New Hardware

In doing so, consider:

Budget: By most estimates, the price of EMV-compliant hardware can range from $100 to nearly $1,000 per terminal, depending on the extent of equipment needed. Software upgrades are extra and can raise the price considerably.

Business needs and wants: Make a list of features and components that you must have versus those that would be nice to have. For example, there are two kinds of chip cards: chip-and-PIN and chip-and-signature. Chip-and-PIN transactions are verified by reading the chip and having the customer enter a PIN; chip-and-signature transactions, by reading the chip and capturing the cardholder’s signature. Issuers decide which type of card to distribute. Most chip cards issued in the U.S. are of the chip-and-signature variety, but a majority of those issued abroad are chip-and-PIN cards. If you cater to many visitors from abroad, POS technology that accommodates chip-and-PIN is a must-have; otherwise, it may be “nice to have.”

Future growth: Your EMV-compliant system should be scalable, so as to minimize additional expenditures down the road.

Step 5: Ensure Proper Staff Training

Implementing any new equipment means training staff on how to use it—and EMV-compliant POS hardware is no exception. Instruct employees to enter transaction amounts before customers insert their credit or debit cards into the card reader. Employees must also be told to insert EMV cards chip end first, with the chip side facing upward, and to leave cards in the terminal for the entire duration of the transaction. Tips must also be entered at this time rather than manually added after the actual transaction has been processed. This poses a problem for table service restaurants. For traditional pay-at-the-table establishments, a rugged tablet POS device that is EMV-enabled is the best solution. Most, if not all, terminals and EMV-enabled devices emit a sound to indicate that a transaction is complete.

Step 6: Educate Customers

Making the switch from swiping their cards to inserting them into a terminal (and leaving them there throughout the transaction) is a big change for most consumers, making customer education about EMV a “must.” Consider using signage to communicate the step-by-step EMV transaction process—for example:

Step 1: Insert your card chip-first, with the chip side up.

Step 2: Enter your PIN or add your signature when prompted.

Step 3: Leave your card in the terminal until you hear the beep.

Step 4: Don’t forget to remove your card when the beep sounds.

Additionally, ask all staff members to encourage customers to use the new EMV-compliant technology, and to walk them through the process step-by-step if they appear at all uncomfortable about it. Customers’ comfort level with performing chip-card transactions will also be higher if employees can properly answer their questions. Role-playing exercises that show staff members the best way to respond to questions should be incorporated into employee training.


Understanding the Bigger Picture: EMV and PCI

Clearly, migrating to POS technology that can handle EMV transactions is an important step for retailers and restaurant operators alike. However, as mentioned above, EMV is only a piece of the larger PCI puzzle, and achieving PCI compliance doesn’t mean simply deploying an EMV-enabled terminal or terminals. It also entails adhering to the 12 PCI DSS requirements designed to enhance data security throughout the entire transaction, from the card reader to the POS server, and from the moment transaction data is captured at the POS to the time of settlement. These 12 requirements, which should be accounted for when upgrading hardware and software on the road to EMV compliance, encompass the following:

1. Install and maintain a firewall to protect cardholder data. This helps prevent attackers from gaining access to the network on which cardholder data travels from payment terminals to the point where transactions are processed.

2. Do not use vendor-supplied default passwords for any store system or network. Set your own passwords and change them regularly.

3. Safeguard stored cardholder data. Encryption is one way to do this.

4. Encrypt transmission of cardholder data across open, public networks.

5. Protect all systems against malware. Regularly update anti-virus software and programs.

6. Develop and maintain secure systems and applications. Create and follow a maintenance schedule for each one.

7. Restrict access to cardholder data by business need-to-know. If an employee’s responsibilities do not necessitate access to cardholder data, configure your software so that that individual cannot view such information. For example, while a restaurant manager would need to see customers’ card numbers for certain business purposes, a server or runner would not.

8. Develop and implement rules and policies that govern user-specific and guest access to your systems.

9. Restrict physical access to cardholder data, for example by locking up hardware (laptops, etc.) that contains such data.

10. Track and monitor all access to network resources and cardholder data.

11. Regularly test security systems and processes.

12. Develop and maintain a policy that addresses information security as it pertains to all staff members.

Conclusion

Migrating to EMV and then to full PCI compliance is a process that doesn’t have to be painful! Working with experts can save you (a lot of) time, (tons of) effort and, for sure, down-the-line costs.

Fortunately, as EMV/PCI/POS experts, we’re here to help you every step of the way. For more information and to get the answers to all your EMV and PCI questions, call us today at 877-968-6430.

www.pdqpos.com | www.touchdynamic.com