As the EMV liability shift gets closer, VARs should work to prepare merchants to support this new payment type in mobile POS and other solutions.
Two key events stand to make POS security more complex this year: the adoption of mobile POS solutions and the impending October 2015 Europay, MasterCard, and VISA (EMV)-related “liability shift.” Merchants who have not deployed contact chip technology at the point of sale will take on additional liability for counterfeit transactions if a chip could have prevented the fraud.
According to the vendors interviewed for this story, the biggest security threats continue to come from hackers or others who are trying to obtain or tamper with cardholder data. “Nearly every single payment security breach over the last few years involved data being stored or transmitted unencrypted within the merchant’s payment system and usually involved the front-end POS solution,” says Shan Ethridge, vice president and general manager, North American financial services group, Verifone. “Without a doubt merchants need to find a way to support electronic payments without capturing card information within the POS system itself.”
One entry point for these hackers: the WiFi network at the store. “Many merchants are still sharing their networks with their customers,” says Dan Dufault, vice president of sales and marketing at UP Solution. “But this creates a huge security hole for their business because unidentified people or groups can easily access the network and scan for any business-related or private information at any time.”
Merchants are keenly aware of the potential for data breaches and their consequences, which is why EMV is so important. “Most tier-one merchants are already well down the path of implementing EMV payment acceptance solutions, which, with encryption and tokenization, will help enhance security in both mPOS and fixed terminal environments,” says Scott Holt, vice president of marketing and solutions, Ingenico Mobile Solutions. “Many SMBs have not yet started their EMV transitions. SMBs should look to partner with an EMV-certified mPOS platform that includes hardware, software, and support.”
For most merchants, vendors recommend moving to semi-integrated POS solutions, which decouple payment data from the POS application and encrypt card data at the payment terminal for delivery directly to the merchant’s processor. This reduces the possibility of card data breaches while also taking the POS application out of PCI DSS scope.
“VARs and ISVs play a critical dual role in delivering solutions that not only minimize the exposure of sensitive information, but also use many of the security best practices and technology available in the market today,” says Marc Castrechini, vice president of product management, Cayan (previously Merchant Warehouse).
EMV Liability Shift Looms
The adoption of EMV in the U.S. could take a decade or more, but the liability shift coming up in October is a critical step, particularly for smaller merchants who might otherwise be left absorbing fraudulent charges. “As larger merchants adopt EMV, cardholder data no longer has value for the reproduction of cards,” says Castrechini. “It is likely that the fraudsters and thieves will migrate to the next point of least resistance, which could mean small and midsize retailers. Here’s why: Because mass data will not be available through a single major outlet, fraudsters will likely shift their strategy to collect from many smaller targets.”
VARs should work with smaller merchants to educate them about the potential impact of the EMV liability shift. “They also need to inform them of the reality that issuers will be distributing EMV cards in large numbers to cardholders in coming months, which is going to prompt a change in consumer behavior,” Ethridge says. “As consumers are encouraged and begin to use EMV at large retailers, they will want to use EMV everywhere.”
Smaller merchants may see security breaches as a big-box store problem; it will be up to VARs to bring many of them around on mobile POS security and EMV. “What they need to understand is how the shift in liability will work and what penalties they risk facing if they don’t comply,” Holt says. “Maybe they think they’ll just take the hit and pay the penalties, but for a smaller business those penalties can add up fast.”
EMV acceptance at the POS requires end-to-end certification through the merchant or POS acquirer, which can be time-consuming and complex. Work with acquirers now on getting those certifications for EMV transactions. It’s important for the VAR to be able to implement both contact and contactless EMV solutions.
“Solutions providers should be proactive in checking with their vendors to ensure their mobile POS solutions are EMV-compliant and also certified by all the major processors; not all of them are,” Holt says. “Solutions should also offer end-to-end encryption and tokenization, and every merchant should enable those features, as they may be optional.”
VARs should also talk to merchants about the new application possibilities EMV presents. Companies can adopt more customer-facing payment solutions like mobile POS or pay-at-the-table systems at restaurants. “While this may not be a comfortable and accepted way to process transactions in the U.S., EMV is actually a better way to secure the transaction and have a safe card payment environment for both merchants and customers,” Dufault says. “Therefore, VARs and ISVs should be aware of EMV’s advantage and be able to explain the benefits of EMV to their merchants.”
Quiz Your Vendors
The EMV standard already provides security improvements over mag-stripe, but many merchants are choosing to go above and beyond because of the recent high-profile data breaches. VARs and ISVs should check with their vendor partners to ensure that they offer multi-layered security solutions and find out how those layers are applied. Do their mobile POS solutions provide end-to-end encryption? Do they provide tokenization?
Find out where cardholder data is stored, and determine if their EMV solution has been certified to industry and card-brand security standards. Further, make sure the EMV solution is already certified by the major processors.
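The semi-integrated design recommended earlier, and the tokenization and “where is cardholder data stored” questions in this checklist, can be made concrete with a small model. The following Python is an added example written for this article; it is not code from the article or from any of the vendors quoted. The `ProcessorVault` and `PaymentTerminal` classes are stand-ins for the processor’s token vault and the payment terminal, the card numbers are constructed Luhn-valid test numbers rather than real cards, and encryption on the wire between terminal and processor is assumed rather than modelled. The `pci_scope_scan` function at the end is the kind of check a VAR can run over a POS’s stored records to confirm that no full PAN is present.

```python
"""Integrated vs. semi-integrated POS: where the PAN ends up (added example)."""
import re
import secrets
from typing import Callable, Dict, List

# Constructed, Luhn-valid test card numbers (not real cards).
SAMPLE_PANS = ["4111111111111111", "5555555555554444"]


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, used to tell PAN candidates apart from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# 13 to 19 digits, optionally separated by single spaces or hyphens.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(text: str) -> List[str]:
    """Return every Luhn-valid 13-19 digit run in text, separators removed."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


class ProcessorVault:
    """Hypothetical processor-side token vault: the only place the PAN is kept."""

    def __init__(self) -> None:
        self._vault: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        # 12 hex characters can never form a 13+ digit run, so a token
        # cannot be mistaken for a PAN by the scope scan below.
        token = "tok_" + secrets.token_hex(6)
        self._vault[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._vault[token]


class PaymentTerminal:
    """Hypothetical semi-integrated terminal: reads the card, sends the PAN to the
    processor (encrypted transport assumed, not modelled) and returns only a token
    and a masked PAN to the POS."""

    def __init__(self, vault: ProcessorVault, card_reader: Callable[[], str]) -> None:
        self._vault = vault
        self._read_card = card_reader

    def capture(self, amount: str) -> Dict[str, str]:
        pan = self._read_card()
        token = self._vault.tokenize(pan)
        masked = "*" * (len(pan) - 4) + pan[-4:]
        return {"token": token, "masked": masked, "amount": amount}


def integrated_pos_sale(amount: str, card_reader: Callable[[], str], storage: List[str]) -> None:
    """Legacy design: the POS application reads the card itself and writes the
    full PAN into its own transaction store."""
    pan = card_reader()
    storage.append(f"SALE amount={amount} pan={pan}")


def semi_integrated_pos_sale(amount: str, terminal: PaymentTerminal, storage: List[str]) -> None:
    """Semi-integrated design: the POS never touches the PAN; it stores only
    what the terminal returns."""
    resp = terminal.capture(amount)
    storage.append(f"SALE amount={resp['amount']} token={resp['token']} card={resp['masked']}")


def pci_scope_scan(storage: List[str]) -> List[str]:
    """Return the stored records that still contain a full, Luhn-valid PAN."""
    return [rec for rec in storage if find_pans(rec)]


if __name__ == "__main__":
    read_card = lambda: SAMPLE_PANS[0]   # constructed stand-in for a chip/swipe read
    legacy_store: List[str] = []
    integrated_pos_sale("12.50", read_card, legacy_store)
    print("integrated POS records in scope:", pci_scope_scan(legacy_store))

    vault = ProcessorVault()
    modern_store: List[str] = []
    semi_integrated_pos_sale("12.50", PaymentTerminal(vault, read_card), modern_store)
    print("semi-integrated POS records in scope:", pci_scope_scan(modern_store))
```

Run as a script, the integrated store shows one record flagged by the scan and the semi-integrated store shows none: the token and the masked card value are all the POS ever holds, and only the processor’s vault can map the token back to the PAN. The same `find_pans` scan applied to POS logs, receipts and databases is a quick way to answer the “where is cardholder data stored” question before asking a vendor about it.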
“EMV provides an opportunity to provide yet another layer to some of the proven technologies in the market, such as tokenization and encryption,” Castrechini says. “VARs and ISVs should be asking their vendor partners about their layered approach to security and only consider options that make security the top priority.”
Make sure you have a handle on how your vendor partners are specifically handling EMV within their mobile POS solutions. “EMV does present a number of challenges to the mobile POS market that will require some new and different thinking for merchant/customer behavior or technological solutions,” Castrechini says. “This might include contactless payments or new hardware options, such as mobile EMV PIN pads. With the value of EMV’s security promise, it will be interesting to see how these challenges are solved as the EMV deadline approaches and technologies adapt to it.”
Smaller merchants might be less concerned about EMV and mobile POS issues, but VARs should work with tier-three and smaller tier-four merchants to ensure they take the risks seriously. “These merchants are just as exposed to potential breaches — in some cases more so — as larger merchants, but they generally have fewer financial resources to withstand the impact of such an event,” Ethridge says. “ISVs and VARs today generally support a simple encryption approach that is susceptible to sophisticated cybercrime tools. But the more they know about the threat of data being taken and the risks in how that data can be used, the more likely they are to provide stronger encryption methodologies to their merchants and educate them on industry standard and industry-preferred encryption methodologies.”
It will be important to start that education as soon as possible. “Adaptation of mobile POS systems to use EMV, and then implementation of those solutions with EMV, are challenging tasks that will likely take some time to completely solve, at least at the start,” Dufault says. “For example, additional time is likely to be needed for testing and certification processes. Thus, VARs and integrators need to start preparing for EMV and mobile POS solutions as soon as possible.”