September 22, 2015 08:10 PM
On October 1, 2015, Visa, MC, Discover, American Express and debit transactions performed at retail establishments will see a shift in liability as it relates to who will be responsible for paying for chargebacks for counterfeit cards. As of October, the liability for these transactions will be incurred by whomever is the least prepared to accept EMV-enabled payment cards between the bank that issued the credit card, the convenience store and the payment processor. If you don’t implement EMV, the merchant does not automatically incur liability for all fraudulent electronic transactions. The liability shift applies to whoever is not able to process EMV transactions. If the issuer does not provide EMV capable cards or the acquirer is unable to process EMV transactions the liability will apply to them instead of the merchant. For the liability to shift to the merchant, an EMV card must be processed at the site by an acquirer that supports EMV transactions on a payment terminal that does not support EMV.
Unlike most retail locations, which will see the liability shift take place all at once, the shift for petroleum and convenience retailers will be split into two dates. Transactions performed at POS terminals, tablets, kiosks or car wash tunnels will incur the liability shift in 2015 while pay-at-pump transactions performed at the dispenser will incur in 2017. Petroleum retailers must therefore decide if they want to upgrade their stores twice within a couple years or wait to implement at once focusing on the date for pay-at-pump transactions. However, retailers that chose to defer their EMV implementation until 2017 will incur the liability for any fraudulent transactions using an EMV capable card that take place in POS terminals between October 2015 and when their EMV solution is deployed.
Retailers that process debit transactions may see a change on how these transactions are processed. In order to comply with Durbin’s routing requirements custom code was required on the cards themselves, the pin-pads, and the payment applications. If any of these components are not updated with the appropriate code and configuration, POS systems may process these transactions as credit transactions instead which would restrict the ability to offer cash back or fuel using debit specific pricing.
While EMV increases the security of electronic payment transactions, implementing EMV alone will not protect your convenience store from being hacked. EMV helps protect you from counterfeit card use, but it’s not the end-all, be-all of convenience store data security. There are measures that you can put into place that are not provided by EMV – such as encrypting credit card data as it passes through your network – that will safeguard your convenience store from a data breach as well as give you greater peace-of-mind.
With the threat of credit card breaches looming over the industry, it is important to consider a layered security approach that decreases the risk of a credit card breach and ensures that your business and your shoppers’ card information are protected. EMV and Point-to-Point Encryption (P2P) are two separate technologies that address different security concerns and require independent implementations. Unfortunately, EMV alone will not protect your convenience store from being hacked. While EMV helps protect you from counterfeit card use, it’s not the end-all, be-all of payment data security. EMV focuses on securing credit card counterfeit fraud while P2P focuses on securing track and account information in store systems. EMV transactions without P2P will expose track equivalent data and account information in the clear to payment applications. The key benefit of implementing P2P is that it reduces the risk of criminals targeting and stealing credit card data as its being process between store systems and the credit card processor.
As a merchant you must decide if you want to implement P2P capabilities in addition to EMV and confirm that your payment host, selected pin-pad model and POS solution will support a common encryption scheme required for implementation. It should be noted, that implementations where payment traffic is split between multiple hosts may not be able to fully secure traffic between all networks. Also, P2P technologies are currently only available for indoor pin-pads and are not available for outdoor payment terminals.
Making your convenience store EMV-ready can involve a number of discussions, questions and planning about a variety of entities including: point-of-sale (POS) systems, payment processors, pin-pads and outdoor payment terminals. There are many complexities associated with implementing EMV, both technical and operational, so it is crucial that you understand the impact that EMV technology will have on your operation; be prepared to train your staff appropriately and assist customers with using their EMV credit cards. If you have not started the planning process, you should do so as soon as possible.