Thinkstock

EMV Explained

Underline Image

The October deadline looms, but decisions to become EMV-compliant should be based on business metrics rather than fear of hackers.

By Kevin Hardy July 2015 Technology

Whispers of an EMV migration have circulated in the industry for years, but come Oct. 1, all restaurants will face new Europay, Mastercard, and Visa (EMV) standards, representing a shift away from the magnetic swipe cards and chip-and-PIN cards that have been the standard in America for decades. The new format will be chip-based cards, generally considered more secure and widely used across Europe.

Those who choose not to upgrade their technologies to comply with EMV will be accountable for fraudulent purchases from Oct. 1 onward—a significant liability shift away from issuers and banks to merchants. Point-of-sale providers are doing their best to prepare their restaurant clients, though some restaurant owners are opting not to make the switch, betting instead on the fact that fraud typically occurs at large merchants such as Target and Home Depot. For those restaurateurs that do want to make the transition, experts suggest they move soon, rather than waiting for October to roll around.

A Necessary Switch?

In a changing marketplace, Jordan Bernstein, a senior associate at legal consultancy Michelman & Robinson, cautions against getting swept up in the marketing blitz of EMV. He says operators should only purchase new payment systems from trusted vendors.

“It’s very simple: Every single operator or merchant out there has some form of terminal point-of-sale system transaction device,” he says. “My advice would be to call that vendor and say, ‘If my machine is not EMV-ready, what are the steps for me?’ I don’t think operators should start messing with somebody who’s soliciting [them]. … Just go back to the people you have.”

But not everyone is convinced that restaurants—particularly small independent operators—should be rushing to become EMV-ready. Many believe restaurants have a relatively low risk of fraudulent card activity. And, experts say, EMV compatibility won’t necessarily guard against all types of fraud.

Laura Knapp Chadwick, the director of commerce and entrepreneurship at the National Restaurant Association, says most hackers are stealing credit card data to create fake cards and purchase high-priced retail goods—not dinner at a restaurant—or to resale for a profit online.

The first thing operators should do is determine how many chargebacks are received in a year for fraudulent purchases. Even if a restaurant is liable for a chargeback after the EMV deadline, Chadwick says that cost is still likely less than the cost of migrating to an EMV payment system. Those chargeback numbers, she says, should drive decisions on whether to make an upgrade. “It shouldn’t be fear-based,” Chadwick says. “It should be business-case based.”

EMV cards, which can be used with a signature or with a PIN number, are generally considered more secure than magnetic stripe cards. But Chadwick says other technology like encryption and tokenization—in which one-time tokens, not actual credit card numbers, are exchanged to fund purchases—are equally important in protecting credit card information. It’s also important to understand that high-profile data breaches wouldn’t necessarily have been avoided with just the addition of EMV-compatible equipment. “If you take all three—EMV, tokenization, and encryption—and package them all together, you will have the most secure system,” Chadwick says. “Data breaches, which is what everybody talks about when it comes to Target and Home Depot, those are back-end, not front-end. With payments issues, it’s like peeling an onion. It’s layer after layer. How do all these things fit together?”

Tony Lucca, who operates 1905 Bistro & Bar and El Camino in Washington, D.C., says his decision not to transition to EMV-compliant technology was a simple cost-benefit analysis.

“Do I want to invest in all this new technology and infrastructure when the risk of fraud is so low?” he asks. “Specifically, what you’re protecting yourself against is someone coming in with a fake card, and people don’t really use fake cards at restaurants.”

While EMV has been around for years in other parts of the world, what’s rolling out now equates to first-generation technology in America, Lucca says, and he expects payment technologies will continue to rapidly advance here. So, rather than make the EMV change, Lucca is keeping his eye on other segments of the payments space, such as mobile payments and digital currency, which he thinks may be better investments for his restaurants.

“EMV is a step, but it’s not a leap,” Lucca says. “And the industry is leaping ahead. So at this point, it’s not something I’m going to do.”

“It’s very different for a small retailer than it is for Target,” he adds. “For hackers trying to get this information, they want millions of cards. They don’t want a couple hundred cards.”

Unseen Risks

The attitude of business owners such as Lucca is at odds with that of POS providers, leading people such as Sam Zietz, founder and CEO of POS supplier TouchSuite, to claim small business owners are not taking EMV seriously. “We’re reaching out to them; my competitors are reaching out to them,” he says. “It’s kind of like, ‘The sky is falling, the sky is falling.’ Well, pretty soon, it’s going to fall.”

And that could create a bottleneck in the supply chain as operators rush to make the October deadline. “They’re all waiting until the end,” he says. “It’s going to be a supply and demand issue.”

Zietz cautions that many businesses that have made updates may still not be EMV-ready. Some EMV machines sold within the last couple of years include a slot to insert the chip-based cards, but have no circuits inside to read the cards. Other companies are selling equipment that could one day be ready, but that doesn’t yet have the software to back up the hardware.

“Take out an EMV card. If you can’t accept the transaction as a chip card today, your device is not ready,” he says. “A lot of business owners think they’re compliant, but they’re not.”

Bernstein, the associate at Michelman & Robinson, says that could result in major consequences for businesses that don’t make the upgrade. He expects many restaurateurs will learn the hard way, only making the switch after they’ve eaten the cost of fraudulent transactions.

“It’s a significant threat or potential liability,” he says. “Some statistics that I’ve seen say there is approximately $9–$10 billion worth of card fraud that goes on every year. That leaves any merchant pretty susceptible. And I’d be surprised if any merchant who’s been operating for that long hasn’t had some card fraud transmit through their system.”

There are other risks to sticking with only the old mag-stripe technology. American consumers are more worried than ever about credit and debit card security, says Jeremy Gumbley, chief technology officer of payment solutions provider Creditcall. “There are a number of risks you could analyze and break down. And I think customer perception is a big one,” Gumbley says. “Because using a chip card versus a magnetic stripe card is a very big difference. ... It soon starts to become very visible to the consumer that it’s a different kind of transaction.”

The fact that EMV has been around for so long in other countries is a good sign for American businesses and customers, Gumbley says, because hackers and developers alike have already tested its strengths and weaknesses. But that doesn’t mean it’s foolproof.

“There is always a potential that at some point in the future, somebody could discover some kind of flaw,” he says. “We’ve seen that. We’ve seen that with Apple Pay. With any solution, there is always going to be an entire industry of criminality finding chinks in the armor.”

That’s why Gumbley urges restaurateurs to view an EMV upgrade not simply as a one-time investment. “It requires maintenance. It requires ongoing support. And it’s important the [restaurant] is behind that.”

Security Versus Compliance

It’s still unclear how quickly customers’ preferences may change. If they view EMV as a much more secure technology, they may avoid certain businesses that only accept magnetic stripe cards. (For the near future, even EMV-enabled merchants will still be able to accept the old mag cards.)

“As a restaurant operator—if I’m a single-business owner—I’m probably going to be paying attention to the cards coming in my front door,” says John Pearson, director of data security and compliance for POS provider NCR.

Pearson says there’s plenty of confusion surrounding EMV, especially within the small business community. He says it’s important for restaurateurs to understand the full scope of security.

“Any small-business owner that is looking to invest an IT dollar in improving his systems should first look at security before looking at compliance,” Pearson says. “And EMV is neither a security nor a compliance issue. If they have one IT dollar to spend, they should spend it on the security of their networks instead of spending it on the payment processing system.”

The complexity and confusion associated with EMV and payment security led David Case, general manager of Snappers Seafood in Boynton Beach, Florida, to rely on his POS vendor for support. TouchSuite recently completed upgrades to antiquated POS systems at his two restaurants so the systems are now EMV-compatible.

“I wouldn’t even attempt to try to do it in-house,” he says. “There’s just too much of a learning curve.”

He feels more secure with the upgrades and suggests other independent operators consider a similar move.

So far, the nation’s biggest merchants seem to be embracing the EMV migration, according to a March report from the credit card comparison site CardHub.com. The study found that the 10 largest credit card issuers are on track to get EMV-enabled cards to most customers by the October deadline.