The answer for most of us in the restaurant business is……yes and yes. Whether you are running a QSR or fine dining location we have clients out there using this “integration timeline” for most of the major POS carriers as an opportunity to abuse a loophole in the system. There are a lot of questions and confusion as to why EMV is being implemented and why most of the POS systems we use cannot accommodate such a simple task as an integrated EMV solution with tip-later functionality (having the client tip on the receipt in lieu of a machine as they do in Europe- what’s in place currently at your sites if you do not have an integrated EMV solution). My hope in this article is to bring clarity to EMV and present what solutions are available in the meantime.
Why EMV, Why Now?
This is an explanation from the Heartland engineering team presented on a call with the National Restaurant Association: “Protecting yourself against counterfeit fraud is one of the main benefits to implement EMV because it’s virtually impossible to recreate the chip. The October 1, 2015 shift has caused some serious headaches, but the ultimate goal is to fix the payment ecosystem by heightening card security. There is, however, a glitch—if your equipment isn’t EMV-compatible, then use of a fraudulent EMV card can go undetected.
Here’s how it works: Fraudsters take the magnetic stripe information from a stolen EMV card and create a non-EMV forgery. However, the magnetic stripe information still identifies the card as EMV. If one of these forged cards is presented and swiped on an EMV-enabled terminal, the magnetic stripe data tells the terminal that this is an EMV card and notifies the cashier to dip the card in the EMV slot. The cashier would then attempt to dip the card and notice the absence of the chip. Fraud averted. With an EMV reader, fraud is virtually impossible unless your terminal tells you to override and swipe—which would then put the liability on the issuing bank.
EMV cards also decrease the chance of a data breach before hackers can get into your system and steal card information to make fraudulent cards. Chip cards store data in a more sophisticated, secure way than the magnetic stripe. If a hacker broke into your business’s EMV-enabled system, they would only obtain an encrypted version of the data—completely useless to fraudsters. The U.S. was the last developed country to adopt EMV. But the alarming rise in fraud in this country made implementation essential. Other countries have seen a decrease in fraud since EMV’s arrival.
Disputes—What’s Different After October 1, 2015?
EMV has designated dispute codes. The kind of fraud that EMV solves has always existed, but most merchants weren’t aware because it was the responsibility of the card issuer. Now the party with the least secure technology is liable, so merchants are seeing more of these codes on their chargeback statements. If a merchant doesn’t have a working EMV reader, then they can’t dispute a chargeback that appears under this code—even if the merchant has evidence the customer was present.
Another issue is “friendly fraud”—also called chargeback fraud. In this instance, customers fraudulently use the chargeback process to secure a refund. Consumers illegitimately dispute a transaction with the bank instead of contacting the merchant for a refund. In short, there’s nothing “friendly” about this type of fraud.
Another common type of fraud is presenting gift cards that are actually EMV cards. Fraudsters are stealing numbers and instead of making magnetic stripe credit cards, they’re making gift cards. In essence, the sooner you can process EMV cards, the better protected your business will be.
Best Practices If You Don’t Have EMV
If you decided not to update your equipment, there are some best practices and ways to identify counterfeit cards. Make sure the receipt matches the card and verify the last four digits, expiration date and name. Also, compare the signature and facial features to the cardholder’s ID. Bottom line: The safest bet to protect yourself from chargebacks is to upgrade to EMV. If you do have an EMV terminal, always process chip cards as chip transactions and swipe non-chip cards. If a card is declined, ask for another form of payment—do not re-swipe or override.”
What options do I have?
The next set of questions are: How much will this cost me? Does my POS system have an integrated solution available? Why is my credit card processor not doing anything to protect me?
The answers are very simple- the card brands: Visa, MasterCard, Discover, and American Express have implemented EMV in the United States and it has shifted liability to you the business owner/ restauranteur. This shift in liability occurred October 1st, 2015. What does this mean? It means that as an operator if you accept credit cards that have a chip you must have an EMV enabled device to void yourself from the liability. If you do not have an EMV enabled device you accept the liability if the client’s card has been compromised, or if that client takes recourse through their bank in the form of “friendly fraud”. On operations, this creates havoc in terms of profit/loss and accountability of labor/ staff allowing this type of fraud to occur by not following best practices.
I will provide four recommended solutions to take while considering what options are available and best course of action to follow if you decide to hold out on making the jump to EMV. Ultimately yes EMV is here to stay and you should take a serious look at whether or not your current setup can accept an integrated EMV solution. Most multi-unit operators have Aloha, Micros, Focus PosiTouch or some form of “High End” POS solution available to accommodate reporting, operations, inventory, labor costing etc.
“As the U.S. payment card industry hurtles toward its EMV destiny on Oct. 1, the process for certifying EMV-compliant point-of-sale terminals is moving along well, albeit with one exception. That exception is point-of-sale systems. POS systems, which are available in myriad configurations with software from one company, hardware from another and payment processing from a third, face the challenge of uniting these disparate components into one service that meets the technical standards for EMV transactions.” Quote from Digital transactions article by Ken Woodward. On the back end, the Card Brands (mentioned above) implemented a certification process that requires each Credit card processor to individually certify themselves with each card brand and certify EMV Terminals to integrate with a POS solution (hardware and software- creating a secure environment between the three “pieces”). This certification is both costly and involves significant development work on both sides, the lead time paying expedited fees can run approximately 8 months or more. In essence, this certification timeline created a “gap in coverage” from when the EMV liability shift occurred and where we stand now with most of the major POS companies not having a solid integrated solution in place with the exception of Focus POS and Positouch.
What to do in the meantime while integrations and development take place: Solution one entails taking a look at your credit card processor and what partnerships they have in place/programs they have available to cover you in the meantime. Solution two involves looking at your restaurant’s disputes and deciding whether right now is the time to act and implement an out of scope solution until your POS system has an integrated terminal. Solution three is to weigh the incoming disputes towards the cost of an integrated solution and decide whether or not it is worth spending the money to implement such a program. Solution number 4 is to take a complete look at your entire setup and decide whether a new pos solution is a viable option. Most of the POS solutions out there can be loaded on your existing hardware, saving time and money and have a fully integrated EMV solution available. You have to review each scenario on a case by case basis and make a decision from there, asking a professional in the payments and restaurant consulting space is your best viable option to weigh the positives and negatives of each solution. There is not a one size fits all approach as each operator has their own individual needs and wants, and need a solution catered to their operation.
Are you out of compliance? Can you be charged a fine? The answer is no, but remember you are accepting the liability of people abusing the swipe only method you are currently using now. It’s always wise to take a look at this and weigh out the costs with someone who understands risks involved. Factors include type of restaurant, geographical location, and type of clientele and type of POS system. Once these items are reviewed a decision can be made to continue operations the way they are or find a way to implement some type of EMV solution. Please feel free to reach out to me anytime with any questions or if you would like a consultation with your current setup.
Author: Ryan J. Ovanesian, Heartland
Ryan J. Ovanesian