EMV Cards Still Not Usable at POS of Many Stores
By Bryce Austin
As of Oct. 1, 2015, point-of-sale systems in retail stores were supposed to be able to accept Europay, Mastercard and Visa (EMV) credit cards for payment at checkout. Prior to that date, the bank issuing the plastic took the loss in cases of fraudulent transactions. Now the onus is on the retailer when a counterfeit credit card is used at their stores’ checkout lanes.
Merchants are not liable if they have upgraded their POS terminals to accept cards that have an embedded microchip – a small metal square on the front of the card that adds a higher level of security to the transaction when used in chip-enabled terminals.
As of today, not all grocery stores are ready. One reason is that the technology required is expensive. Some grocers went into the switch thinking that new card readers would solve the problem, but there is more to it than that. The back-end systems need to support EMV as well, and many of those systems are antiquated and need a significant upgrade (or a complete replacement) to be compatible with EMV.
When grocers will be ready depends on the individual grocer. Very small grocers have a lower hurdle to overcome than larger ones, as the amount of existing infrastructure that the smaller grocer has is likely much less.
I would encourage all grocers to take the transition to EMV seriously. EMV cards make it much more difficult for criminals to use fraudulent (copied) credit cards in their stores. Now the liability for these transactions has moved from the credit card issuers to the grocers. For shoppers, the EMV credit card experience is slightly longer than the traditional “swipe” method (with mag-stripe cards), but the difference is minor.
It is very interesting to note that the massive retail breaches of the last few years would have had little to no mitigation from EMV technology. Those breaches involved back-end systems that would not have been more secure with EMV cards. The problem that EMV cards solve is that copying a stolen traditional credit card onto a new physical swipe card is something that anyone with a minor amount of technical knowledge and a small amount of money can accomplish. It is the same technology that hotels use to encode cards for their room keys. EMV cards are much, much more difficult to copy onto a physical card. That being said, with increasing online commerce (including the grocery sector), EMV cards do not make card-not-present transactions more secure.
Should retailers partner with a third party? Being PCI compliant is similar to building a store to pass a fire code inspection. There are many aspects of separate, unrelated systems that have to be addressed. A third party that has experience with the cybersecurity aspects, the physical security aspects and the processes/procedures of handling credit card information will be a useful ally in achieving PCI compliance at an organization.
Basic cybersecurity “best practices” will go a long way to make a computer network more resistant to hackers. Reviewing firewall settings, having operating system patching procedures, and having strong anti-virus/anti-malware protection will go a long way to keep systems secure. These are all also part of PCI compliance requirements. Background checks of staff are also critically important in the fight against credit card theft – EMV or otherwise.
Bryce Austin, CISM, is CEO of TCE Strategy, a Minneapolis-based information technology firm.