Plotting a Course for EMV Compliance


PCI compliance... EMV compliance. By now, you've heard repeatedly that your store or restaurant must be EMV-compliant by the recently passed October 1, 2015 deadline, or else. You know that a lack of compliance puts you at risk of financial liability for fraudulent card-present transactions as well as possible penalties and sanctions imposed by the card networks. You understand the other benefits of boarding the EMV train. Now, all you want to do is achieve EMV compliance, and all you want to know is how to get there. In this ebook, we'll explain the facts and lay out a roadmap to follow so that your business is EMV-compliant AS SOON AS POSSIBLE and is protected in the event of a security breach by being fully PCI compliant. Let's get started.

How the Liability Shift Affects Transactions, Where PCI Comes In and Some Myth-Busting

In general, as of October 1, 2015, liability for card-present transactions (transactions completed in a brick-and-mortar establishment rather than online) moves from the card issuer to the merchant, that is, unless the merchant has upgraded its POS hardware and software to accept chip cards manufactured in line with the EMV standard. However, the similarities in the way the liability shift impacts transactions stop here, because EMV parameters differ from card brand to card brand. For example, starting on the liability shift date, MasterCard will exempt merchants from 100 percent of account data compromise penalties if at least 95 percent of MasterCard transactions that originate in their stores are handled on EMV-compliant POS terminals. By contrast, as of that same date, Visa will simply hold whichever party is the cause of a chip-card transaction not occurring (in other words, a merchant whose terminals are not EMV-compliant) responsible for any losses stemming from fraudulent transactions occurring in its store(s). American Express will transfer liability for certain types of fraudulent transactions away from the party that has the most secure form of EMV technology.

Parameters also differ when it comes to the relationship between EMV compliance and compliance with the Payment Card Industry Data Security Standard (PCI DSS). On October 1, 2012, Visa began providing PCI audit relief to merchants if more than 75 percent of their Visa transactions originate from EMV-compliant POS terminals. MasterCard started offering the same, using identical parameters. But beginning on October 1, 2013, only American Express released merchants from PCI DSS reporting requirements if the POS locations where at least 75 percent of their transactions occur are enabled to process American Express EMV-based contact and contactless transactions.

It's important not only to understand how PCI compliance touches EMV compliance, but also to dispel a few common PCI compliance-related misconceptions. Unless you know the truth behind these three misconceptions, achieving EMV compliance will be difficult, if not impossible.

Myth: My POS provider is PCI-compliant, so I'm PCI-compliant.
Reality: Software vendors and other entities that develop payment applications are subject to different data security standards than merchants. As a payment application (PA) provider, your POS company MUST be compliant with the latest version of PCI PA-DSS (PCI PA-DSS Version 3.1). But to be fully PCI compliant, you, the merchant, MUST meet all of the merchant requirements of PCI DSS 3.1 to achieve POS compliance from your side.

Myth: PCI DSS is only a recommendation and not a requirement.
Reality: PCI DSS is a set of mandates enforced by all payment brands. Every entity that stores, processes, or transmits any information recorded on credit and debit cards must adhere to the standard. Those that do not are subject to fines and the enforcement of more stringent PCI DSS compliance requirements (and the accompanying costs). Suspension or expulsion from card processing networks for non-compliance with the PCI DSS is also possible.

Myth: My operation doesn't process many credit card transactions, so I'm exempt from compliance.
Reality: No matter the number of credit card transactions you process in your store or restaurant, PCI DSS requirements apply. So, too, do the consequences of non-compliance.

Navigating the Bumpy Road to EMV Compliance

Now that you understand how the EMV liability shift affects transactions and where PCI comes into play (we'll cover more of the latter later on in this ebook), it's time to get on the road to EMV compliance. Let's break it down into six steps.

1. Examine Your Existing Hardware

Terminals and peripherals: Make a list of the POS equipment you have, so you can do a fair comparison when you shop for new hardware that handles EMV transactions. Do you have standalone terminals with separate magnetic stripe readers and/or PIN pads? Do you have a pre-configured, canned software package that works with your existing POS terminals (or electronic cash register, if you still have one)? Is your POS configuration a more customized one?

Mobile payments: Is your operation equipped to accept mobile payments? If so, and if mobile payments are processed on your POS terminals using near-field communications (NFC), you're at an advantage EMV-wise, because NFC is an enabling technology for contactless chip card payments. If you don't accept mobile payments, consider doing so. Increasingly, consumers want to make mobile payments from NFC-enabled smartphones and may defect to a competitor if you don't offer a mobile payment option. Now is a great time to go mobile if you're already upgrading for EMV. Why upgrade again in the next few years and pay the financial price if you can do it all now?

2. Approach Payment Processors and POS Vendors About Options

Vendors and payment processors have been working diligently to develop EMV-compliant hardware and software, including:

Non-integrated POS: These comprise standalone terminals and peripherals, e.g., a POS terminal with a separate PIN pad.

Semi-integrated POS: In a semi-integrated environment, the terminal or peripheral device used to capture credit card data is connected to the POS application. However, the application used to actually process card payments resides on a separate device.

Fully integrated POS: In fully integrated POS configurations, no separate device hosts the payment processing application; all elements are linked with each other.

3. Get a Handle on Terminal Certification Requirements

EMV Level 3 Certification Required

EMV-enabled terminals and accompanying POS software must be certified by EMVCo, an organization that manages, maintains, and advances EMV specifications and handles testing and similar tasks related to EMV.

Level One and Level Two Certification: Level One and Level Two certification testing assesses and attests to the security of the technology in question, as well as to its interoperability with other hardware/software brands. Apps designed to facilitate EMV adoption must also be evaluated and vetted via Level One and Level Two certification testing.

Level Three Certification: Level Three certification testing involves assessments of every type of transaction a given terminal can perform, to ensure the unit's integrity. These assessments are performed by the payment processor, acquirer, and, if applicable, the independent software vendor (ISV).

Regardless of whether you have a stand-alone terminal, a generic point of sale solution, or a customer-specific solution, you're going to need an EMV Level 3 certification. A couple of things to keep in mind about Level 3 approval:

1. Level 3 certification can take anywhere from four to eight weeks to finalize.
2. Any changes made to your solution will force the provider to go through a recertification.

Consult with your payment processors, acquirers and ISVs for advice about what's involved for you to become EMV Level 3 certified.

4. Select and Purchase New Hardware

In doing so, consider:

Budget: By most estimates, the price of EMV-compliant hardware can range from $100 to nearly $1,000 per terminal, depending on the extent of equipment needed. Software upgrades are extra and can raise the price considerably.

Business needs and wants: Make a list of features and components that you must have versus those that would be nice to have. For example, there are two kinds of chip cards: chip-and-PIN and chip-and-signature. Chip-and-PIN transactions are verified by reading the chip and the entry of the customer's PIN; chip-and-signature transactions, by reading the chip and taking the cardholder's signature. Issuers decide which type of card to distribute. Most chip cards issued in the U.S. are of the chip-and-signature variety, but a majority of those issued abroad are chip-and-PIN cards. If you cater to many visitors from abroad, POS technology that accommodates chip-and-PIN is a must-have; otherwise, it may be nice to have.

Future growth: Your EMV-compliant system should be scalable, so as to minimize additional expenditures down the road.

5. Ensure Proper Staff Training

Implementing any new equipment means training staff on how to use it, and EMV-compliant POS hardware is no exception. Instruct employees to enter transaction amounts before customers insert their credit or debit cards into the card reader. Employees must also be told to insert EMV cards chip end first, with the chip side facing upward, and to leave cards in the terminal for the entire duration of the transaction. Tips must also be entered at this time rather than manually added after the actual transaction has been processed. This poses a problem for table service restaurants. For traditional pay-at-the-table establishments, a rugged tablet POS device that is EMV-enabled is the best solution. Most, if not all, terminals and EMV-enabled devices emit a sound to indicate that a transaction is complete.

6. Educate Customers

Making the switch from swiping their cards to inserting them into a terminal (and allowing them to remain throughout the transaction) is a big change for most consumers, making customer education about EMV a must. Consider using signage to communicate the step-by-step EMV transaction process, for example:

Step 1: Insert your card chip-first, with the chip side up.
Step 2: Enter your PIN or add your signature when prompted.
Step 3: Leave your card in the terminal until you hear the beep.
Step 4: Don't forget to remove your card when the beep sounds.

Additionally, ask all staff members to encourage customers to use the new EMV-compliant technology, and to walk them through the process step-by-step if they appear at all uncomfortable about it. Customers' comfort level with performing chip-card transactions will also be higher if employees can properly answer their questions. Role-playing exercises that show staff members the best way to respond to questions should be incorporated into employee training.

Understanding the Bigger Picture: EMV and PCI

Clearly, migrating to POS technology that can handle EMV transactions is an important step for retailers and restaurant operators alike. However, as mentioned above, EMV is only a piece of the larger PCI puzzle, and achieving PCI compliance doesn't mean simply deploying an EMV-enabled terminal or terminals. It also entails adhering to another 12 requirements designed to enhance data security throughout the entire transaction, from the card reader to the POS server, and from the moment transaction data is captured at the POS to the time of settlement. These 12 requirements, which should be accounted for when upgrading hardware and software on the road to EMV compliance, encompass the following:

1. Install and maintain a firewall to protect cardholder data. This prevents hackers from gaining access to the network on which cardholder data travels from payment terminals to the point where transactions are processed.
2. Do not use vendor-supplied default passwords for any store system or network. Generate your own passwords. Change them regularly.
3. Safeguard stored cardholder data. Encryption is one way to do this.
4. Encrypt transmission of cardholder data across open, public networks.
5. Protect all systems against malware. Regularly update anti-virus software and programs.
6. Develop and secure systems and applications. Create and follow a maintenance schedule for each one.
7. Restrict access to cardholder data by business need-to-know. If an employee's responsibilities do not necessitate access to cardholder data, configure your software so that that individual cannot view such information. For example, while a restaurant manager would need to see customers' card numbers for certain business purposes, a server or runner would not.
8. Develop and implement rules and policies that govern user-specific and guest access to your systems.
9. Restrict physical access to cardholder data, for example, by locking up hardware (laptops, etc.) that contains such data.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
12. Develop and maintain a policy that addresses information security as it pertains to all staff members.

Conclusion

Migrating to EMV and then to full PCI compliance is a process that doesn't have to be painful! Working with experts can save you (a lot of) time, (tons of) effort and, for sure, down-the-line costs. Fortunately, as EMV/PCI/POS experts, we're here to help you every step of the way. For more information and to get the answers to all your EMV and PCI questions, call us today at 877-968-6430. www.pdqpos.com www.touchdynamic.com
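The following is an added example, not code from the ebook or from PDQ POS or Touch Dynamic, showing how three of the PCI DSS requirements listed above (3: safeguard stored cardholder data, 7: need-to-know access, and 10: track all access to cardholder data) can be expressed in POS software. It assumes a constructed role model (only a "manager" role may see a full card number, mirroring the manager/server example in requirement 7), a standard Visa test card number as sample input, and a plain in-memory dictionary standing in for what would be an encrypted vault or tokenization service in production.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Roles allowed to see a full PAN (constructed for this example; PCI DSS
# requirement 7, access by business need-to-know). Servers and runners are
# deliberately not on the list.
FULL_PAN_ROLES = {"manager"}


def mask_pan(pan: str) -> str:
    """Return the PAN showing only the first six and last four digits,
    the most that PCI DSS allows to be displayed to staff without a need
    to see the full number."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass
class CardVault:
    """Keeps full PANs apart from transaction records (requirement 3).
    The dict below is a stand-in for an encrypted store or tokenization
    service so the example runs offline; the HMAC key is per-vault."""
    _key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    _pans: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def tokenize(self, pan: str) -> str:
        """Return an opaque token for the PAN. An HMAC with the vault key means
        the token cannot be turned back into a PAN without the vault."""
        digits = "".join(ch for ch in pan if ch.isdigit())
        token = hmac.new(self._key, digits.encode(), hashlib.sha256).hexdigest()[:24]
        self._pans[token] = digits
        return token

    def reveal(self, token: str, user: str, role: str) -> str:
        """Return the full PAN to need-to-know roles and the masked PAN to
        everyone else; every attempt is written to the audit log
        (requirement 10), whichever way it is decided."""
        pan = self._pans[token]
        allowed = role in FULL_PAN_ROLES
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user,
            "role": role,
            "token": token,
            "result": "full" if allowed else "masked",
        })
        return pan if allowed else mask_pan(pan)


@dataclass
class Transaction:
    """What the POS stores and what reports and servers see: a token and a
    masked PAN, never the full card number."""
    token: str
    masked_pan: str
    amount_cents: int


def record_sale(vault: CardVault, pan: str, amount_cents: int) -> Transaction:
    """Create the transaction record; the full PAN goes only into the vault."""
    return Transaction(vault.tokenize(pan), mask_pan(pan), amount_cents)


def demo():
    """Run one sale and two lookups: a server and a manager (constructed users)."""
    vault = CardVault()
    # Constructed input: the widely published Visa test number, not a real card.
    sale = record_sale(vault, "4111 1111 1111 1111", 4250)
    server_view = vault.reveal(sale.token, "alice", "server")
    manager_view = vault.reveal(sale.token, "bob", "manager")
    return sale, server_view, manager_view, vault.audit_log


if __name__ == "__main__":
    sale, server_view, manager_view, log = demo()
    print(sale)
    print("server sees :", server_view)
    print("manager sees:", manager_view)
    for entry in log:
        print(entry)
```

The point of the split between `Transaction` and `CardVault` is that the data most of the store handles day to day (receipts, reports, the server's screen) never carries a full PAN, so requirement 7 is enforced by what is stored rather than by a display setting alone, and the audit log records the denied lookup as well as the permitted one, which is what requirement 10 asks for.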