For almost two decades, interest in a chip-based payment standard such as EMV has barely reached a simmer in the United States. Recently however, some of the card brands have increased awareness resulting in collective interest across the United States in the smart chip standard. In addition to financial institutions, merchants of all sizes, including small business owners, should understand the current state of EMV in the U.S. and the impact of this standard.

While there are many “flavors” of chip-based payment standards, to date the majority of EMV implementations globally have focused on chip + PIN enablement. Whatever the format, smart chips are the basis of the technical standard behind more than 1.24 billion payment cards and 15.4 million point-of-sale (POS) terminals, with almost all of those cards and acceptance devices residing outside the United States.

Small Business Implications of Smart Card Adoption in the U.S.

Payment industry experts generally agree that a chip-based standard will come to the U.S., but the predictions of when and in what form vary dramatically. While pundits say the U.S. is far from ready, there is a distinct possibility that the change may come sooner.

Smaller merchants, as well as larger businesses, have many decisions to make. Once a sufficient number of financial institutions begin issuing smart cards, merchants need to decide whether to process the cards using EMV technology or to accept financial liability and responsibility for fraud losses. Either way, small business owners that choose to wait for widespread implementation will be at a disadvantage when the standard is accepted.

Savvy businesses are starting their education process now and are beginning to formulate plans for adoption. Merchants that take the necessary steps to select the tools to future-proof their investment will be in a better position to evolve as their business needs and the industry changes.

Smart Card Acceptance 101

Understanding the changes will require some learning. It is important to understand what the new POS devices can and can’t do, and there are many device options on the market. Many manufacturers and payments players are adding new functionality to EMV-enabled equipment, making their equipment more innovation-agnostic.

Merchants will need to coordinate with their acquirer or processor to accommodate the transaction messaging for EMV-based payments. Because more data is sent to the acquirer from an EMV-compliant transaction than from a magstripe-based transaction, both message types will need to be supported.

Business owners and operators and their acquirers in coordination with smart card acceptance, can determine whether to require a PIN, a signature or neither for cardholder authentication in a credit or debit transaction. The Durbin Amendment gave merchants the authority to make this decision, and for the first time it is now being phased-in for magstripe transactions.

Overall, as EMV is deployed, there will be procedural changes at the POS. For example, most EMV-enabled POS equipment will include contactless technology, allowing merchants to accept contactless and mobile payments, which provides a higher level of convenience for customers and speeds up check-out time. Some of the new smart chip-enabled POS devices will help drive loyalty and repeat business by pushing coupons and special offers to mobile phones, allowing consumers to redeem offers through the device. Additionally, while smart cards won’t solve every security problem, they will go a long way toward boosting customer confidence at the POS.

Next Steps for Small Business Implementation of EMV

While no one really knows when all of this will come together in the U.S., one thing is certain – some form of chip-based payment standardization is coming. Clearly the need to reduce fraud and increase security exists, and now some of the industry’s largest players are starting to put incentives in place to encourage merchant, acquirer and financial institution migration.

The small business is a key player in this very serious game. Business owners and operators should conduct a full assessment to understand the impact of EMV and participate in industry discussions, not only to get educated, but to have the opportunity to influence how the payments ecosystem moves forward with smart card implementations.

Third-party POS software providers understand the business strategy of becoming EMV-compliant. By engaging the POS provider experts and assessing what a smart chip enablement plan would look like to upgrade consumer-facing POS devices, small businesses can plan ahead while staying in synch with payments provider readiness for smart card processing. Finally, consider ways to reduce fraud and data theft risks as part of a comprehensive payments security plan.

While there is no mandate for EMV adoption, both Visa and MasterCard have indicated that a liability shift will apply to merchants who have not upgraded their POS terminals to process EMV card transactions and fraud occurs. Thus, when evaluating their overall payments transaction security needs, savvy businesses are increasingly realizing the value of taking a multi-layered approach to data security and fraud prevention—incorporating a combination of recommended end-to-end encryption and tokenization technologies—with the ability to better manage vulnerabilities throughout the payment processing sequence.

Now is the time to get educated to fully understand the issues and the choices ahead.

Smart Card Photo via Shutterstock

From Small Business Trends

EMV: The Upside Of Smart Card Adoption, Will Small Businesses Be Ready?

What Payments Types Are Right for Your Business?

Imagine a customer waiting in a long line to pay, only to realize at the register that the retailer doesn’t accept the payment type presented. No one wants that to happen to them, and businesses don’t want to turn that customer away during the holidays or any other time. The good news is that, depending on your current capabilities, you may not need to overhaul your system to add or support new payment types.

Online or in-store, every customer purchase results in an interaction at the point of sale. Small business owners should not be afraid to call their payments processing partner to talk about what might be best for their business.  Accepting the right mix of payments and having reliable, efficient and secure equipment helps create a positive experience for both customer and business all year long.  For instance:

Give your gift cards a boost ~ Christmas is second only to birthdays when it comes to giving gift cards. In addition to providing great last-minute holiday gifts that extend the life of gift-giving seasons, prepaid gift cards create additional foot traffic, help generate brand awareness, increase same-store sales and add revenue from “uplift” on card redemption.

If you already offer gift cards, consider whether encouraging customers to reload will help keep your card in the top of their wallets. Gift card malls are increasingly popular places for customers to purchase cards.  Another trend that is beginning to gain popularity is virtual “gifts.” Check with your program provider to find out whether it makes sense for you to get your card into the gift card malls and/or online.

Mobile payments are almost here ~ The mobile revolution is touching nearly all aspects of modern life, from how we play to how we pay. Google Wallet offers a fast, easy and simple way for consumers to pay with their phones. Updating your point-of-sale equipment to accept mobile payments is easier than you think. It may be a matter of adding a peripheral device to your existing system, which will help merchants to be ready once mobile commerce reaches critical mass.

Use social networking to sell ~ Social networking sites like Facebook present a huge opportunity to expand gifting programs to new channels. The eGift Social solution allows consumers to use Facebook to send virtual gift cards to friends and family. Consumers can choose to have their eGifts delivered as a Facebook post, sent via email or have a physical gift card mailed directly to the recipient.

Evaluate and upgrade point-of-sale (POS) and other equipment ~ Can your POS system handle the increased holiday traffic? An upgrade can mean greater flexibility in accepting payments and being ready for innovations in payments—potentially lowering infrastructure costs, decreasing customer wait times and making transaction processing more reliable and secure.

Take a multi-layered approach to reducing risk ~ Layered payment security is critical to helping protect sensitive payment card data. Because there is no single approach to security that can prevent or eliminate card data theft and fraud, four trends have been identified impacting payments that, together, are already shaping the way businesses protect their payments and customers, while also reducing the cost of complying with the Payment Card Industry Data Security Standard (PCI DSS).

From Small Business Trends

Ring Up Point of Sale Success Year Round

PCI DSS establishes minimum data security measures for organizations around the world that hold, process or exchange cardholder information from any of the major card brands. The standards are reviewed every two years, and were most recently revised in October 2010.

According to a study by the National Retail Federation and First Data, 86 percent of small- and mid-sized business respondents said they care about keeping customer card information secure and feel card data security is important to their business. But while most (66 percent) are aware of PCI DSS, only 49 percent had completed a required self-assessment at the time of the survey.

Protecting cardholder data can seem expensive and a bit overwhelming to small business owners, most of whom already wear many hats. However, the financial and reputational costs of a breach can be significant – in some cases jeopardizing your business altogether.

But where to start? Hopefully you already limit physical access to cardholder information and keep anti-virus software up to date. Here are additional ways you can significantly increase data security while managing compliance costs:

Encrypt Sensitive Data
Probably the single most important measure that a business can take to protect cardholder information is to encrypt card data immediately after the card is swiped at the point of sale. The information should stay in an encrypted state while it is transmitted to the payment processor.

This step means the transaction is never transmitted in plain text in the frame relay, dial-up or Internet connection, where the potential exists for interception by fraudsters. If the data does get siphoned off once it is encrypted, it is virtually useless to thieves.

Reduce Your “CDE”
Every computer system, filing cabinet and application that uses or stores sensitive card data, including encrypted data, is part of the overall cardholder data environment (CDE) and within the scope of PCI DSS compliance. In other words, the more places you have data, the more places you need to worry about protecting.

Limit – and even shrink – the scope of your CDE by restricting the use of cardholder data to only those applications directly pertaining to payments (e.g., transaction authentication, daily settlements and chargebacks).

Embrace Tokenization
Tokenization is a “layered” complement to encryption. Cardholder data is sent to a centralized and highly secure server (vault) after authorization, and a random unique number (the token) is generated and returned to the business’ systems for use wherever the cardholder data would normally be used.

The token is specific to the card and can still be used to process returns, track spending habits and other business functions, but the number itself has no value for fraudsters. This can dramatically reduce the impact of a potential data breach.

Tokenization can also help reduce the scope of the CDE because there is no cardholder data present. Businesses that replace cardholder data with tokens in all their enterprise applications can significantly reduce the scope of their CDE, and subsequently reduce the scope and cost of PCI DSS compliance and annual assessments/quarterly scans.

Work With a Third Party
Another way to shrink the environment that’s subject to PCI compliance is to hand over the responsibility (and liability) for storing card data to a third-party service provider. For instance, a business can send encrypted card data to the payments processor for authorization, and when the authorized response is returned, a tokenized number is also sent to the business.

This approach layers encryption and tokenization while also shrinking a business’ CDE to the smallest possible footprint: the POS system that holds live, pre-authorization card data.

Raise Your Hand
Businesses have a responsibility to protect their customers’ data, but you don’t have to do it alone. Talk to your payments provider about solutions and experts that can help your business get and stay compliant. Remember, PCI DSS is a minimum standard, and finding the right partner(s) can help you make smart decisions about how to best safeguard your customers – and potentially your business.

From Small Business Trends

Save Money, Lessen Risk by Simplifying PCI Compliance