CrossCheck Blog

Check Processing & Payments Information

EMV and the Tyranny of Payments Acronyms

Posted by Tom Lombardo | Wed, Aug 19, 2015 @ 01:00 PM

Does it ever seem like corporations and the government come up with acronyms just to confuse you?

It sure seems like it when it comes to payment processing. And when the card networks hang a big hairy threat over your business, a bunch of acronyms can make the problem much worse.

Here’s your biggest threat right now: if you can’t accept chip cards by October 1, the loss from any counterfeit-card purchase made at your place of business shifts from the card issuer to YOU.

In other words, as of October this year every crook with a cloned card becomes YOUR personal problem.

Unless you install the solution.

And what would that be?

All you need is a PCI-validated P2PE POS system that’s EMV ready.

Isn’t that helpful?

Now that you know what to do, we can just stop writing and you can go on your merry way, right?

Wrong. We’ve been in the payments industry for three decades, and we still have to look up acronyms like that, same as you do.

Translation for Entrepreneurs

Here’s what it means.

“PCI” refers to the Payment Card Industry Security Standards Council. It was created in 2006 by American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc. so they could work together to fight hackers.

They’re not part of the government. The standards they publish (PCI DSS for anyone who handles card data, and a separate standard for P2PE equipment) are enforced through your merchant agreement, not by statute.

The October 1 liability shift isn’t their doing either, and Congress never made it law. It is a rule the card networks (Visa, MasterCard, American Express and Discover) wrote into their operating regulations, which every merchant agreement incorporates, so you have to deal with it just as if it were law.

They’re not after you, of course. The networks and the PCI council are trying to protect your business and your customers’ data, which brings us to the next acronym: P2PE.

The literal translation is “point-to-point encryption.”

You know what “encryption” means – that’s when you take a digital piece of information, like a credit card number, and use a secret key to scramble it into a bunch of nonsense. Anyone who gets the nonsense without the key gets nothing. But whoever holds the matching key can turn the nonsense back into the credit card number.

“Point to point” means the card number is encrypted inside the card reader’s secure hardware – the first point – and decrypted only inside the payment processor’s secure facility – the second point. Everything in between, including your checkout computer, your store network and the internet, only ever handles the scrambled version.
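To make the two “points” concrete, here is a small model of P2PE written for this post; it is an added illustration, not CrossCheck’s code or any terminal vendor’s. A real P2PE reader encrypts inside tamper-resistant hardware with Triple-DES or AES under keys that change every transaction (DUKPT); to keep the model runnable with only the Python standard library, the cipher is an HMAC-SHA256 keystream with an HMAC tag, the per-transaction key derivation is a simplified stand-in, and the track data and function names are constructed for the example.

```python
"""Model of point-to-point encryption (P2PE) from card reader to processor.

Added illustration for this post, not CrossCheck's or any terminal vendor's
code. A real P2PE reader encrypts inside tamper-resistant hardware with
Triple-DES or AES under per-transaction DUKPT keys; to run with only the
Python standard library, the cipher here is an HMAC-SHA256 keystream with
an HMAC tag, and the per-transaction key derivation is a simplified stand-in.
The function names and the sample track data are constructed for the example.
"""
import hashlib
import hmac
import re
import secrets
from typing import Optional

# Constructed Track 1 data using a well-known test card number (not a real account).
SAMPLE_TRACK1 = b"%B4111111111111111^DOE/JANE^25121010000000000000?"


def derive_txn_key(base_key: bytes, counter: int) -> bytes:
    """One fresh key per transaction (the idea behind DUKPT): reader and
    processor both derive it from the shared base key and the counter, and a
    key recovered from one transaction does not unlock any other."""
    return hmac.new(base_key, b"txn-key" + counter.to_bytes(4, "big"),
                    hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF-based keystream: counter mode with HMAC-SHA256 as the PRF."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def reader_encrypt(base_key: bytes, counter: int, track_data: bytes,
                   nonce: Optional[bytes] = None) -> dict:
    """Runs inside the reader's secure hardware: the only place in the store
    where the card number exists in the clear."""
    key = derive_txn_key(base_key, counter)
    nonce = nonce if nonce is not None else secrets.token_bytes(12)
    ks = _keystream(key, nonce, len(track_data))
    ciphertext = bytes(a ^ b for a, b in zip(track_data, ks))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    # This dict is all the POS computer, the store network and the internet see.
    return {"counter": counter, "nonce": nonce, "ciphertext": ciphertext, "tag": tag}


def processor_decrypt(base_key: bytes, message: dict) -> bytes:
    """Runs inside the processor's decryption environment: the second 'point'."""
    key = derive_txn_key(base_key, message["counter"])
    expected = hmac.new(key, message["nonce"] + message["ciphertext"],
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, message["tag"]):
        raise ValueError("message altered in transit or wrong key")
    ks = _keystream(key, message["nonce"], len(message["ciphertext"]))
    return bytes(a ^ b for a, b in zip(message["ciphertext"], ks))


PAN_PATTERN = re.compile(rb"\d{13,19}")


def pan_visible(blob: bytes) -> bool:
    """What a memory scraper does: look for card-number-shaped digit runs in
    whatever the checkout computer has in memory."""
    return PAN_PATTERN.search(blob) is not None


if __name__ == "__main__":
    base_key = secrets.token_bytes(32)  # injected into the reader at the factory
    msg = reader_encrypt(base_key, counter=1, track_data=SAMPLE_TRACK1)
    print("scraper sees PAN in raw track data:", pan_visible(SAMPLE_TRACK1))
    print("scraper sees PAN in ciphertext:    ", pan_visible(msg["ciphertext"]))
    print("processor recovers track data:     ",
          processor_decrypt(base_key, msg) == SAMPLE_TRACK1)
```

The point to take from it: with the raw swipe, `pan_visible` finds the card number instantly, and with the encrypted message it finds nothing, even though the same checkout computer handled both. The tag also makes the processor reject any message that was altered on the way, and a key recovered from one transaction’s counter is useless for the next.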

Acronyms that Help Progress

But the “point” inside your business has moved.

It used to be the card reader where your customer swiped the card. Then Target, Home Depot and nearly forty other businesses – including small and mid-sized ones just like yours – were hit by malware called “BlackPOS” and its variants.

“POS” means “point of sale,” and in the payments industry that refers to the card reader and the checkout computer it plugs into.

BlackPOS is a “memory scraper.” It runs on the checkout computer and copies card numbers out of its memory in the moment after the swipe, while they are still in plain text and before they are encrypted for the trip to the processor. The breaches cost hundreds of millions of dollars, and senior executives at Target, including its CEO and CIO, lost their jobs over them.

So the trusted “point” has to move out of the checkout computer: into the reader’s secure hardware on one side, so the scraper sees only nonsense, and into the card itself on the other.

Which brings us to “EMV.”

Literal translation: “Europay, MasterCard and Visa,” the three companies that wrote the standard.

Actual meaning: It’s the name the industry has given to credit cards that have a computer chip built into them. Old-fashioned card readers can’t work with the chip. (Though most EMV cards also have a magnetic stripe for backwards compatibility, and cloned stripes used at stripe-only readers are exactly the fraud the liability shift is aimed at.)

The chip is the key, because it’s the new “point” in your store where the transaction begins. In this system, your customer will insert their card into the reader. This is called “dipping,” a term that might replace “swiping.”

Dipping takes a little longer than swiping, so be sure to have your customer leave the card in the reader until the terminal says it is done.

That’s needed because the chip and the card-issuing bank exchange an authentication during the sale. The chip holds a secret key that never leaves it, and it uses that key to compute a code (a “cryptogram”) from the amount, a counter inside the chip that goes up with every purchase, and a random number supplied by the terminal.

That code is unique to this single transaction. Stealing it is pointless, because the amount, the counter and the random number will all be different next time, and the bank keeps track of the counter so the same code can’t be replayed. What the bank learns from it is that the genuine card was present for this purchase at this merchant. Note what EMV does not do: the card number itself still travels with the authorization request, so the chip proves the card is real but does not hide the number. Hiding the number is P2PE’s job, which is why you want both.

It’s not foolproof – nothing is – but it’s much better than what we have now.
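Here is the exchange the last few paragraphs describe, as a model written for this post; it is an added illustration, not CrossCheck’s code or any card network’s. Real cards compute the cryptogram with Triple-DES or AES CBC-MACs under a card key derived from an issuer master key (EMV Book 2); this model uses HMAC-SHA256 for the same three jobs (card-key derivation, per-transaction session key, the cryptogram itself) so that it runs with only the standard library. The class and field names, the test card number and the amounts are constructed for the example.

```python
"""Model of the EMV online cryptogram (ARQC) and the issuer's check of it.

Added illustration for this post, not CrossCheck's or any card network's
code. Real cards use Triple-DES or AES CBC-MACs under a card key derived
from an issuer master key (EMV Book 2); HMAC-SHA256 stands in here for
card-key derivation, session-key derivation and the cryptogram so the
model runs with only the standard library. Names and data are constructed.
"""
import hashlib
import hmac
import secrets


def _prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def derive_card_key(issuer_master_key: bytes, pan: str) -> bytes:
    """Personalization: each card gets its own key, derived from the issuer's
    master key and the PAN, and burned into the chip. The issuer keeps only
    the master key and re-derives the card key when a request arrives."""
    return _prf(issuer_master_key, b"card-key:" + pan.encode())


def session_key(card_key: bytes, atc: int) -> bytes:
    """ATC = Application Transaction Counter, which the chip increments on
    every transaction; a fresh session key per transaction falls out of it."""
    return _prf(card_key, b"session:" + atc.to_bytes(2, "big"))


def auth_data(amount_cents: int, currency: str, unpredictable_number: bytes, atc: int) -> bytes:
    """The transaction fields the cryptogram commits to (a subset of what a
    real card signs over)."""
    return b"|".join([str(amount_cents).encode(), currency.encode(),
                      unpredictable_number.hex().encode(), str(atc).encode()])


class Chip:
    """The card. Holds the secret key and the counter; never outputs either."""

    def __init__(self, pan: str, card_key: bytes):
        self.pan = pan
        self._key = card_key
        self._atc = 0

    def generate_arqc(self, amount_cents: int, currency: str, unpredictable_number: bytes) -> dict:
        self._atc += 1
        arqc = _prf(session_key(self._key, self._atc),
                    auth_data(amount_cents, currency, unpredictable_number, self._atc))[:8]
        # The request still carries the PAN in the clear: EMV proves the card
        # is genuine, it does not hide the number (that is P2PE's job).
        return {"pan": self.pan, "atc": self._atc, "amount_cents": amount_cents,
                "currency": currency, "un": unpredictable_number, "arqc": arqc}


class Issuer:
    """The bank. Recomputes the cryptogram and rejects anything reused."""

    def __init__(self, issuer_master_key: bytes):
        self._imk = issuer_master_key
        self._last_atc = {}  # pan -> highest ATC accepted so far

    def authorize(self, req: dict) -> bool:
        card_key = derive_card_key(self._imk, req["pan"])
        expected = _prf(session_key(card_key, req["atc"]),
                        auth_data(req["amount_cents"], req["currency"], req["un"], req["atc"]))[:8]
        if not hmac.compare_digest(expected, req["arqc"]):
            return False  # forged card, or a stolen code reused for a different purchase
        if req["atc"] <= self._last_atc.get(req["pan"], 0):
            return False  # the very same request replayed
        self._last_atc[req["pan"]] = req["atc"]
        return True


def terminal_transaction(chip: Chip, issuer: Issuer, amount_cents: int, currency: str = "840") -> dict:
    """What the merchant's terminal does: supply a random challenge, forward
    the chip's request to the issuer, and report the verdict."""
    un = secrets.token_bytes(4)  # the terminal's "unpredictable number"
    req = chip.generate_arqc(amount_cents, currency, un)
    return {"request": req, "approved": issuer.authorize(req)}


if __name__ == "__main__":
    imk = secrets.token_bytes(32)
    pan = "4111111111111111"  # well-known test number, not a real account
    card = Chip(pan, derive_card_key(imk, pan))
    bank = Issuer(imk)
    first = terminal_transaction(card, bank, 4999)
    print("genuine purchase approved:", first["approved"])
    stolen = dict(first["request"], amount_cents=99999)  # reuse the code for a bigger sale
    print("stolen code reused for another amount:", bank.authorize(stolen))
    print("identical request replayed:", bank.authorize(first["request"]))
```

Two things worth noticing when you run it: the approved request still contains `pan` in the clear, which is the gap P2PE closes, and a second genuine purchase for the same amount produces a completely different `arqc`, because the counter and the terminal’s random number have both changed.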

Acronyms that Hide Shortcomings

They’ve been doing it like this in Europe for a decade.

But to understand how they do it, we need another acronym: “PIN,” which means “Personal Identification Number,” and we know you’ve heard that one before.

In Europe, after the card is dipped into the reader, the customer enters a four-digit PIN. The chip checks it (or has the bank check it) before it will produce the code for that single transaction.

Adding a PIN makes it even more secure, because a lost or stolen card does a thief no good without it, and the chip won’t do anything until it gets the right one.

But American card issuers chose a “chip and signature” method instead, to the mystification of many in the payments industry. (This was their choice, not a legal requirement; nothing in U.S. law prescribes either method.)

In the U.S., your customer isn’t required to enter a PIN.

Instead, your customer is only required to sign their name on a screen, similar to the way many POS devices work now.

When asked why the PIN layer of security was left out, the issuers’ explanation was that, they felt, Americans didn’t want to remember another PIN.

We don’t? Not even for significantly greater payment security?

They probably should have asked first because, needless to say, this decision has not given rise to widespread confidence in the switch. For example, Andrew Szente, vice president of government affairs at the Retail Industry Leaders Association, a powerful Washington, D.C. based trade group, told the Wall Street Journal, “It is absolutely a concern, and we believe [chip-and-signature] are a half-measure.”

But the liability shift is still coming, and half the cards in the country are expected to have an embedded chip by New Year’s Eve.

The Bottom Line

To protect yourself and your business, you need to be able to accept EMV cards by October 1, 2015 – about six weeks from this writing.

That means buying a new device for dipping rather than swiping, and if you are buying anyway, make it a PCI-validated P2PE reader so the card number is encrypted before your checkout computer ever sees it.

If you do that, then counterfeit-card fraud at your register stays the card issuer’s loss, as it is today.

If you don’t do it and a cloned card is used at your store, you’ll eat the loss – definitely not worth the risk. And remember, EMV by itself does not stop a memory scraper like BlackPOS from reading card numbers off your checkout computer; that’s what P2PE is for, and most of the companies hit by BlackPOS were small- and mid-sized.

You are not immune, and you are not off the radar, so comply as soon as you can. Your local CrossCheck representative can probably help you.

And while television and the movies are starting to have fun with the idea that a hand-written note on paper can’t be hacked, you should still concern yourself with security when accepting paper checks. Some of our auto repair clients accept up to 70% of their revenue in the form of checks.

You can have us guarantee that revenue so that even if a check is returned, you get paid anyway. It costs less than most credit card processing, and if you have questions about your service agreement we’re here for you 24/7/365.
