EMV Payment Technology & The Flower Business: FAQs
Most retailers know that there is a technology related to processing credit cards called "EMV" and a deadline in October 2015. They also know that they are hearing a lot of scary sounding stuff, mostly from people that want to sell them stuff.
EMV is important, but it's less important for florists than most other retail. Here are florist-specific answers to some frequently asked EMV questions.
What is EMV?
EMV stands for Europay, MasterCard and Visa (the companies that developed the technology). It involves a new-and-improved credit card format that adds a computer chip (that cannot be counterfeited) to the existing magnetic stripe (which is easily counterfeited). The EMV process also requires the cardholder to remember a secure PIN, and a special EMV payment terminal (replaces your existing swiper) that reads the chip and lets the customer enter their PIN.
Why is it Being Introduced?
Card-present transactions (the kind where the merchant swipes the credit card) are currently considered to be among the most secure kind of transaction. Unlike a phone order (which requires only knowledge of the card number and expiration date) a card-present transaction requires a physical authentication token in the form of a card.
The problem is that traditional credit cards can no longer be considered secure tokens. It is relatively easy to create counterfeit cards using stolen credit card numbers. EMV attempts to address this weakness and make card-present transactions more secure.
How is it More Secure?
EMV cards by themselves are far more secure than traditional magnetic stripe cards because of the addition of the secure computer chip. The chip makes them almost impossible to counterfeit.
The EMV process also introduces multi-factor authentication by requiring a second authentication factor. It requires "something you have" (a physical token in the form of a chip card) and "something you know" in the form of a secure PIN. Without those two things the transaction cannot complete.
Who Does It Protect?
First and foremost it is designed to protect the holder of a compromised credit card. Imagine Peter Jones uses his Mastercard to make a purchase on an e-commerce website that is subsequently hacked, leaking his card number. A counterfeiter then puts that number on a fake credit card and uses it to start making purchases that appear on the statement of Peter Jones. EMV makes this impossible.
EMV also protects everyone in the payment chain (merchants, banks and credit card companies) because they don't have to cover the fraudulent activity on Peter's card.
How Does It Protect Me?
The way things are right now it makes no difference to the merchant. Pre-EMV merchants are working with a flawed system given to them by the banks and credit card companies and are not responsible for losses caused by the weaknesses of that system. Pre-EMV banks and credit card companies will cover the losses generated by a counterfeit card.
After the October deadline things change.
What Happens at the October Deadline?
EMV offers a secure process that protects all parties, including merchants, but a merchant doesn't have to use EMV. After the October deadline, however merchants that don't use EMV will be liable for losses that EMV would have prevented.
Think back to Peter Jones and the counterfeit Mastercard. Pre-deadline the merchant is not liable. After the October deadline, a merchant that chooses not to use EMV will be liable because the loss would have been avoided had they been using EMV technology. If someone uses Peter Jone's counterfeit Mastercard to make a fraudulent purchase it is the merchant that now has to pay Peter Jones back.
What Doesn't Happen At The October Deadline?
Existing processes will not stop working. You can continue doing exactly what you are doing now, but there is a shift in liability.
"Don't expect a big bang in October of 2015," says Doug Johnson, vice president of risk management policy for the American Bankers Association. "In terms of rollout, we expect about 50 percent of banks and retailers to be completely transitioned over. It's going to take a little time to adapt."
VP, Risk Management Policy for the American Bankers Association
Existing processes and systems are no less secure. A secure payment system does not become any less secure after the deadline. A system that has never been breached is no more likely to be breached after the deadline.
What Kinds of Transactions are Protected?
EMV only protects in-person card-present transactions. Transactions that you currently swipe will become transactions where you insert the card into the reader and the customer will enter their PIN. These are the only transactions EMV protects.
What About Phone Orders?
EMV does nothing to secure phone orders. Remember – EMV technology requires the physical presence of the chip card, the EMV terminal, and a cardholder than can enter a secure PIN. None of this is possible over the phone.
What About Orders on my Flower Shop Website?
Same as above – EMV does nothing to protect e-commerce transactions.
Does EMV Prevent Data Breaches?
It doesn't. EMV is primarily about preventing the use of counterfeit credit cards. If your payment application (POS system) stores credit card numbers EMV does not help secure them. Stored credit card numbers are made no more or less secure by EMV and/or the October deadline.
How Important Is It?
It depends on the nature of your business. If for example you sold a lot of high-value items (like electronics) paid for with card-present swiped transactions EMV really helps. EMV means that it is much harder for a criminal to buy thousands of dollars worth of electronic equipment for resale on the black market.
For florists it is different. First of all EMV is never going to protect the 70%-90% of your volume that goes through the phone or your e-commerce flower shop website.
EMV can only protect the credit card portion of your in-person sales. For almost all flower shops this is under 20% of their total volume.
A florist is also unlikely to get hit with either a single huge charge or a rash of smaller charges. If there was a strange spike in the volume of card-present sales you would likely notice (and/or be notified by the credit card companies as they became of the fraud) very quickly.
Your single biggest charges are likely to be weddings. It would be very damaging if a large wedding or event sale was charged to a counterfeit card and you had to over it, but it is also unlikely. It would be very risky for a criminal to have the kind of extended engagement with a merchant they were trying to defraud. The point of a couterfeit credit card is really to get in and get out as quickly as possible.
When it comes to the EMV transition merchants in general and florists (who have relatively little to lose) in particular need to be careful. Things like "shift in liability" sound scary, especially when mentioned in conjunction with the looming October deadline.
This will be exploited by fear-mongering vendors with a strong profit motive. The people that sell EMV hardware? This is a gold rush for them, and they will do everything possible to get you to buy. Merchant service providers? Many of them will be using EMV to try and sell new hardware and lock you into long term contracts. POS vendors? They are likely to try and force you to buy upgrades and commit to long-term contracts.
Be careful. In all of these cases the cost of rushing to a bad decision can far outweigh the risk you are trying to avoid.