
Shift4 Vendor Spotlight: Major Changes Coming to the Payments Industry

The widespread use of credit cards in the U.S. has made them the target of criminals looking for a quick way to make money. The payments industry is changing rapidly to adapt to and counter these threats. Several new payment card technologies designed to limit fraudulent credit card activity have begun to roll out around the globe and are now beginning to appear in the U.S. Over the next couple of years, we are going to see a drastic change in how we accept card-based payments as these technologies increase card security, and maybe entirely change the way we pay for things.

Point-to-Point Encryption (P2PE)

Current PCI requirements state that when sensitive cardholder data (CHD) is stored, it must be strongly encrypted. While this secures the CHD at rest in a database, it leaves it vulnerable in transit and especially vulnerable to malware designed to “sniff” card numbers held in short-term computer memory. While PCI does require that merchants protect their systems against malware, the ever-changing nature of technology makes it difficult and expensive to guard against all threats preemptively. The most recent security technology to come to market is Point-to-Point Encryption (P2PE), which encrypts CHD within the magnetic card reader or keypad as it is being entered into the system, and then sends it – still encrypted – to the gateway or processor. The POS or PMS cannot decrypt this data, and furthermore, decryption cannot occur within the merchant’s premises. Simply put, with P2PE in play, the merchant’s card data environment (CDE) is reduced to the terminal device only, and with secure, tamper-proof devices now readily available, breaches of CHD in transit could be a thing of the past. (And PCI audits should be much simpler, too!)

EMV/Chip and PIN/SmartCards

While P2PE will greatly improve the card data security for all merchants, another new standard is being added to the mix to attempt to further limit fraudulent card use – EMV. EMV stands for EuroPay, MasterCard, Visa. These card associations got together in Europe and defined a new style of payment card, often called the SmartCard or chip card. The SmartCard contains a chip, similar to the SIM cards that are used in smart phones, that securely stores account information.

In an EMV transaction, the SmartCard is inserted into a card reader and must remain there as the terminal converses with the chip on the card throughout the transaction. Account information and issuing bank instructions are exchanged at the start of the transaction. Then the terminal pairs that information with instructions from the card association and finally writes an update back to the card at the end of the transaction. This processing method requires specialized hardware devices. Device manufacturers started including SmartCard readers in their PIN debit devices some time ago, looking forward to the October 2015 liability shift imposed by the card brands. (On that date, all U.S. merchants not using EMV will become liable for fraudulent transactions processed by their business.) However, in F&B and hospitality, where debit has not historically had much traction, the devices will be all new.

Shift4 has already added support for EMV in Canada, where merchants were all supposed to be using Chip and PIN by October 2010. But some merchants are still struggling to get it implemented. The delays are due mostly to the convoluted EMV-certification process. According to EMV rules, each combination of terminal device, POS/PMS, processor, and card brand must be individually certified for EMV. That means one processor may have to complete dozens of certifications to cover all of the devices in use by its customers – and each certification may take up to six months! Fortunately, Shift4 provided some much-needed assistance by proving that because our technologies can control the payment device and provide the text for the printed receipt to the POS/PMS, Shift4 could stand in place of the POS/PMS in the certification process. Processors such as Global Payments approved Shift4 to pre-certify all of our POS/PMS partners, simplifying the process for all involved. We are already laying the groundwork for similar things to happen in the U.S.

Unfortunately, the U.S. market is much more complex and has more players that will need to be certified than we faced in Canada. Also, Visa has indicated that a PIN will not be necessary for U.S. cards. The U.S. won’t be the first to do away with the PIN; Mexico and Brazil have already adopted EMV with a chip-and-signature approach. However, it will require some getting used to for consumers and merchants alike.

Contactless (NFC) Payments

When most countries adopted EMV, contactless payments using near field communication (NFC) chips were not yet widely accepted and were not given much thought. However, when contactless technology started gaining popularity shortly after EMV was rolled out to Canada, it forced another round of certifications and hardware purchases. Visa has pushed for the U.S. to adopt contactless and EMV at the same time to avoid a similar situation here. Some merchants think these technologies are interchangeable, but EMV and contactless are in fact very different. With EMV, the card remains in the reader and communicates with the terminal during the entire transaction. With contactless, on the other hand, the terminal communicates with the card just long enough to gather the card information.

Although they are able to read the same card, NFC doesn’t have the same write-back capabilities as EMV, since the card is not “in communication” throughout the transaction. Importantly, NFC does not allow debit. So perhaps this is a way for Visa to stack the deck against debit and promote the use of the Visa Network?

So why the push for contactless? This push may come more from the card issuers. Contactless uses NFC as a way for the chip in the card to communicate with the terminal. With more and more smart phones coming pre-equipped with NFC chips, the SmartCards may become unnecessary. This will save the card issuers money, as they won’t need to manufacture and distribute plastic cards – especially important as SmartCards are more expensive to produce than magnetic stripe cards.

So there we have it. The changing face of card payments may include payment terminals controlled by Shift4. These terminals will use P2PE to create an extremely limited CDE for the hotel, handle EMV and NFC to simplify PCI audits, and lower interchange fees in the process. We’ll see more change in the next two years than we have seen in the payments industry in the last two decades! Hope you all are starting to prepare…