August 2, 2016 - There are some very basic steps you can take towards making your payment processing solution compliant with PCI and EMV. Payment Card Industry (PCI) and Europay, MasterCard and Visa (EMV) compliance are concerns of any payment processing solution today.
$20,752 is the average cost to a small business due to hacking, up from $8,600 in 2013 (National Small Business Association)
It’s essential for small businesses to have an end-to-end payment solution in place that allows for PCI and EMV to be addressed. Cyberattacks are no longer just a problem for large, global enterprises they are a problem for any company of any size with a payment processing solution. Businesses of all sizes can take steps to protect customer information. This was the case for long-time, Banyan customer Franchise Entertainment Group (FEG).
Franchise Entertainment Group (FEG) is Australia’s premier home entertainment group encompassing such iconic brands as Video Ezy, Blockbuster and EzyDVD. FEG’s DVD rental kiosk solution needed to integrate a new EMV-compliant hardware and gateway for payments and have supporting infrastructure. They also needed their team trained on processes to support ongoing compliance.
Here are some of the steps FEG took towards becoming PCI and EMV compliant. Sometimes it is as easy as ABC. Don’t be intimidated by hackers, be prepared.
‘A’ Always be aware of your vulnerabilities
Your business and the customer experience revolve around the point of transaction. It’s where revenue is made and where you can build trust. Whether your point of transaction is a point-of-sale (POS) system or a vending machine, or DVD rental kiosk like FEG, always be aware of points of vulnerability surrounding your devices. Criminals can steal data in a number of ways like inserting “malware” onto the payment system to steal credit card data. Mag stripe readers are at greater risk for data breaches than chip readers. There are several other points of vulnerably shown in this illustration.
‘B’ Bring on a partner that has expertise in PCI and EMV compliance
As the payments landscape continues to evolve, standards and compliance are insurance to your business and your customers that operations will continue to run smoothly and securely. Whether you’re starting out, or scaling up, it can be hard to keep up with the latest standards. You can vastly simplify any PCI concerns about your payment processing environment by going with EMV. However, it’s not without its challenges, especially if current business processes rely on the availability of data obtained directly from the credit card. So don’t go it alone, work with a partner that has expertise in this area. Here are some key learnings from FEG’s integration of EMV.
How you can identify the customer
For FEG, the situation required the payment system to identify the customer (the human) based on the credit card they presented. In a non-EMV world, that is generally accomplished by reading the card data and matching it against data already stored. Similarly, data obtained via a token for the card can also be matched against previously stored data. Conversely, with an EMV situation it’s unlikely you’ll have access to the card data nor you will not have access to the card number. Further, many providers have yet to implement a tokenization routine for EMV-based transactions. We solved for this by partnering closely with the payment provider to develop their technology to support both a limited card read (name, bin, and last 4) as well as a tokenization solution.
What you can do to support recurring billing
Another challenge is recurring billing with an EMV solution. This mirrors the first problem, because you will not have access to the full card information, and the payment processor must provide some means to effectuate a follow-on payment or refund when the card is not present. In FEG’s case, the payment processor had a secondary API that allowed for those payments to be processed, which we had to implement in parallel with the card reader integration.
Consider the impact of network and infrastructure changes
There may be network and other infrastructure related changes that you’ll need to make in order for the EMV transactions to flow through the environment, depending on the solution that is chosen. For example, some card readers may connect directly from the endpoint to the payment processor without first passing through a central enterprise service. Additionally, if you have a large network of terminals, finding a suitable set of hardware could be a challenge. In most cases the hardware needs to fit in existing devices or mounts, and it can be expensive to replace a large number of hardware units. At this time options are limited, as the hardware is mostly available directly from the payment processor as opposed to being able to choose from a set of generally available hardware.
‘C’ Continuously improve to comply
For FEG, finding the right partner put them on the path to PCI and EMV compliance. Their payment processing solution is fully compliant with PCI standards and the team has been trained on processes that will enable them to support evolving requirements to maintain their certification. Additionally, they have a complete, multichannel strategy that enables customers to reserve movies online or from their mobile device.
The PCI Security Standards Council (SSC) announced a significant advancement in its efforts to foster small-business cybersecurity: A set of payment protection resources that acquirers can use to educate and empower the small merchants they serve to fight cybercrime. It’s all about creating a better understanding of the real risks that go along with the method(s) merchants rely on to process payment transactions. To learn more about how EMV can help reduce fraud check out the Merchant Guide: Stepping Up to EMV Chip with PCI.