I recently sat down with Patrick Gallagher, Director of Retail IT for a global fashion brand based in New York City. In this video interview he describes the various EMV certification processes businesses can choose from, and why it’s crucial for all retailers to be compliant by October 1, 2015. I’d love to know what you think, and hear about your EMV recertification process!
Carrie: Today I’m joined by Patrick Gallagher, the Director of Retail IT for a major international retail brand based in New York City. Thanks for joining me, Patrick!
Patrick: Sure, thanks for having me.
Carrie: I hear that you’re in the middle of a big EMV recertification process right now, so maybe you can tell our viewers a little bit about what EMV is.
Patrick: EMV, basically, is the new standard of security for pay card and credit card processing companies. As you’ve seen, a lot of the new cards that are coming out now, in addition to their magnetic strip on the back of the card, you also now have a chip, a computer chip, embedded in the card. And that is where all of the credit card data is now stored as opposed to that magnetic strip. Previously the mag strip was prone to skimming and counterfeit, and now that’s being locked down by storing all of the credit card data on that circuit on the card.
Carrie: And there’s a big deadline for U.S. companies to get on board with this new technology, so what should small businesses consider when they’re ready to get EMV compliant?
Patrick: Well, the deadline that you’re referring to is what they’re calling the Liability Shift, and it’s October 1 of this year, so there’s not a lot of time for retailers to act if they haven’t started this process already. But basically what it means is, after that date, if there’s a fraudulent credit card activity on your system and you are not EMV certified, you will be liable for any charge-backs that happen for that. If you are EMV certified and there is a fraudulent or counterfeit situation on your system, that liability now shifts back to either the card issuer or the credit processor. So there’s a big factor of insurance there. So that’s basically the main reason to be compliant with EMV by the deadline.
The other factors include just . . . Think about your consumers. Consumers aren’t stupid, and they’re aware of EMV. They’re getting the cards with the chips in them now, and your business reputation can suffer if your customers are still forced to swipe their card as opposed to dip it for the chip. You become suspect then. So it’s good to educate your customers, tell them why you’re switching, tell them what EMV is. And basically it’s going to foster a reputation between you and your customers by showing them that you’re prioritizing their security. So it’s good for both reducing fraud at your level in the store, and also for the customer.
Carrie: So how long and costly is this process of EMV recertification?
Patrick: Well, that depends on what type of retailer you are, I guess. There are different solutions for EMV capability, and some of these fit for certain types of retailers and some of them don’t. So basically the two that would be the best solutions for small businesses are what’s called a standalone solution and another one called a semi-integrated solution.
The standalone solution is strictly just a device that’s sold to you by your payment processor that comes out of the box and sits on the counter and takes credit cards, and that’s it. It just charges people’s credit cards. There’s no integration with your own systems, but it is EMV certified, and out of the box, you’re ready to go. There’s no certification process that the retailer would have to be involved in, so it is the easiest and cheapest and fastest to implement solution.
So that’ll work if you’re like a newsstand or a Bodega type situation where you’re just cranking out customers. But if you’re a small business who’s running more of a boutique and you’d like to have more visibility to your inventory, to statistics like average dollar sale, if you’d like any outward facing visibility about customer data and loyalty, anything for the customer to enter on your device, that’s going to require some more customization, and then you would go to what’s called a semi-integrated solution, because the data that’s being fed into the payment device is now going through your POS system and back and forth. They’re communicating back and forth.
Now for that, you would more than likely have to be involved in what’s called Level Three certification. And what Level Three certification is, is that’s the certification of all of the different pathways to the card brands. And once you get your new EMV certified device, now you have to test the path to AMEX, the path to MasterCard, the path to Visa. And what happens is you get what’s called a tool kit with test cards, and you have to test every basic type of transaction that’s possible on that device: a return, a sale, an even exchange, for each individual card, AMEX, MasterCard, Visa, Discover, that you take. Now these can be hundreds of test cases. Our tool kit, I think, has up to 300 test cases that we all have to submit. Once these are all submitted, your payment processor validates them, that they’re all EMV certifiable.
Once that process is finished, the processor then hands off all the test results to each individual card issuer. So now AMEX is going to validate your tests. MasterCard is going to validate your tests. Visa is going to validate your tests. And this is the process that takes the longest length of time. So the more complex the solution, the longer the certification process and also the more expensive it is. The shorter solution, especially the standalone solution right out of the box, you don’t even have to be involved in Level Three certification because it’s already done. But, you also lose that custom ability to your device. It’s very “what you see is what you get.” And you’re just married to the idea of using the product that your payment processor provides.
So there’s pros and cons to both solutions. Really, the best thing you can do is audit your system, talk to your payment processor about what type of a retailer you are and what you’re expecting, and let them guide you to what solution you can go to. Now that the Liability Shift for October 1 is coming up on us, a lot of processors are offering deals like, “We’ll give you a free device if you sign up with us,” so there are promotions. There are discounts on devices because the processors want you to sign a contract with them. So there’s a lot of different options. Just talk with your processor and find out what’s right for you.
Carrie: All right. Well, thank you so much. I’ve learned a lot about EMV and the certification process, and I know that our viewers have too. Thank you to Patrick Gallagher for joining me today. If you have any questions about anything we’ve discussed, please go to in.credibly.com and shoot me an email!