The restaurant industry has begun preparing for a big change in credit card technology and policies that will affect retail merchants in October 2015, both in economic terms and in operations.
Major credit card companies have announced incentives for merchants to change their point-of-sale systems by October 2015 amid a backdrop of credit card fraud that affected millions of department store shoppers, especially those at Target and Neiman Marcus, during the winter holidays.
Such changes would allow restaurants to accommodate the EMV standard that is widely followed outside of the United States and are aimed at better protecting merchants and issuers from fraud losses at the point of sale.
EMV, named after its developers (Europay, MasterCard and Visa), requires cards that have embedded microprocessor chips that store and protect encrypted user data instead of the magnetic strip widely used in the U.S. The chip in the card generates a one-time code for each transaction, which makes it more difficult to a counterfeit. Another layer of security can be added with a personal identification number, or PIN, or a signature, but currently, that layer is not required.
However, many in the restaurant industry are not convinced that the payment standard is the fraud solution some are touting it to be. “EMV technology protects against counterfeit cards to some degree, but it’s not a silver bullet for fraud,” said Liz Garner, the National Restaurant Association’s director of commerce and entrepreneurship.
Garner also noted that because of the investment required for operators, the restaurant industry is hoping for a more secure solution, including the possible inclusion of a PIN requirement.
“There is no reason there should be a payment device out there that the merchant can’t ask for a second layer of security on, especially in a world where we have passwords for everything, from an ATM withdrawal to signing in to an Internet account,” she said. “The worldwide standard is chip-and-PIN cards. Without issuing cards with PINs, it makes very little sense from fraud prevention and a lost-and-stolen type environment.”
David French, senior vice president for governmental relations at the National Retail Federation, said in a recent webinar that the chipped cards cost the issuing companies between four and 10 times as much as the long-used magnetic strip cards, and new chip-enabled hardware could cost the retail industry between $20 billion and $30 billion in total.
Card issuers are offering various incentives to merchants that comply with the EMV standard by October 2015. They include the elimination of the requirement that merchants with chip-enabled terminals annually validate compliance with the Payment Card Industry Data Security Standard, as well as protection from fraud liability.
Credit card companies are also warning of penalties for merchants who have not made the investment in chip-enabled technology. Policies vary among companies, but they all include further shifts in fraud liability from the card issuer to the merchant.
Garner noted that the merchant community already bears a third to half of the fraud losses, depending on the type of transaction.
The bigger picture
The NRA’s Garner said EMV compliance isn’t a complete solution and noted that the October 2015 timeline is “unrealistic.” She said it took Canada, with an economy smaller than that of the United States, seven to 10 years to move to a new level of card technology.
At large restaurant chains, changes in POS technology usually take about 18 to 24 months for acquisition and implementation. The companies then have to certify with their card processors that they are meeting their standards, she said.
That’s why organizations such as the NRA are seeking extensions of the deadline as the industry explores additional ways to increase data security. “We’ve asked the [financial services] industry to consider a more realistic timeframe,” Garner added, as well as consider more layers of cyber security.
In February, more than a dozen leading retail trade associations, including the NRA, announced a new cyber security partnership to focus on information sharing, card security technology and customer trust. Liz Garner, the NRA’s director of commerce and entrepreneurship, said in an interview that the organization has been observing data security for some time.
The group’s goal is to bring together all points in the payments chain — credit card processors, companies, equipment manufacturers and banks — to increase security for customer data.
“There’s much more that can be done to prevent overall fraud in the system,” Garner said. “The cyber security working group is definitely a step in the right direction to get all financial stakeholders to the table.”
“The restaurant industry has long sought a constructive, open dialogue with the financial services industry on the path forward toward creating a more secure payments environment for all stakeholders in the payments system,” Dawn Sweeney, the NRA’s president and chief executive said.
Sweeney said protection of customers’ financial and personal data is paramount to the industry, adding that “there is a shared responsibility between the financial sector and the retail sector to solve these issues together.”
The next piece of cyber security equation, Garner noted, is protecting data as it moves through the system, which she said is “absolutely critical.” The NRA’s role in the cyber security working group will address those issues as well, she said.
“There are a lot of pieces to the puzzle when we talk about data security and fraud prevention in general,” Garner said. “But we have absolutely got to do it to restore consumer confidence in the payment system.”