Hospitals, barber shops, clothing retailers, movie theaters, hardware stores. What do they all have in common? For one, they likely represent the small-to-medium-sized businesses you serve. Secondly, they all need point-of-sale (POS) devices to process credit card transactions. Oh, but there's a catch. Now, the legacy systems that clients may currently have in place don't cut it, and the consequences for failing to upgrade could be dire. As of October 1, 2015, all U.S. merchants are required to be Europay Visa Mastercard (EMV) compliant. What does that entail, and what's it got to do with you? We reveal the channel opportunity for IT solutions providers.
Why the Switch to EMV?
Goodbye swipe. Helloooooo "chip and dip!" If you've purchased groceries in the last month or two and your credit card has an embedded computer chip, you know that magnetic stripe technology is facing its end of life. Why? In an effort to cut down on credit card fraud and data breaches, the United States has now adopted a global payment standard based on more secure smart chip technology. According to the Aite Group and as published in a First Data whitepaper, the U.S. alone has experienced about $8.6 billion in card fraud. In transitioning to EMV cards, or cards with the computer chip, the hope is that this unsettling figure is reduced. Unlike with the magnetic stripe, the transaction code stored on the chip changes with each new purchase, so hackers can't exploit data gained in one successful POS attack to further compromise cardholders' identities.
What Does EMV Compliance Mean?
With a change in technology comes a change in policy and regulation. Whereas before, the payment processor or issuing bank (depending on the card carrier in question) was responsible for covering the losses of consumers whose cards were compromised, as of October 1, 2015, the party that is least EMV-compliant in counterfeit transactions will now be held liable. How is EMV compliance achieved? In basic terms, card issuers send EMV smart-chip cards to cardholders, and merchants offer POS terminals that support EMV technology. As of right now, credit cards are being made with both the magnetic stripe and chip technology since it is expected that stores will be slow to adopt EMV technology, a decision that's putting these merchants at risk with the new liability shift. Note that EMV compliance is different from PCI compliance. EMV compliance only applies to in-store purchases where the card is present. More on the relationship between the two later.
Why Must Growth-Driven MSPs Have the EMV Compliance Conversation with Clients?
Whether you resell POS devices or not, you have no choice but to understand the EMV dialogue. Let's take this first scenario. If you already sold clients legacy POS terminals, with this new mandate, those SMBs will rely on you to help them become EMV compliant. You'll have to upgrade their current payment systems to EMV-enabled devices. If you don't and consumers suffer a breach or credit card fraud, those merchants that didn't buy the new technology from another hardware vendor or Value Added Reseller (VAR) will be expected to cover the costs. Depending on the scope of the breach or fraud and the merchant in question, financial consequences and tarnished reputations could be severe enough to put your clients out of business. And even if they are able to recover, the likelihood that they'll want to continue doing business with you is slim if you never had the EMV compliance conversation with them in the first place.
Clients aren't just looking for another vendor or supplier. They can get that anywhere and probably for a much cheaper price. MSPs that have taken their services to the next level recognize the extra value of becoming their clients' trusted IT advisors. Regardless of whether or not you provide customers with POS hardware, because your business partnership revolves around maximizing data security, growing clients' annual revenue and driving their profitability, it's your job to make sure all affected SMBs become and remain EMV compliant. In turn, your careful attention to their needs will increase their trust in you, which can only help down the road with customer retention, cross-sells and upsells.
How Can MSPs Offer EMV Compliance Guidance?
So how do you have the conversation with clients? Present them with the facts and hard data! They may know about the new payment standard and the role they play in it, but could still be fuzzy on the details and delay making the switch due to implementation barriers. Show them the way! Use your blog or dedicated email sends to teach merchants what they need to know in order to be compliant. You could even create an FAQ section on your website like CreditCards.com did in this post. Never assume it's information they already understand and therefore pointless to send out. Even if they are fully aware, they'll appreciate you for looking out for them and will remember you having their backs.
There are tons of great resources out there for you to leverage in sharing this content with clients. For instance, this Data Protection Report article details the different ways consumers can pay for goods using EMV technology and how secure each method is, while also informing readers about separate incentives individual card issuers are offering merchants who are EMV compliant. Be sure to educate clients on the eligibility requirements for each of these incentives.
What about the future of EMV compliance with mobile payments? While we didn't discuss the mobile angle here, the same First Data whitepaper mentioned above states that "U.S. mobile payments will reach $214 billion in gross dollar volume in 2015, up from $16 billion in 2010—a 68 percent compound annual growth rate between 2010 and 2015." Will your clients know to consider mobile capability when evaluating POS devices to switch to? Then, there's the matter of deciding whether or not to offer both contact and contactless connections, the difference being that with contactless, users' cards don't have to come in physical contact with the card reader. As Business Solutions Magazine describes, the consumer "simply waves or taps the card within close range of a contactless-capable reader, energizing the chip and allowing the exchange of data via radio frequency (RF) in a process known as near field communication (NFC)."
Clearly, the EMV ecosystem and terms and conditions are complex. As these implications and considerations continue to unfold, make sure you stay on top of the latest developments and share them with your clients. Even if it's just simply retweeting or forwarding a helpful and relevant article, stay informed and pass on that knowledge to clients. For more information, check out this step-by-step guide to using social media to reach prospects and clients by sharing original and third-party content.
How Do EMV and PCI Compliance Differ?
I'm so glad you asked! As stated above, they are not substitutes for one another; both are necessary. You can consult the PCI Security Standards Council website for a more detailed explanation, but with PCI, security controls are implemented to protect credit card data throughout the whole transaction process (not just during the swipe or dip) and are applied even when the physical card isn't involved, such as in online purchases or payments made over the telephone. The EMV chip increases cardholder data security upon payment, and PCI Security Standards add another layer of defense by protecting that data once it's stored on your clients' networks. Both forms of compliance are crucial in maintaining data integrity.
To learn more about how to offer PCI compliant services, check out our recent blog post, 3 Ways a PCI Compliance Tool Can Help Grow Recurring Revenue, and download our webinar!
By Richard Harber
By Gretchen Hoffman
By Mark Cline