Throughout history payment mechanisms have continued to evolve to account for the need to balance user convenience, data security and the costs from merchants, processors and card schemes. This is why the world originally transitioned from cash, to cheque, to plastic. It is also driving the current move into a contactless world, including payment by near field communication cards, mobile phones, watches and “card-not-present” transactions made online and over the phone. While some countries such as Kenya are seeing a shift straight from cash to mobile payments, most economies are now supporting a smorgasbord of payment options for consumers and businesses alike. But while globally the payments world has become increasingly easy for those wanting to make a payment, it has become exponentially complex for those managing them. And the world is about to get even more interesting.
The body that sets the standard for credit cards, EMVCo has been gradually shifting credit card related fraud liability in the APAC region back onto merchants who don’t have chip-card reading capability. For Point of Sale, the shift occurred between 2006 and 2010. For ATMs, the deadline for transition was October 2015, with China, India, Japan and Thailand coming inline by October 2017. This is a major shift in the market as globally, up until October 2015, banks had borne the brunt of liability from credit card fraud which is estimated to cost USD16 billion annually.
While many APAC countries have significantly transitioned to the EMV standard PIN enabled chip cards, others around the world including the USA, are lagging well behind. Early adopters of the new standard, such as Malaysia have seen card fraud dramatically decrease as a result. Those that haven’t are now scrambling to get on board with the new technology and payments ecosystem required to support it. Retailers are inevitably feeling the impact with credit card fees already being a significant cost for retail operations. Weighing up the cost of changing to the new standard should be counter balanced with the risk of not changing.
"In such a competitive market, operations with non-compliant terminals are going to find it increasingly difficult to survive"
One risk is that this is a global occurrence and trans-border differences are now being highlighted. US travelers without PIN encrypted cards have reported difficulties in making payments in other countries where it is an accepted standard. The EMV shift is also likely to see consumers become increasingly wary of organizations that aren’t meeting the new standards, particularly as banks and card providers are doing their part in educating customers when issuing compliant, chip enabled cards. While the acquisition of certified chip-enabled card readers is an obvious requirement in making the transition, there are wider implications for most businesses. Data security is a major aspect of this as credit card details need to be stored and securely managed at every point of the transaction process.
This includes ensuring you are dealing with Point of Sale and back office systems that can appropriately support the new EMV payment ecosystem and protocols. Staff training is another important aspect; ensuring appropriate device training and security protocols are established to minimize the opportunity for fraud occurring in the first place.
But not all payments are made in a supervised environment. Unattended or self-service payment is a major market trend particularly for 24/7 operations such as petrol and train stations. The need to meet EMV and Payment Card Industry (PCI) security compliance in these businesses is even greater. Not just because the risks are generally higher around unattended card payments but because the reputational risk of failure is also exponentially greater.
In such a competitive market, operations with non-compliant terminals are going to find it increasingly difficult to survive. They are likely to be avoided by customers who understand the security risks and targeted by those who are looking to capitalize on exactly that opportunity. If a breach does occur, then business cost is not limited to covering the related fraudulent transactions but the wider and longer-term impact of the reputational damage.
The recently announced extension to EMV compliance for the US domestic Automated Fuel Dispenser industry from 2017 to 2020 reflects the additional complexities of providing compliance in these environments. It signals an increasing convergence of hardware, firmware, software and cloud technologies in making a payment transaction. In managing encrypted chip card payments, these components not only have to work effectively together but the layers of security must be certified and maintained across each one, individually and collectively. For all of us, as consumers, the implementation of EMV standards should signal the start of a more secure era of card-based payments globally. It will also see many businesses closely examining their data security and related technology in terms of payment management and that can only deliver a safer environment for us all to operate in.
Invenco is a global provider of self-service payment solutions with a range of products including outdoor payment terminals, electronic payment servers, payment switches, and cloud services. Headquartered in Auckland, New Zealand, Invenco also operates offices in Malaysia, USA and UK.