An important deadline is nearly here for all retailers who accept credit cards in their bricks-and-mortar stores.
By October 1, you'll be expected to have upgraded your card terminals to accept so-called EMV cards--short for Europay, MasterCard, and Visa. These are the most advanced generation of credit cards, equipped with small microprocessors that secure point-of-sale transactions by encrypting the personal information of the cardholder.
If you haven't upgraded to newer machines, generally speaking you'll be on the hook for any fraud that happens with these cards after the deadline. Take a breather, though. The implementation won't happen overnight, and many financial companies are just beginning to issue the cards, with about 120 million in consumers' hands so far. While all card-accepting merchants are expected to transition by the deadline, the truth is by the end of 2015, financial services research group Aite Group says just 59 percent of retailers will be EMV equipped. It expects a more complete rollout to take two years.
The majority of store owners are unaware of the shift, however, according to the Wells Fargo/Gallup Small Business Index from July. What's more, only 31 percent of retailers said their terminals could now accept the new standard, and less than a third said they planned to make the necessary changes before the deadline.
The U.S. is the last major world economy to adopt the standard, which has been in place in about 80 other countries for years. But the new cards are worth the effort of changing terminals. In the U.K., for example counterfeit fraud, which is the most common type of credit card crime, has fallen by nearly 60 percent since it implemented EMV in 2005. (The U.K., however, requires users to enter personal identification numbers, or PINs, with its credit cards, which has greater security advantages. In the U.S., such numbers will be required only for debit cards.)
Here's what you need to do to prepare.
1. Purchase a new terminal.
If you haven't done so, you'll need to contact your payment service provider. Starting in October, the liability shifts to you for fraud that occurs on chip cards, if you haven't done the necessary upgrade. The new terminals require you to dip your card in a slot, not swipe, as the older terminals that accept magnetic stripe cards do. If you have a lot of terminals, that's going to be a sizable investment, on the order of $250 to $300 per machine.
While the swap will pretty much be plug and play for most smaller merchants, larger small businesses with complex software systems, including CRM and inventory control, will have to integrate the new terminals with those networks. To get a sense of how massive an expense it could be, Target has reported it would pay $100 million for its own upgrade. Meanwhile, the typical small retailer holds onto its terminal for six years, Aite says, so depending on where you are in the cycle, you could have to replace a terminal you just bought.
That was the case for Luciana Torous, owner and founder of craft tea shop 3 Leaf Tea in Auburn, New York. Torous opened her shop just three weeks ago, and had previously purchased a terminal that accepted only magnetic stripe cards for $150. Then her service provider sent her an email, describing the upcoming shift to EMV. So she forked over $300 for the upgrade.
"I did not want to be penalized, so I figured I'd get the new one, so I wouldn't have to worry about anything," Torous says.
2. Prepare to educate your customers.
People are creatures of habit. And cardholders are used to swiping. The new card readers require consumers to insert their cards in a terminal slot, and the verification process takes up to eight seconds. Consumers can also forget to retrieve their cards at the end. You'll have to run interference.
3. Protect your online sales.
Online purchases are likely to be the next target. Criminals are always looking for the next soft spot. Online sales, called card not present transactions, can't be secured by the new technology. So criminals are likely to look to exploit security holes here. While many online retailers require the three or four digit security code on the back of a consumer's card to complete a sale, known as a certification verification value (CVV) code, many others do not. So if you don't currently require a security code, consider tweaking your system.
Online sellers of prepaid cards and electronics, be especially alert, as these potentially high-value items will be especially appealing targets. "Any merchant that is selling high-risk goods will have to be prepared, because they will be a favorite target of criminals," says Julie Conroy, research director for Aite.