CHICAGO – Last week during the NACS Show, TechEdge speakers and payment experts Linda Toth, director of standards at Conexxus; Kara Gunderson, POS manager at CITGO Petroleum; and Mike Lindberg, payment solutions director at CHS/Cenex, presented an education session on EMV, payments and data security.
During the “Leveraging Data Security Technology” session, Toth kicked off the EMV discussion by explaining that while EMV is not a card brand mandate, it is a common-sense mandate and there are many reasons why merchants should deploy it. She indicated that with the high rate of card compromises, consumers will seek out places to use their chip cards, which they perceive to be more secure, while avoiding merchants who are not capable of accepting chip cards. She advised that fraudsters will increasingly target merchants who do not have EMV-capable solutions installed, as they seek to keep revenue flowing in a declining population of non-chip merchants.
Gunderson added that while the outdoor EMV liability shift has been deferred three years to October 1, 2020, merchants still may be on the hook for liability as of October 1, 2017. She explained that excessive fraud-to-sales ratios and excessive amounts or number of chargebacks would put the responsibility for all lost/stolen fraud and outdoor EMV counterfeit fraud on the merchant. She said that penalties and fines could be imposed on top of the chargeback liabilities.
Toth noted that for all of these reasons, “Now is not the time to take your foot off the gas with regard to EMV,” adding, “2020 will be here before you know it.” She said that EMV “is one layer of a multi-layer approach to securing card data and being EMV capable does not mean you are PCI compliant.”
Lindberg added that “PCI compliance is a continuous process and not a one and done,” and said that merchants must “continuously access their environments and analyze them for vulnerabilities—because the fraudsters are, remediate by fixing those vulnerabilities and report compliance annually to acquirers and card brands.”
Gunderson reminded the audience that as of January of this year, merchants must now show proof of their PCI DSS compliance. She and Lindberg offered several resources for merchants to get started on PCI, such as the resources at pcisecuritystandards.org and www.conexxus.org/content/conexxus-resources. “We’ve both been in your shoes and had to start somewhere,” she said.