COVID-19 has accelerated adoption of various contactless payment methods. In many respects, this conversion to contactless is what futurists have been foretelling for years. Now the time has arrived. However, as you consider the benefits of contactless payments, you should also understand the risks and costs of various forms of “contactless.” If you choose to offer a contactless payment solution, do so with your eyes open and with the appropriate balance of benefit, risk and cost for your particular venue.
EMV credit and debit cards conform to an international standard leveraging an embedded chip or NFC (Near Field Communication) antenna to provide identifying information. This process is significantly more difficult to compromise than the previous MSR (Magnetic Stripe Reader) cards which required a simple rewriting of basic card information on a card’s magnetic strip. EMV cards are inserted (or dipped) into chip readers or tapped to an NFC capable device by the customer for payment and therefore qualify as card-present transactions.
Since the use of EMV cards dramatically reduces the fraud exposure for credit card companies, EMV service fees are significantly less than card-not-present transactions, such as online shops or cell phone payments. It is important not to confuse card-not-present transactions with the term “contactless payment.” An EMV NFC (also known as “tap”) card, for example, is both contactless and card-present whereas a cell phone payment is contactless and card-not-present.
The important thing to realize is that card-not-present transactions have significantly higher merchant processing fees than card-present transactions as a result of their different security profiles. Processing costs for card-not-present transactions can be as much as 100 basis points higher than card-present transactions.
Additional information may be gathered from a consumer during a card-present transaction to reduce further the likelihood of a fraudulent transaction. Outside the United States, a PIN is generally required on credit transactions (chip-and-PIN), while U.S. cards generally require a PIN for debit and may require a signature for credit (chip-and-signature). Furthermore, EMV outside of the US requires that the credit card stay within the possession of the consumer throughout the transaction. Since Europe has been ahead of the U.S. when it comes to payment methods, you can expect the practice of handing a credit card to a server for processing away from the table will soon be discouraged or eliminated—not to mention that it is inefficient from a labor standpoint.
The rollout of EMV in October 2015 shifted the liability for fraudulent transactions from the card issuers to the merchants. Merchants that do not employ EMV equipment for payments in their business operate without a liability shield. Any fraudulent transactions or chargebacks are the responsibility of the merchant and no longer covered by the card brands. This exposure is especially high in the hospitality business as restaurant or hotel legacy POS (Point of Sale) systems generally have an MSR slide built onto the POS terminal. Due to the liability shift, the merchant’s use of this integrated slide to process an EMV card, instead of using an EMV-certified terminal, will severely increase their exposure to fraudulent transactions and chargebacks resulting in revenue loss.
The Impact of COVID
The pandemic has had serious repercussions within the hospitality industry, and restaurateurs have scrambled to implement processes that increase consumer confidence and reduce potential exposure. This has resulted in an increased use of smartphones or other online ordering and payment apps. These apps may be web-based, reside on a smart device, or be an integrated payment wallet such as ApplePay or Google Pay. While reducing consumer anxiety about virus transmission from touch, it is important that the merchant fully understand the impact of deploying these payment methods.
Online and smart device transactions are not considered EMV transactions because the identity of the cardholder cannot be adequately determined through the processes defined in the EMV guidelines. Therefore, liability exposure to fraudulent transactions and chargebacks still exists for merchants that employ these technologies. Some mobile wallets, like ApplePay, perform secure tokenized transactions and have special arrangements with major payment processors to receive and decode these transactions. However, even though the tokenized communication of the card details may be effectively encrypted, a thief may still enter a stolen card’s details into a mobile wallet resulting in a fraudulent transaction and eventual chargeback.
Just because an app offers payment does not mean that the app developer has implemented best security practices in the development of the back-end systems that process the payment. If a developer has not had the experience of qualifying a device for EMV certification or has not been PCI (Payment Card Industry) certified to DSS (Data Security Standard) or PTS (PIN Transaction Security) standards, then a merchant should expect that their customer’s credit card and other personal data is not being securely stored. In that case, there is an elevated danger of the customer’s data being hacked and stolen.
Additionally, since all online and smart device transactions are by definition card-not-present transactions and therefore more susceptible to bad actors, the processing charges for these transactions are significantly higher than card-present and EMV transactions.
It is important to find a balance between ensuring a great customer experience with multiple payment options while simultaneously protecting revenue, reducing costs and safeguarding customer’s personal information. The following are recommendations to assist in that decision:
- Deploy EMV terminals within all of your locations and ensure that card-present transactions are processed through them and not through MSR devices.
- Invest in a mobile EMV terminal platform to eliminate the handling of a consumer’s credit card by waitstaff. Payment with a mobile EMV device reduces exposure risk for both wait staff and customers and is expected to become required by EMV in the future. Favor platform providers that build their own terminals instead of app developers that resell a generic Android device. Developers that have not been through a certification process are more likely to store consumer data in an insecure manner.
- Deploy a smart device or online payment solution for consumers that are not within the restaurant. Ensure that the solution provider has built and certified EMV devices and/or are PCI-PTS or PCI-DSS certified. It is best if the payment solution integrates seamlessly with both your in-house mobile terminal platform and your POS platform. Importantly, ensure that you are able to control refunds, voids, deposits and reporting through your EMV terminal platform and POS system.
While EMV is not required of restaurant operators, it is here to stay and is now table stakes for securely accepting payments in the hospitality industry. Ignoring EMV means ignoring the inevitable fraud that will occur without it, and today’s restaurants just cannot afford that.
Michael Weaver is the Chief Technology Officer of TableSafe, a company that provides the only mobile EMV payment solution designed to be left with the guest at the end of the meal, thereby removing the server from the payment process. Michael began his technology career in the 1980s and was a Management Consultant with Coopers & Lybrand in New York and Seattle. In 1998, he developed foundational technology for the e-discovery industry and launched Applied Discovery (ADI), the premier internet-based legal forensics company. He sold ADI in 2003 to legal database giant LexisNexis, a subsidiary of Reed Elsevier, now RELX Group. Since then, Michael has architected products requiring large capacity, highly scalable, transaction processing in a variety of industries. He holds a B.S. in Mechanical Engineering and M.B.A. in Finance and Operations Management. Michael joined TableSafe in 2014.