The October 1, 2015, deadline to migrate to EMV credit-card transactions has come and gone, but there is a lot of information you should know in order to stay compliant. We break everything down for you so you can understand exactly what happened.
The migration entailed a few critical steps and required changes in both the hardware and software that business uses to make credit transactions. If for some reason you haven’t moved over, here is a guide of everything you need to do:
Out With the Old, In With the New
For most small business owners, you’ll likely start with the same businesses and resources you used to initially set up your merchant accounts. As such, you’ll talk to a merchant acquirer that supports accepting payments from the big four brands. A representative from each should be able to walk you through options based on your current hardware deployment, store count, POS capability and sales volume.
But before you pick up the phone or send an email, take a look at your current credit-transaction equipment, and ask yourself if any substantive changes need to be made. Consider the following options when auditing your hardware:
- A one-to-one hardware replacement: If your business simply needs to swap out your non-EMV terminal(s) with those that are EMV-capable, then you can likely keep it simple and keep your costs down.
- Upgrade your existing system: If you’ve been considering an investment in a more robust payment system than your current one, perhaps with inventory or customer-loyalty functionality, coupling it with an EMV-capable solution may give you the best return on your investment.
- Consider adding mobile or contactless payments: In addition to chips, EMV security standards have also been implemented in mobile payment solutions created by Visa, MasterCard and American Express that use NFC. With Apple Pay and Android Pay, doing one upgrade that brings all of these capabilities to your business might be a great long-term investment.
Once you decide on your business’ needs, call your merchant acquirer and/or payment processor to help you understand your options. Once you know what kind of hardware you need, the next step is planning for how much time will be needed to deploy and certify it.
Wait, There’s a Certification Requirement?
Every EMV-enabled terminal must be certified by EMVCo and by the card brand(s) whose payments you want to accept. The size of your business and the complexity of its payment system will dictate how the certification affects your company.
With that being said, unless you have thousands of stores running incredibly complicated software, it’s likely that your business does not have to play a substantial role in the testing process.
How Do These Tests Work?
EMV testing is divided into three levels.
Levels 1 and 2 are handled by EMVCo and deal with certifying payment equipment at the hardware and software levels. Each certification is meant to ensure not only the security of the device, but also interoperability standards between brands, customer verification methods (CVMs) and other aspects of EMV deployment. This also applies to apps that are designed to facilitate EMV adoption.
As a small business owner, unless you code your own kernel-level applications for your terminals, you shouldn’t have to worry about Levels 1 or 2.
In contrast to hardware and software, Level 3 is an end-to-end certification conducted between the merchant and the brand, with checks made with your processor, acquirer and any ISV(s) you are working with. It checks the integrity of the payment chain by testing every type of possible transaction that the terminal can do.
Depending on the types of transactions and CVMs you want to process, you could be looking at upwards of a few hundred tests, especially if you accept all four brands.
Will My New EMV Equipment Have to Be Certified?
For Smaller Businesses
If your business’ payment-system implementation is relatively simple with few or no customizations, then most of the Level 3 certification may not apply to your business. This includes simple implementations like single terminals, as well as specific, pre-made software packages that are certified to handle EMV transactions without heavy customization.
Be sure to contact your payment processor and acquirer for more info about what qualifications your business is required to perform.
For Larger Businesses
If you run a larger business that uses a customized processing setup, then you may have to play a more active role in your business’ Level 3 certification.
If your business falls into this group, you should talk to your payment processor, ISV and acquirer for guidance. They will be more than happy to offer advice on what you’ll need to complete certification.
How Much Time Will Level 3 Certification Take?
Again, depending on the degree of customization and complexity of your payment system, the timeframe for completing Level 3 certification can be as little as two weeks or as long as eight months.
In order to accelerate your business’ certification, work with your ISV to make sure that your customized software is ready for testing before you start the testing process.
Will Level 3 Certification Cost My Business? If So, How Much?
As mentioned earlier, not all merchants will have to take an active role in the certification process. For those that do, however, Level 3 certification can be costly, anywhere from a few hundred to tens of thousands of dollars.
Yes, it’s a scary figure, but consider what goes into it.
To complete some aspects of testing, it’s necessary to schedule time with your processor, acquirer and sometimes even the brands themselves to test compatibility. These figures also reflect the cost of testing equipment, required man-hours and development costs that may be needed to bring your ISV’s custom software up to spec. This ensures the integrity and security of all accepted types of EMV transactions for you and all of your business partners.
To help offset these costs, some payment processors have assembled testing kits to help businesses that are required to perform testing. Others may have to work with independent testing vendors, which offer debugging or quality-assurance services if need be.
The bottom line is this: If you think your business is large enough to warrant a substantial active role in Level 3 testing, contact your acquirer and payment processor for guidance.
How Much Do the EMV-Capable Terminals Cost?
EMV terminals are already on the market and come in forms ranging from the simplest card processors to POS systems that can run loyalty programs from a tablet. While the seemingly endless options make it too much to cite specific prices, we can make some educated guesses based on freely available information online.
A normal, card-only terminal will likely cost anywhere from $100 to $500. The final price will be contingent on features such as available memory, screen size, operating system and even connectivity. For restaurateurs, there are portable card-only terminals that can connect via Bluetooth, Wi-Fi or even through a cellular connection.
Integrated POS terminals may run into the thousands of dollars. While not as simple as a stand-alone terminal, many modern POS terminals offer advanced capabilities, including inventory management, customer statistic management and other functions.
Whatever you do, be on the lookout for promotions from acquirers, processors and even the brands themselves. Each has already spent money in order to implement EMV and make everyone’s payment system more secure, and they will likely be willing to work with you to ensure your lasting business.
What Should I Look for When Choosing a Terminal?
Choosing the right terminal will vary from business to business.
For example, if your business has only one stationary location where you accept payments, you may not need a wireless terminal with lots of memory or detailed screens. Likewise, if you run a restaurant that seats more than four tables of four, then investing in portable terminals that link to a host might be a good investment.
Either way, consider the features your business needs against the cost required to purchase them. Remember that you want to keep your payments secure, but you also want to be as cost-effective as possible while doing it.
That being said, even though U.S. cardholders will likely use Chip-and-Signature to verify their purchases, strongly consider investing in a PIN-capable EMV terminal for the long-term. We can’t predict what will happen, but the possibility of issuers adopting PIN-only cards in the coming years is a very strong possibility.
Some issuers are also electing to enable contactless EMV, which works using NFC (near field communication) technology. Contactless EMV payments are designed to make payments a breeze by allowing customers to simply tap their cards against a terminal. It’s a payment method worth considering if your business deals with rapid, smaller transactions.
Another consideration is if your business serves a lot of international customers. If you’re able to accept Chip-and-PIN transactions, that could mean the difference between a big sale and no sale at all.
Another possibility—and quite an immediate one—is mobile payment acceptance. The major card brands have invested heavily in creating standards for mobile payments, and both Apple and Google have gotten their payment systems on a variety of smartphones. If your business serves a mobile-friendly demographic, the ability to accept convenient mobile payments may set your business apart from the rest of the crowd.
The Next Steps
If you’ve been following along, you should be well-versed on everything EMV. For those that are ready to make the migration, check out our step-by-step guide to EMV migration. For even more EMV background, see our guide on what happens if you don’t migrate to EMV.