Pharmacy POS Credit Card Security in 2015 – March Update

Last month, we provided the first of many updates about what to expect this year as the credit card industry undergoes some pretty big changes.  Credit card fraud and data breaches continue to be major concerns for retailers big and small, so it’s important to understand the changes you will be seeing in 2015 that will help to protect your pharmacy and your customers.  

If you read last month’s update, you may notice that not much has changed since that very first letter. This month, in addition to emailing and posting this letter online, a copy will also be mailed to all RMS customers.  We encourage everyone to take a moment to read through this letter for all of the latest information on EMV, Point-to-Point Encryption and more.  

EMV

Many of you are aware that in October of this year the credit card industry is offering to shift liability for credit card fraud away from you, the merchant, to incentivise you to adopt EMV technology. EMV stands for “Europay Mastercard Visa”. EMV technology was first implemented in Europe in 1995. EMV cards have a microchip embedded in them that creates a unique transaction code each time the card is used. EMV makes it virtually impossible to duplicate a card. But that’s where the technology stops. EMV protects the acquirers and card brands (Visa, Mastercard, AMEX, & Discover) from fraud, but it has absolutely no impact on protecting you from a data breach (more on this in a moment). The card brands, acquirers, and credit card processors all began working with the large chains a few years ago on preparing for this shift. The credit card industry is now preparing to roll out this technology to small businesses, albeit 18 months behind schedule. We are currently working with all of your current processors to make this technology available by the 4th quarter.

Point to Point Encryption (P2PE)

As I mentioned, EMV does nothing to protect you from a data breach and as a merchant having all of your customers’ card data stolen would be far more damaging than having an individual use a fraudulent card in your store. A new technology known as point-to-point encryption (P2PE) virtually eliminates the chances of a data breach. With P2PE, the moment the card is swiped or put into the EMV reader, the card is encrypted by the hardware device and sent directly to the processor where it is decrypted for the first time. The processor then approves or disapproves the transaction and sends an approval or disapproval to the POS system. With P2PE, your POS has absolutely no credit card data to be stolen. P2PE is currently available in our latest software release, but it is currently only available with processing via Mercury Payment Systems. We are working with our other partners to offer this technology with them in the coming months.

What is this going to cost?

When you decide to move forward, the cost will depend on which processor you use and which hardware devices they certify. We have weekly meetings with our credit card processing partners on this topic and once we have firm information from them, we will pass it along to you.

We have already been told by all of our processing partners that there will not be any EMV certified signature capture devices until the 2nd quarter of 2016. They are all certifying non-signature EMV devices first and will make those available by October 2015. We will be coding to allow the use of these devices to accept credit cards (EMV and non-EMV cards). If you chose this option, your existing signature pad will be used for signatures only and not for credit card processing. We will continue to offer this dual device option moving forward, but we will also offer a single device option (signature pad with EMV reader) once they become available in 2016.

At this point it is important to keep in mind that neither of the above technologies are currently mandated, so you have the option of continuing business as usual until such time that you can budget and plan for the change. The October 2015 date, many of you have read about, is not actually a deadline, it is simply the date when the credit card brands agree to shift fraud liability from you to them on EMV transactions. This liability shift only applies to EMV cards processed as EMV transactions and does not apply to standard credit cards you accept. Keeping in mind that EMV technology does not protect you from a data breach, I recommend you consider P2PE as the first technology to adopt. This removes the credit card data from your system, reduces your PCI scope, and eliminates the chance of a breach due to stored credit card information.

What about my customer – the consumer?

There are still over 1 billion standard credit cards in use in the United States and issuers have only begun to replace these cards. In most cases, the issuer will initially activate the card as a “chip and signature” card to make the transition for the user as easy as possible. Chip and Signature means the consumer will sign for the transaction as usual. Eventually, all issuers are expected to migrate to “chip and pin” which means the consumer will have to enter their pin to use the card. We will be able to handle both situations from the beginning.

One of the hardest changes for the consumer is that with EMV, “swipe at anytime” goes away. With an EMV transaction, the card must remain in the EMV slot during the entire payment process. It will be very important to train your staff on this change.

What about Apple Pay and other mobile payment solutions?  

Since it’s release, Apply Pay has been highly sensationalized in the media, and many processing companies are portraying it as the next big thing in processing.  What’s important to understand is that even at merchants that can accept Apple Pay, those transactions will account for less than 1% of your total revenue in 2015.  Apple Pay transactions are also subject to a much higher level of fraud (a recent report showed 6% of Apple Pay transactions are fraudulent compared to 0.1% of regular credit and debit card transactions).  While Apple Pay is a planned part of the updates we will be making to our credit card processing integration changes in 2015, it remains to be seen whether Apple Pay will catch on or become an important payment option for retailers to implement.  With all the changes coming your way, there are definitely more important steps to take first.  

Where and when can I get more information?

We plan to send updates at least once per month via email and once per quarter via mail through the end of the year. We will also be posting the most current information on our website at  http://www.rm-solutions.com/emv