Payment security should be a top priority when choosing a point-of-sale system for a car wash business. EMV and the types of transactions any proposed system supports should be taken into consideration. By taking the time to conduct proper due diligence from the outset, businesses will be protected from compliance headaches and financial losses in the future.
EMV Security
In 1994, Europay, Mastercard and Visa (EMV) introduced a single standard to create a more secure method of payment card acceptance. This was designed as a replacement for the ubiquitous magnetic stripe (“magstripe”) technology.
Transactions made with EMV cards are better known as “Chip and PIN” because the cardholder inserts their card into the terminal and then enters their PIN to process a transaction. EMV transactions use the same card data as a magnetic stripe transaction, but also include an encrypted data element which changes with every transaction. This encrypted data is generated by the chip on the EMV card and cannot be created by a fraudulent card. Each EMV smart card contains a unique public and private key pair which is used for authentication.
When signalled by the terminal, the card uses one key to generate a valid encrypted code which is sent back to the terminal. This code is unique to each particular transaction and proves that the card is genuine. The second key is used by the terminal to validate the code returned by the card. These one-time encrypted codes make it virtually impossible to intercept data in order to create counterfeit cards.
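A simplified model of the challenge-response described above, added here as an illustration (it is not PSD Codax code and does not follow the EMV message formats). The `Card` class, `terminal_verify` function, field layout and toy textbook-RSA key are assumptions chosen so the script runs with the Python standard library alone.

```python
import hashlib
import secrets

# Toy textbook-RSA key pair standing in for the card's key pair. The primes are
# fixed, small Mersenne primes and there is no padding: illustration only.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, never leaves the card


def digest(unpredictable_number: bytes, amount_cents: int, counter: int) -> int:
    """Hash the per-transaction data both sides agree on."""
    data = unpredictable_number + amount_cents.to_bytes(6, "big") + counter.to_bytes(2, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


class Card:
    """Hypothetical chip: holds the private key and a transaction counter."""

    def __init__(self, private_exponent: int = D):
        self._d = private_exponent
        self.counter = 0

    def respond(self, unpredictable_number: bytes, amount_cents: int):
        self.counter += 1
        code = pow(digest(unpredictable_number, amount_cents, self.counter), self._d, N)
        return self.counter, code


def terminal_verify(unpredictable_number, amount_cents, counter, code) -> bool:
    """Terminal side: check the code with the card's public key (N, E)."""
    return pow(code, E, N) == digest(unpredictable_number, amount_cents, counter)


def demo() -> dict:
    card = Card()
    un1 = secrets.token_bytes(4)           # terminal's fresh challenge
    ctr1, code1 = card.respond(un1, 1200)  # genuine transaction
    un2 = bytes(b ^ 0xFF for b in un1)     # next transaction: a different challenge
    fake = Card(private_exponent=3)        # counterfeit without the private key
    fctr, fcode = fake.respond(un2, 1200)
    return {
        "genuine": terminal_verify(un1, 1200, ctr1, code1),
        "replayed": terminal_verify(un2, 1200, ctr1, code1),
        "counterfeit": terminal_verify(un2, 1200, fctr, fcode),
    }


if __name__ == "__main__":
    print(demo())
```

A code captured from one transaction fails verification against the next challenge, which is the property that static magstripe data lacks.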
Data from EMV cards cannot be accessed by fraudsters. With contactless cards the chip is powered wirelessly through its proximity to the terminal. However, fraudsters cannot use long-range RFID readers to extract data from these cards because the near field communication (NFC) technology in contactless cards uses a radio frequency that only transmits digital data across a very short range. Typically, the optimum distance is four centimetres or less and can never exceed ten centimetres. Furthermore, only a genuine POS with a genuine acquirer bank account can proceed with an EMV transaction.
In addition, customers can complete EMV transactions only in person, when the cardholder physically has an EMV-enabled payment card with them and the terminal is enabled to accept EMV payments.
EMV chip card technology has massively reduced the costs resulting from counterfeit fraud wherever it’s been adopted. However, despite all the evidence that EMV technology is safe, convenient and effective, there are many businesses that still haven’t made the switch.
As a means of encouraging the adoption of EMV, the payment card industry has introduced changes to liability in fraud cases. Before October 1, 2015, the financial institution issuing a card would usually absorb the costs of any fraud committed with it. After that date, however, the party judged least compliant with EMV is liable. Virtually all new payment terminals accept EMV payments, and since 2015, merchants can be held responsible for some types of fraud if they haven’t processed a chip card with an EMV-enabled processing device. While the payment industry is continuing to improve card security, it’s important that businesses are aware of the changing standards and technology available. If businesses haven’t upgraded to EMV, whatever credit card acceptance terminals they have are limited in other important ways.
The EMV standard is continuously evolving, introducing new security defence mechanisms such as Dynamic Data Authentication (DDA). The security standards that are included with the EMV chip protect everyone involved in a transaction, including the cardholders, the carwash business, issuers, and processors. By upgrading to EMV, businesses ensure that they are not the weak link in the security chain, and this will reduce their liability to losses related to fraud. Upgrading to a newer payment acceptance terminal will also enable businesses to facilitate transactions with mobile wallets such as Apple Pay and Google Pay.
EMV is optional, although not deploying EMV technology puts a business at greater risk of financial loss from chargebacks. Furthermore, businesses should consider consumer perception. As customers are now very familiar with EMV chip and PIN, they may consider magnetic stripe processing both unsafe and outdated.
PCI Compliance
The Payment Card Industry Security Standards Council (PCI SSC) was formed by the five major credit card companies to generate standards that would ensure the secure handling of credit card information. There are twelve broad requirements and over three hundred sub-requirements.
Compliance with PCI standards is enforced by the PCI Standards Council, and all businesses which store, process or transmit credit card data electronically are required to follow the compliance guidelines.
The Payment Card Industry (PCI) compliance standards require that businesses handle credit card information in a secure manner, which helps reduce the likelihood that cardholders would have their sensitive financial data stolen. All companies which process credit card information are required to maintain PCI compliance, regardless of their size or the number of credit card transactions they process.
Companies are asked to assess their information technology infrastructure, business processes and credit card handling procedures in order to identify any potential threats that may compromise credit card data. Companies are then required to address any gaps in security, and to avoid storing sensitive cardholder information, including social security and driver’s license numbers, unless absolutely necessary. Companies are also required to provide compliance reports to the card companies that they work with. Businesses not handling credit card information properly could leave the card information exposed to hacking and being used to make fraudulent purchases. Furthermore, sensitive information relating to the cardholder could be used in identity fraud.
PCI compliance helps to protect credit card data that is stored, processed, and transmitted. However, it doesn’t contribute to validating a specific card transaction. EMV prevents businesses from accepting counterfeit cards, but doesn’t protect credit card data after transmission. As a result, EMV isn’t a substitute for PCI compliance, nor is PCI a replacement or catchall for EMV. It is the combination of the two that improves overall credit card security.
Getting Started with PSD Codax
Finding the best payment terminal for a carwash business is crucial and may be something that is overlooked too often in the industry.
In the in-bay/rollover business model in particular, the terminal is frequently unattended and needs to meet all of the customers’ expectations, both in terms of the type of card payment available and the security they can expect to be associated with the transaction.
At PSD Codax, we can provide a variety of solutions to the POS needs of the carwash industry which are both flexible and secure. Simply get in touch with our team today to learn more.