Small Business and EMV: What Retailers Need to Know About Risk, Security

Small Business
You can trust that we maintain strict editorial integrity in our writing and assessments; however, we receive compensation when you click on links to products from our partners and get approved. Here's how we make money.
Small Business and EMV: What Retailers Need to Know About Risk, Security

Swiping credit cards is on the way out; dipping chipped cards is on the way in.

EMV technology — also known as chip and pin or chip and signature — is the more secure credit card standard the U.S. payments industry is adopting. The cards have hard-to-counterfeit computer chips that must be dipped into card readers rather than swiped. Most businesses will have to update their point-of-sale systems to accept them; here’s how to become EMV compliant and compare POS system options.

In October, businesses become liable for counterfeit credit card charges if they can’t accept a customer’s EMV card. Currently, card issuers take the loss for counterfeit charges. But 45% of retailers haven’t implemented EMV technology even though 75% say they’re worried about security hacks, according to a 2015 report by the POS provider Lightspeed, which surveyed 1,500 independent retailers. Here’s what small-business retailers need to know about EMV technology and security.

High-ticket retailers are more at risk for counterfeit fraud

Although all small businesses should be thinking about accommodating EMV technology, retailers that sell expensive items are more likely to experience counterfeiting, says Norm Merritt, chief executive officer of ShopKeep, a cloud-based point-of-sale system for retailers and restaurants. Fraudsters likely wouldn’t waste time buying a $3 cup of coffee with a counterfeit card; they’d go straight to the jeweler, bike shop or high-end boutique, Merritt says.

Small retailers that don’t have large transactions aren’t as at risk for fraud, says Chuck Winter, a consultant at the Atlanta-based global consulting firm North Highland. But high-ticket service-based businesses such as car rental companies, salons, barber shops and small hotels are also vulnerable to fraud, Winter says.

Retailers can still accept magstripe cards with the new tech — if it’s worth the risk

EMV readers will still be capable of swiping magstripe cards to accommodate customers who don’t have EMV cards yet. But if a business accepts a magstripe card and it’s counterfeit, the business is liable. It will be up to individual businesses to decide whether to continue accepting magstripe cards or require EMV cards. That decision largely depends on the type of business, Merritt says.

“If I’m selling a $10,000 necklace,” he says, he would “absolutely” accept EMV cards only. “If I’m a bodega selling an $8 biscuit and a cup of coffee, I could take the risk.”

EMV cards don’t protect against data breaches

EMV doesn’t protect against certain types of threats, such as the data breaches that occurred at Target in 2013 and Home Depot in 2014, says Sherif Samy, commercial director for the transaction security business at UL, a global safety company that works on transaction security. In data breaches, fraudsters steal credit card information directly from retailers’ networks, Samy says.

To avoid breaches, businesses need to implement two security features in addition to EMV: end-to-end encryption and tokenization. End-to-end encryption translates the card data into an unreadable format so the information can’t be deciphered if it’s stolen. Tokenization is the process of translating card numbers into unique, random numbers so they can be stored securely within a merchant’s system. Samy advises businesses to look for POS systems that include these features — look for those that are compliant with the Payment Card Industry Data Security Standards, known as PCI DSS.

The takeaways

  • Small-businesses need to update their POS systems by October or risk being liable for counterfeit charges if they can’t accept a customer’s EMV card. Here’s how to become EMV compliant and compare POS system options.
  • Although EMV cards are more secure than magnetic stripe cards, they only protect against counterfeit fraud. Retailers need to implement end-to-end encryption and tokenization to prevent data breaches.

For related information, visit NerdWallet’s resources on how to start a business. For free, personalized answers to questions about starting and financing your business, visit the Small Business section of NerdWallet’s Ask an Advisor page.

Teddy Nykiel is a staff writer at NerdWallet, a personal finance website. Email: teddy@nerdwallet.com. Twitter: @teddynykiel


Image via iStock.