By Kevin Woodward
Encryption technologies, which mask sensitive card data with mathematically derived characters and numbers, appear to be the security method that resonates best with merchants. That’s the result of a Digital Transactions News survey that asked about EMV, tokenization, and encryption.
Forty-five percent of respondents cited encryption, followed by tokenization, 30%, and EMV, 25%. That may indicate many merchants continue to be confused about EMV chip payments, despite the payment card industry’s education and marketing efforts. EMV ensures the card used at a point-of-sale terminal is genuine, while tokenization substitutes the actual card number with a randomized stand-in.
Payments providers are in a hurry to get EMV-compatible point-of-sale terminals in merchants’ hands in anticipation of the Oct. 1 liability shift. That’s when the party to a general-purpose credit or debit card transaction that doesn’t support EMV chip cards, be it the issuer or merchant, will bear liability for any resulting counterfeit fraud.
“There is still a lot of confusion among merchants about EMV,” Jeff Zimmerman, senior vice president of product management and marketing at Clearent LLC, a Clayton, Mo.-based merchant-services company, tells Digital Transactions News.
Anecdotally, encryption seems to be easier to talk about than EMV, he says. “We’ve been trying to educate our merchants for a long time. Lots of merchants are reluctant to be forced to buy new hardware.”
Encryption may be easier to talk about because it’s been around longer than EMV, at least in the United States, Zimmerman says. “We’re not hearing a lot about tokenization from merchants yet.”
Similarly, at BankCard Central LLC, a North Kansas City, Mo.-based payments provider, the EMV-education effort soldiers on. “You have to make [merchants] aware of it,” says J. Larry Daniels, president and chief executive. “Talk to them. Let them know.”
He plans to send letters explaining EMV to BankCard Central’s merchants next week and follow up with a phone call. “We are trying to get the preponderance of them converted,” Daniels says.
That is likely to be a tough job. Data-security and compliance firm ControlScan found in a recent survey it conducted that 68% of respondents felt a majority of small and mid-size businesses will not be EMV-ready by Oct. 1, primarily because they have trouble understanding the changes associated with EMV and they simply don’t care, says Joan Herbig, ControlScan chief executive.
“Recent forensic studies suggest that tokenization and point-to-point encryption would go a good deal further to combat breaches if deployed in conjunction with EMV,” Herbig says. “Two-thirds of the respondents to our survey said they plan to offer an integrated approach that includes EMV, tokenization, and/or P2PE when working with merchants on equipment upgrades. Encryption will resonate the most with merchants because it is easier to understand and explain, and it applies more broadly than tokenization, which is only necessary if data is being stored.”
Processor Total System Services Inc. (TSYS) has adopted a collective approach to security in sales pitches when it touts its suite of security products, including PCI validation, card-compromise protection, encryption, tokenization, and EMV, says Tom Boyer, president of TSYS Merchant Solutions, in an email to Digital Transactions News.
“At the end of the day, a merchant may choose to take a customized or a la carte approach to how they protect their environment, but we want to ensure that our customers are aware of the full suite of services we provide,” Boyer says. TSYS is based in Columbus, Ga.
At Vantiv Inc., EMV probably is top-of-mind for many merchants, says James Zerfas, vice president of security and risk products at the Cincinnati-based processor. Prior to 2015, tokenization might have garnered the most interest, he says. “Additionally, EMV is often mistaken as being a security technology, when in fact it’s more a fraud technology, meaning that merchants inadvertently have also shifted their thinking with the belief that EMV is an alternative to other security technologies like encryption and tokenization,” Zerfas says in an email to Digital Transactions News.
Vantiv is taking a customized approach, too, to bundling EMV and security products. Not every merchant needs every tool, Zerfas says, “so Vantiv is bundling products where it makes sense and offering some products individually in other instances.”
Many agree that smaller merchants will be among the last to adopt EMV. “We expect a majority of our larger merchant clients to work toward meeting the liability shift, but many of the small-to-medium-size businesses will just be getting started,” Zerfas says. “We expect EMV, tokenization, and encryption to be hot topics in the industry for the next few years.”
What may finally boost EMV adoption among smaller merchants is having to face liability claims post Oct. 1. “There are a lot of folks doing nothing and they’re going to let the merchant learn the hard way,” says Daniels. “They will let them get charges, but they’ve never seen chargebacks before.”
Zimmerman, too, suspects some merchants may not get motivated to adopt EMV until they bear the brunt of chargebacks. That will get them interested, he says.