Independent software vendors, value-added resellers, and point-of-sale software developers that take on the daunting task of certifying their unique products for EMV payment acceptance may face costs starting at $30,000.
That figure, which comes from Andrey Tikhonov, senior director of payment technology at Elk Grove Village, Ill.-based Infinite Peripherals Inc., reflects the fact that each configuration of a payment system must be certified for each of the four major U.S. card brands, and each processor and gateway. A new hardware device, such as a PIN pad or POS terminal, or software tweak requires an updated EMV certification.
One way around that costly endeavor, and a way to shorten the amount of time necessary to gain EMV certification, is to use semi-integrated POS systems. These systems use special software to offload the handling of sensitive payment data from the POS software to the PIN pad or POS terminal. Some use a separate component, independent of the POS software and payment device.
Saving time is just as important. A typical EMV certification process may take three to six months to complete, Tikhonov tells Digital Transactions News. But many semi-integrated POS products might take just a few days or weeks to integrate into the POS software.
In addition to giving developers a quicker way to offer chip card acceptance to their merchants and sparing them significant EMV certification costs, semi-integrated POS products also may reduce an entity’s Payment Card Industry data-security standard (PCI) compliance-reporting requirements. Removing the transmission of sensitive payment data from the POS software translates into an easier PCI-compliance process.
“Almost every new ISV is using the out-of-scope interface, and most of the existing ISVs are reengineering their systems to use out-of-scope,” says Terry Zeigler, president and chief executive of Datacap Systems Inc., a Chalfont, Pa.-based payments-software specialist.
Datacap uses middleware that can reside on the payment-acceptance device or on the computer running the POS software, Zeigler says. “We then run the app independently and can talk to different PIN pads,” he says. Datacap this week said processor Heartland Payment Systems Inc. certified its NETePay middleware for EMV acceptance.
There’s another potential benefit to semi-integrated POS products compared with PC-based POS software. “By eliminating the payment message out of that environment, you get rid of one of the primary attack vectors,” says Rob McMillon, vice president of product security at San Jose, Calif.-based VeriFone Systems Inc.
Semi-integrated POS products can help make the payment card system more secure, in part because they can remove PC-based POS software as an attack vector, McMillon says, and merchants often use data encryption and tokenization in conjunction with EMV acceptance. “Semi-integrated POS makes it so one component is out of the loop,” he says, “but it doesn’t mean the merchant has no exposure any more.”