The Back Page
Future of Credit-Card Security
interview with Retail Management Solutions CEO Brad Jones
have been an ongoing feature of the news cycle, with a number of high-profile cases calling into question the security of customer payment data at even the biggest retail merchants. In this interview, Retail Management Solutions CEO Brad Jones talks Lockwood about what’s in store for community pharmacies preparing for the rollout of EMV chip-based security in credit cards.
Q. Brad, give us the background on EMV.
Jones: EMV actually stands for Europay Mastercard Visa, and it’s a technology that came about around 1992 or 1993, so it’s actually a pretty old technology. It was adopted in Europe to stop the duplication of credit cards. Then about seven or eight years ago it was adopted in Canada. To date the adoption rate in Canada is around 60%, so it’s been slow.
The technology embeds a chip in the card, and the purpose of this is to make sure that the card cannot be duplicated.
Q. So the chip is more secure than a magnetic strip?
Jones: Not exactly. What the EMV chip does is make it so that the physical credit card can’t be duplicated, and this is where there’s a big misconception about EMV and security. EMV would not have stopped any of the breaches that have occurred in the United States. Breaches of that kind will continue to occur, even with EMV, as long as merchants hold credit-card data on their own servers, whether that data is encrypted or not.
Q. You mentioned that this is a technology with a long history in Europe and Canada, and a fairly slow adoption rate. What does this tell us about the rollout in the United States?
Jones: It is going to take quite a long time for EMV to be fully adopted. Most consumers still haven’t even been issued cards with the chip.
Q. What can pharmacists concerned about credit-card payment data security be doing?
Jones: Well, while there’s no security advantage from EMV for the merchant, strictly speaking, this is still something that they need to prepare for, since the payment industry is requiring it.
But security for the merchant depends on how they are handling the credit-card data they are collecting. And for this there’s another technology out there that does prevent breaches, and that is a standard called point-to-point encryption.
Q. Tell us what point-to-point encryption does.
Jones: What that does is encrypt the payment data from the moment the merchant or customer swipes the card on the hardware at the store. Then that encrypted card data is transmitted to the processor, where it’s decrypted, the transaction is approved or declined, and then the processor sends a token back to the merchant’s system with the response. That token is of no value if it’s stolen. So there’s no credit-card data ever being stored on the merchant’s system, either encrypted or decrypted. All the merchant ever sees is this token.
Q. How widely used is point-to-point encryption? Clearly, these big retailers weren’t using it when they suffered their breaches.
Jones: These retailers who have been breached are not using point-to-point encryption, which would have prevented all of these breaches we’ve read about. The thing is that it’s a relatively new technology. And beyond that there are some theories about why the chains and big retailers don’t seem to be deploying point-to-point encryption. One credible theory is that they are using credit-card information to help track customer purchases, even for customers who are not part of their loyalty programs.
Q. Who benefits from EMV?
Jones: From the credit-card issuer’s standpoint EMV protects them because it means that their cards can’t be duplicated. That’s what they’re interested in.
Q. What is Retail Management Solutions’ strategy here?
Jones: We already have point-to-point encryption with one processor, we’re in the process of establishing it with another processor, and we use an external third-party service for processors with which we don’t have a direct interface now. And finally, our goal is that within the next 18 months we will not have any credit-card interfaces that don’t have point-to-point encryption. We’re also planning on making the transition to EMV in that time frame as well, since that’s what’s mandated by the credit-card industry, while point-to-point encryption is not. We’ll be offering both.
Q. So there are really two different areas that pharmacies need to focus on: making sure they are using point-to-point encryption and getting themselves prepared for EMV. Now, talking about EMV again, October 2015 is a milestone the industry has set. What’s happening then?
Jones: What happens in October 2015 is a transfer of liability. If at that time and going forward, you, the merchant, are processing 90% of your EMV cards presented as EMV transactions, then the liability will shift on those transactions from the merchant to the processor or the card issuer. But what most people don’t realize is that all that happens in October 2015 is that there is this shift. It’s not really a hard deadline in the sense that no new liability comes into play beyond what exists now, and merchants won’t be prevented from taking cards if they don’t meet the threshold. It’s just that the risk that’s there now will shift for merchants for EMV card transactions if the criteria are met.
You can see it more as an incentive for the merchants to start the adoption of EMV. Considering how long it took in Europe and Canada, it will be years before there’s widespread adoption here in the United States. That’s because it’s going to be extraordinarily expensive. There are over two billion credit cards in the United States, and each EMV card costs over $1 to manufacture. So it’s a couple billion dollars just for the issuers to put the new cards out. It’s going to take time for everyone to adopt.
Q. Are there other barriers, aside from cost, that slow the rollout?
Jones: Yes. For example, the processors were supposed to be completely ready for EMV almost 24 months ago, and many of them still haven’t provided the specs to point-of-sale vendors to code for EMV. And we still don’t know what hardware will be certified. With one of our biggest processors, we’re still waiting to see the specs and to hear what hardware they will certify.
Q. Are pharmacies going to have to buy new card readers in order to accept EMV cards?
Jones: It depends. We’ve been putting our signature capture devices out in the market with EMV readers for over two years now, knowing that this was coming. But what we don’t know is whether those devices that we’ve been deploying, and that are actually widely used across the retail market, will be certified for EMV. We’ve been told by one processor, one of the largest, both that these will be certified and that they won’t. We hear different things from different people within that same organization. We’ve been trying to make this as inexpensive as possible for pharmacies as merchants, but there’s so much uncertainty still.
Q. To recap, EMV is protecting against the counterfeiting, the duplication of physical credit cards, which protects the issuers. But reducing that risk does nothing, as you’ve mentioned, to reduce the merchant’s risk of a breach, right?
Jones: That’s right. And for the foreseeable future people will continue to come into merchants with cards that only have a magnetic strip — and keep in mind that EMV cards also have this strip in addition to the chip. Merchants will still be swiping the magnetic strip on cards for a while now. But backing up, the most important thing a merchant can do to protect himself is to make sure that credit-card transactions are being processed on point-to-point encryption as soon as possible. And they should get all the credit-card data out of their systems. If anyone does get into their systems then, you want to be sure that there’s nothing there to take.
Of course, pharmacies do still need to do EMV, since the credit-card industry says they have to. And there’s no doubt in my mind that there will eventually come a time when the industry says you can’t process transactions without EMV. But that is not happening in October 2015, and won’t happen for quite a long time.
Q. And to wrap up, what approach to all of this are you seeing in the broader retail environment, outside of independent pharmacy?
Jones: Well, one thing I’d note is that, as usual, these requirements are set up in a way that makes it easier for big retail to implement them. They have IT staff, they have the resources to expend on this, and they have direct relationships with the processors. I think you’ll see the chains adopt EMV more rapidly than independents, but I think that independents can gain a competitive advantage over the chains by adopting point-to-point encryption. They can market this to let people know that their data is completely secure at the independent, because they never hold it. No one can hack into their systems and steal it, because it’s not there. Now the chains may eventually adopt point-to-point encryption, but to date I’m not aware of any that have or that have plans to do so.