REPORT FROM THE U.S.—Credit card security is a topic top of mind for any business that processes consumer payment data, and this October the stakes for U.S. businesses—including hotels—to comply with the latest wave of payment security will get higher.
It’s all part of a continuing wave for the United States to widely adopt EMV chip credit cards, which reduce counterfeiting and card fraud, but which require hardware and software upgrades on the part of the party processing the payment.
Beginning in October, new compliance language will shift the burden of liability for some types of fraudulent credit card transactions away from banks and ultimately on to merchants. Hoteliers who know these new liability burdens and are actively implementing technology upgrades to read these new cards will come out ahead, legal and technology sources said.
Knowing the reasons behind the change and the implications of noncompliance will help hoteliers make a seamless transition, sources said.
Why the card change?
EMV stands for Europay, Mastercard, Visa. It is becoming the new standard in secure credit card payments as it is widely accepted in Europe but still lacking widespread adoption in the Americas.
Current standard-issue American credit cards store personal information in a magnetic stripe on the back of the card. EMV cards, however, store information on a secure computer chip, which generates a one-time-use security code for every transaction, making counterfeiting virtually impossible, according to the EMV Migration Forum, a consortium of industry players that support EMV chip implementation across the United States.
Chip cards also require a pin number, further securing each transaction. When a transaction with an EMV card is made, the card is dipped into a reader that queries the chip as opposed to the card swipe U.S. cardholders are used to now.
Major U.S. credit card issuers, such as Visa, Mastercard and American Express, have been rolling out programs for several years that include support programs for merchants to be able to accept the new card payments, and most if not all have plans in place to replace cardholders’ credit cards with new cards.
“Generally, the EMV standard for credit cards in the United States is seriously overdue,” said P. William Smith, principal with Analytical & Information Services. “The standard was adopted a decade ago in Europe and the rest of the world has generally followed to a good degree. Avoiding the cost of updating legacy systems and processes, the USA has delayed the upgrade repeatedly.”
According to speakers at this year’s HITEC technology conference in Austin, Texas, the benefits of the chip card are many. In a session on the changeover, Smith shared the following benefits of the EMV cards:
- They are difficult to counterfeit;
- they protect against point-of-sale breaches (similar to the 2013 RAM scraping breach aimed at Target);
- chip cards that also require PIN assistance protect users when cards are stolen; and
- the chip technology uses an encrypted two-factor authentication for each transaction.
What’s key to remember, Smith told HNN, is that the benefits of chip cards are largely at the point of sale. “The change only affects ‘card-present’ transaction, meaning the points of sale where a card is physically presented,” he said, adding that online transactions are not affected by new EMV standards and will carry on as normal.
What happens in October?
The next big milestone in the years-long effort by credit card companies to roll out EMV card compliance happens this October, when liability shift language goes into effect. Beginning in October, the liability for fraudulent transactions will shift from the bank to the merchant, if the merchant has not significantly deployed EMV terminals and processes. (See “What happens in October?” for a summary of liability shifts for different credit card companies.)
The upshot: Hoteliers who have made the effort to upgrade their technology to accept EMV card payments will be in better position to deflect liability associated with card fraud.
“Know your current position; know what your responsibilities are versus the banks in this situation,” said Alisa Chestler, shareholder in the Washington, D.C., office of Baker Donelson and chair of the firm’s privacy and information security team. “As the technology shifts, the thought process regarding a potential liability shift is there, but in many ways it is dependent upon what security postures are and will be.”
Smith reinforced this, reiterating that the October compliance date “is not a hard deadline or mandate to be EMV-compliant—it is a line drawn in the sand whereby the merchant assumes responsibility for fraudulent charges.”
“For some merchants, this (liability shift) might not be a big deal nor warrant the cost of an upgrade; for others, it might be considered an unacceptable risk,” he said. “Short term, this is about risk management. Long term, adopting the standard may be required to continue to accept credit cards.”
Ready for compliance?
Maryam Cope, VP of government affairs for the American Hotel & Lodging Association, said the process hoteliers are undergoing to become compliant is underway.
“Making the change to EMV is not an overly complex effort, but it does require funding and time, both of which are always at a premium and need to be prioritized with other initiatives and needs,” she said. “The change also requires the coordination and cooperation of the merchant banks, software and hardware suppliers, middleware vendors and installation providers. Managing all of these groups will be very challenging given the short time frame.”
While the burden of upgrading point-of-sale terminals will lie with individual hotels, many brands are establishing guidelines.
At Red Roof Inn, that means establishing a new brand standard, according to Chief Information Officer Jeff Linden.
“We are in the process of rolling out all new EMV-capable credit card readers as our brand standard,” he said. Rollout is anticipated to be complete by September in time for the October compliance date.
Bernie Moyle, CFO and COO for Vantage Hospitality Group, said the company is “asking its members to support the migration to EMV as soon as they can.”
Cope said that “while not every hotel will be in a position to change the system over by October, many more will have been able to accomplish that than we see today,” she said.
That alone is a good step, sources agreed, though Smith said he’s skeptical the industry at large is fully prepared.
“The hotel industry has known the standard is coming for some time, and in fact the global brands already embrace this technology standard in operations outside the USA,” he said. “Larger hotel brands that have prior exposure to EMV will be better prepared.”