The Green Sheet Online Edition
June 08, 2015 • Issue 15:06:01
EMV liability shift catching SMBs unaware
The Beach Rose RV Park in Salisbury, Mass., is the working retirement business of Salisbury natives Ray and Donna Champagne. It is an idyllic pocket of 55 RV lots a half-mile from Salisbury Beach. It rarely has vacancies on weekends and remains near capacity during the week six months a year. The park attracts domestic and international travelers and enjoys many repeat visitors each summer, as well as October leaf-peepers and overflow from nearby RV parks. Business is very good.
The Champagnes have been proactive: Their merchant services provider, which specializes in RV parks, hotels and resorts, made certain they were aware of the upcoming Europay, MasterCard and Visa (EMV) liability shift and the latest Payment Card Industry (PCI) Data Security Standard (DSS) 3.0 compliance requirements. They upgraded their POS system to accommodate EMV chip-enabled credit cards, and they became PCI compliant.
Unfortunately, the Champagnes are in the minority. A February 2015 survey by Newtek Business Services revealed 71 percent of small and midsize businesses (SMBs) were unaware of the EMV liability shift occurring on Oct. 1, 2015. At that time, the liability for a credit card data breach can get pinned on the merchant, the bank or the credit card issuer, depending on which entity is not EMV compliant.
Breaking down the EMV liability shift
Below is what happens if a credit card data breach occurs after Oct. 1, 2015:
If a merchant is still using the swipe and signature method at the POS, and the consumer has an EMV chip-enabled credit card, the merchant is responsible for all losses in the event of fraud.
If the merchant has a POS system that accommodates chip-enabled credit cards, but the consumer's credit card has only the swipe option, the consumer's bank assumes liability for any losses should a data breach occur.
Finally, if a data breach still happens even though the merchant and consumer are both EMV-ready, the credit card issuer assumes the liability.
Suffering a credit card breach should be one of the major concerns for merchants. Those suffered by Target Corp. and The Home Depot Inc. were well publicized. What didn't make the news was the fact that 90 percent of the breaches over the last 18 months were suffered by SMBs.
SMBs face hard challenges in recent years
Just as a credit card data breach is among a list of worries for SMBs, becoming PCI compliant is another. So is "Mobilegeddon," the April 21, 2015, Google algorithm change that penalizes a website in search results if it doesn't meet Google's mobile-friendly criteria.
Two years ago, the Champagnes faced another challenge when they had to upgrade their software – which included more than a decade's worth of records – from Windows XP to Windows 7. Millions of SMBs were forced to do so since Microsoft was no longer offering support for Windows XP.
With all the hurdles SMBs have to face, how many will be ready for the EMV liability shift? Several EMV education and awareness efforts are underway. Visa Inc. is in the midst of a 20-city tour in which it is educating businesses and consumers. It also recently unveiled an online toolkit to assist merchants in managing the transition to chip-enabled credit cards.
The Electronic Transactions Association recently released a two-minute YouTube video detailing what the change means for merchants and consumers. Still, it is expected a significant number of merchants will not be ready by the liability shift deadline.
Patti Friedman is the owner of Creative Dance Arts in Clifton Park, N.Y., just north of the capital of Albany. She has taught dance since her early teens, and recently bought her own studio after renting space since the 1990s. She employs instructors, hosts parties and, of course, gives lessons just about each day of the week.
Friedman also sells apparel and runs a small cafe for parents who wait during lessons. Creative Dance Arts instructs more than 400 students – her business is thriving – but with her new studio come more expenses. She didn't think new POS hardware would be one of them, especially when she spent roughly $1,200 on a new terminal last August. She was aware new credit cards were being distributed to consumers, but she had no idea of the Oct. 1 deadline.
"Had I thought about it recently? No," she said. "Obviously we have to adjust before Oct. 1, but I don't even know what's out there."
One month ago, she and her husband, Jan, received new EMV credit cards from their issuer. Eyeing the gold chip, she asked her husband how they would be able to handle these types of cards. "It made me think, 'How are we going to process these?'" she said. "We're still swiping, but we're going to have to buy whatever upgrade there is."
'It's just not worth the risk'
There have been rumblings among the credit card companies of possibly delaying the EMV liability shift to 2016. Andrew Mahoney, the co-owner of Atomic Cafe Coffee Roasters, would love an extension, but he's not hopeful.
Atomic Cafe has three cafes in the coastal Massachusetts towns of Beverly, Marblehead and Newburyport, and a roast facility in Salem, just north of Boston. He has been a small business owner for 19 years. "We wear 20 different hats," he said. "Whenever things like this are sprung on people, the more time the better. But we have to figure it out and be compliant."
Mahoney doesn't feel the card brands are meeting SMBs halfway. "Our cafe in Newburyport is about 50 percent credit cards to cash, and it's going to continue to swing [toward credit cards]," he said. "I'm not happy about it because every swipe of a credit card costs us money. And that's the irony with the credit card companies – they're putting it on the merchant."
When told of the statistic that 90 percent of credit card breaches in the last 18 months were small businesses, he was visibly alarmed. "And that's not headline news," he noted.
Mahoney became aware of the EMV liability shift in late 2014 when notified by his credit card processor. He plans to upgrade each of his cafes with EMV-friendly POS terminals – his Newburyport cafe is just over a year old – but he could not give an exact date when.
"Anytime someone throws an $800 or $1,000 bill at you, you're not happy, but it's just not worth the risk of getting breached," Mahoney said. "You hope it never happens, but anything is a possibility."
Chris O’Donnell is a Senior Copywriter for the Instabill Corp. in Portsmouth, N.H. Instabill is a full service provider of merchant accounts to e-commerce, MO/TO and POS businesses. A resident of coastal New England, O’Donnell is also a contributor to The Daily News (Newburyport, Mass.) and Newburyport magazine.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.