Preparing Small Businesses for the EMV Deadline


With the EMV mandate fast approaching, a worrying number of small businesses are unprepared to make the change. MPD CEO Karen Webster recently spoke with Shan Ethridge, VP and GM, North America Financial Services Group, Verifone, to get an understanding of why EMV readiness has yet to take hold among smaller merchants, and what can be done to educate them about the process and its importance.


KW:  Our conversation is about something that’s gotten a lot of press in the last couple of weeks: the readiness of small businesses to take on the EMV migration that is upon us. Let me set it up with the following statistic, and hopefully you can shed some light:

We have taken a look, and industry statistics suggest that only 11 percent – that’s a pretty small number – of small businesses are prepared to meet the EMV deadline, which is pretty disappointing. Perhaps adding insult to injury is the fact that a third of them don’t really understand why they need to do it at all. Why do you think that is?

SE:  That’s a very interesting statistic. What I think it reflects is a significant gap in awareness and understanding…in the marketplace with the SMBs.

I think, as an industry, we really need to take a look at the effectiveness and the intensity of efforts to educate that market segment on the impact of the liability shift – and just as importantly, how consumer expectations will actually shift when they get used to using EMV cards at major retailers.


KW:  Do you think that small businesses think they’re too small to be a target?

SE:  I think that…small businesses don’t understand the impact of EMV on their business. And I think that they need to be prepared for that.

At Verifone, today, we don’t deal directly with the SMB merchants, but we do work very closely with our processing and acquiring partners to provide as much education and training support as they need to…close this awareness gap, if you will.

I think there’s a really big disparity between large retailers and small retailers in terms of EMV readiness. And I think that partly reflects the fact that large retailers today have dedicated personnel, and because of their sheer size, they’re able to draw support from their service providers. But how does Joe’s Pizza Shop really get prepared and understand the impact of EMV?

I think everybody in the payments chain really needs to focus…collectively on bridging that gap. I think the SMBs really need to understand the impact of the liability shift. If they don’t make the EMV requirements and card fraud takes place at their location, they could be left holding the bag – or the full cost of the fraud.

They can go back and take a look at the EMV requirements and the card fraud that takes place at their locations, and really get a good sense of the financial impact they’re exposing themselves to. And in some cases, it could bankrupt their business.


KW:  I agree; if you just step away and look at the numbers, it can be pretty daunting. And to my earlier point, do they really think that they’re visible enough to be a target of that kind of fraud? I suppose that’s one of the thoughts that runs through their mind.

Another is – perhaps this is industry-segment specific – the notion that, “I’ll just skip a step and really double down on mobile.” Let’s say I’m a restaurant operator, and I know that mobile is such an important enabler to the dining, booking, online ordering experience. As an operator of a restaurant or a food service business, that’s where I’m going to put my time and my money. Why is that wrong?

SE:  I’m not going to argue that mobile technology is not an emerging and relevant technology. But, as a company, at Verifone, we haven’t seen anything that supports that assertion. In fact, many merchants can actually leverage the technology in today’s payment terminals to enable EMV acceptance at a very affordable price.


KW:  Let’s talk about the very affordable price. You talked about the threat to the business of a fraud action that is taken at a merchant that isn’t in compliance or hasn’t upgraded to the EMV standard. What’s the ROI calculation that a small merchant should be doing in making this decision? How expensive is the whole process? Because it’s not just about putting it in the terminal; there’s a lot of other stuff that goes along with it, correct?

SE:  I think that fear and misunderstanding really overshadow the actual expenses involved to upgrade to accept EMV. I think payment technology has become much more affordable and is delivering more and more revenue-generating capabilities. We hope that merchants will view the EMV shift as an opportunity to really take advantage of terminals’ new features and functionalities.

For example, they can use this technology to interact with customers on their smartphones to deliver enhanced offers or promotions, to keep those consumers coming back and buying more. Also, it gives them access to sophisticated analytics that will help them identify opportunities and maximize profitability in their business.

So when consumers get used to using EMV at large retailers, they’re going to associate that experience with more robust security. And smaller merchants that don’t accept EMV today could be at a disadvantage if they become viewed as a less secure option for that consumer. At a minimum, that could erode consumer confidence and reduce customer loyalty – which could be just as devastating as bearing the cost of fraud for not being EMV capable.


KW:  You have a very interesting perch at Verifone. You are looking across lots of different use cases, lots of different merchant segments, lots of different sizes of merchants. And you of course have been part of the EMV story, not just here in the U.S., but everywhere, for a very long time. What’s the biggest threat to EMV today?

SE:  It’s not so much…a “threat,” but I think one of the things that anyone in the industry would tell you is that the biggest problem with EMV right now is the looming certification bottleneck. And the biggest part of that problem is the issue of certifying individual point-of-sale solutions.

Essentially, EMV drastically upsets that certification apple cart with processors today. Right now, each POS integration requires a separate certification. So, for example, if…a processor…has customers using point-of-sale software from 200 different solutions and an estate of eight payment terminals, that amounts to about 1,600 different certifications that that processor is going to have to complete. And those certifications could typically take four to six months.

Let’s do the math: if a POS solution provider is just now starting to address EMV, there’s likely no way they’re going to be ready for the liability shift deadline. And don’t even get me started on the re-certifications that are going to be required if any changes are made to the software solutions along the way.

So we think the best approach is to isolate the payment data to the terminal. That way, you don’t have to certify each and every point-of-sale solution. If an acquirer or processor only has to certify the eight terminals in their estate versus eight terminals and 200 solutions, then that becomes a manageable situation.

Now you can approve those POS solutions with a simple test process rather than the complete and separate certification. If you’re using our Secure Commerce Architecture, for example, and our payment terminals, it can drastically reduce the certification process to only a matter of weeks instead of months.


KW:  Let’s elaborate on that a little bit, because that sounds different – a different approach for merchants to contemplate. What are the pros and cons? Obviously, one pro is you get the certification lickety-split. Let’s set that aside. What are some of the other changes, pro and con, that what you just described – isolating payment data to the terminal – means for a merchant?

SE:  Clearly, removing the data from the merchant’s ECR is a critical step in protecting the card data. But I’d like to add an additional consideration that I think is critical when it comes to protecting card data:

I think many people mistakenly think that EMV will solve the growing problem of data breaches, when in fact that couldn’t be further from the truth. It’s important to note that EMV is not a security catch-all. It solves the issue of using counterfeit cards in an EMV environment – I admit that – but it wouldn’t have prevented any of the major retail breaches that we’ve seen over the past couple of years.

Even with broad EMV adoption, it’s going to be years before we see mag stripes disappear. That said, it’s important to focus on protecting card data, not just the card. And the best way to do that is with a multilayered approach to security that couples EMV acceptance with end-to-end encryption and tokenization and Secure Commerce Architecture.


KW:  It sounds to me like – and this is perhaps one of the things that is getting in the way of faster progress – there are a lot of considerations that a merchant needs to internalize about how the certification process happens and what is the required change to their internal processes to make that decision. It sounds like it isn’t just as cut and dry as, “OK, I just have to upgrade my terminals.”

SE:  No, absolutely not. Verifone has been a strong advocate for a number of years, now, of…the merchant taking a multilayered approach to payments security. It definitely includes EMV – that’s a critical component to it. But it should also be coupled with end-to-end encryption and tokenization, as well as our Secure Commerce Architecture.

With end-to-end encryption and tokenization, the payment data is…encrypted from the moment it’s collected at the point of swipe, and remains encrypted – or tokenized – as it travels…from the merchant to the processor. Even if cybercriminals manage to get their hands on the data, it’s useless because the data is encrypted.

Another layer that’s important to effective payment system protection is our Secure Commerce Architecture. That actually connects the terminal directly to the processor and bypasses the process of that card data being stored in the ECR. So it prevents the payment data from actually entering the integrated point-of-sale, a PC-based cash register, which is the most common channel used by cybercriminals today to insert the malware that steals…payment data.


KW:  So it’s like a little safe tunnel between the merchant and the processor that the cardholder data travels. Is that right?

SE:  You got it.



Shan Ethridge
Vice President and General Manager, North America Financial Services Group, Verifone

Shan Ethridge is responsible for Verifone’s North American distribution and reseller channels. Additionally, he manages processor/acquirer and bank relationships across North America.

Mr. Ethridge joined Verifone in March 2012 from TASQ Technology, where he managed First Data’s services and deployment business. Previously, he served as Vice President Special Projects for the President of First Data USA. Prior to that he was the Vice President of Sales Reseller Channel at Pay by Touch, and served as Senior Vice President Client Services for Concord EFS where he was responsible for deployment, client relations, customer service and retention and technical/POS terminal support.

He received an AAS in Electronic Systems Technology from Community College of the Air Force and studied organizational management at Crichton College.