Security Enhancement

Starting Oct. 1, small businesses that accept credit cards, -but don’t have EMV chip card readers – will be held liable for credit card data breaches like the well publicized cyber attack on retail giant Target during the 2013 holiday season.

The Fulton Montgomery Regional Chamber of Commerce held an EMV chip card seminar for its members Thursday at the chamber’s Gloversville, office, to explain the complex implications of the switch to the chip cards for small businesses. Chamber President Mark Kilmer said he’s fearful many small businesses are unaware of the risks involved with the change.

“We have about 1,000 members, many of them small businesses, and I think many of them are going to be blindsided. I think most of the big retailers are preparing for this, but the smaller ones don’t have the benefit of having tech people to advise them,” Kilmer said. “You’ve got to be prepared for this to conduct business. We’ve put the word out to our members that they need to be aware of this, and we did that partially because we haven’t been hearing a lot of comments about it.”

The EMV chip cards, EMV standing for Europay, MasterCard, and Visa, are meant to tighten up credit card security and reduce identity theft. EMV chip cards are harder to counterfeit than the typical magnetic strip credit card and promise to provide more security at the point of sale – but only if the card is processed through a chip card reader. Most of the EMV chip cards now being released in the U.S. will still have magnetic strips that can be read using regular credit card readers. Credit card companies, however, after Oct. 1 will begin to hold businesses that don’t use chip card readers liable for the damages to customers who suffer identity theft as a result of data breaches.

Tough choices

Smaller business are then stuck with a choice: upgrade equipment or take their chances with the increased liability of running the chip cards through their old magnetic strip readers.

“The liability is shifting to the merchant from the card issuer,” said Barbara Baker, a business consultant for merchant services company First Data. “In a face-to-face transaction, if the card is a chip card, and they don’t process it as a chip card – they process it as a swipe card – the liability goes to the merchant. The merchant owes the consumer because the merchant is not in compliance with what the credit card companies are requiring with these chip cards.”

Baker conducted the chip card seminar for the chamber. Her company is one of the firms that processes credit card transactions. She explained that many retailers either purchase credit card equipment or they lease it from companies like First Data. She said her company has tried to warn its customers about the need to upgrade equipment in order to comply with the security regulations mandated by credit card issuers. She told the chamber members in attendance at the seminar that the average data breach can cost a small business $114,000, and that’s not counting the “fine” that credit card issuers will levy against the business for processing the chip credit cards improperly, which could be as high as $10,000.

  • Chris Curro, the manager of Mohawk Harvest Cooperative Market in Gloversville, said Mohawk Harvest’s credit card reader, which it leases from a merchant services company on a month-to-month basis, is already equipped to read chip cards.

“We haven’t seen a cost increase from this yet,” Curro said.

Curro said he’s concerned about the shifting liability with the new chip cards. He said he wishes the new chip cards also included personal identification numbers like debit cards. He cited a U.S. Federal Reserve report that showed PIN protected chip cards are 700 percent more secure than chip cards that only have the owner’s signature on them for identification.

Changing tip rules

Michael Intrabartola, owner of the Inn at the Bridge in Northville, said things may change for his restaurant business as a result of the new chip cards.

Credit card companies are requiring credit card owners to physically hold the chip cards as they process the transaction, which will put an end to the old practice of cards being given to wait staff at restaurants, processed centrally, and then returned with a paper receipt that includes a line for tipping the waiter or waitress.

Baker said alterations to a transaction will no longer be allowed using the paper receipts, meaning tips will need to be included up front.

“I’d say 90 percent of business is through credit cards. We’re going to be getting new card readers for this,” Intrabartola said. “I’m going to see how we’re going to handle the cash-out at the tables, seeing as how it’s going to have to be done individually at the tables instead of at the main terminal at the front desk. The problem is going to be that each waiter and waitress is going to need to have the capability of doing the transaction at the table. I’m going to have to buy a bunch of iPads.”