Philip Cao


Engaging with Clients on EMV Migration


Cyber security is universally important to businesses, whether they are large, global enterprises or small business retailers. Its importance is underscored by the looming October 2015 Europay, MasterCard, Visa (EMV) liability shift that can transfer transaction fraud responsibility in the US from financial institutions to businesses. With the shift now less than five months away, it is essential for individuals who advise businesses—including security, governance, and audit professionals—to broadly help companies understand the rewards of EMV adoption and risks of non-adoption so business owners can be adequately prepared to meet the new status quo for transaction security.

To help business owners understand how best to prepare for the October liability shift, there are a few priority items that business consultants in the security, governance, and audit spaces should fast track in conversations with clients, including:

  1. Know your customers. Knowing your customer is an integral component in the world of financial transactions, especially at the world’s most systemically important institutions; however, it is also very important to retailers that transact on a business-to-business and customer level. Pulling together an intelligent view of a customer base through continuous internal audit allows business owners to efficiently assess where security weaknesses lie. For example, if a merchant frequently works with third parties that have poor security protocols, it would benefit that merchant to implement the right EMV tools to ensure that customers’ personally identifiable information and transaction data are effectively secured from every angle. Knowing your customer is especially important for e-commerce merchants, as a move to EMV shifts fraud toward them.
  2. Understand the risks involved. It is also critically important for business owners to understand the cost-benefit analysis of EMV adoption as it relates to their businesses. If a business owner decides to forgo adoption due to concerns over cost, it is important that he or she understands how inaction or delays will impact him or her. Businesses that delay EMV do not qualify for the liability shift associated with counterfeit cards—this means that they are liable for fraud from counterfeit cards. A host of other issues—including potential revenue losses that far outweigh EMV adoption costs, reputational damage and a decrease in customer loyalty—are big factors for merchants to consider as well.
  3. EMV does not solve all security issues. EMV is an anti-counterfeiting fraud countermeasure, not an encryption, tokenization or security standard. To ensure your business is adequately protected, you must layer security technologies like encryption and tokenization on top of your EMV deployment.
  4. Gauge your EMV need and prepare for PCI compliance audits. If a business owner determines EMV adoption is right for his or her business—and it is important to emphasize that EMV adoption is not federally mandated by law—then an IT and technology audit of the business is immensely useful in helping the owner determine how best to activate adoption. By nature of the different technologies available in today’s market, each business owner will discover that they have unique EMV needs, so determining which payment terminal is compatible with EMV or which technology is needed to properly secure customer data is essential (and cost-effective!). Furthermore, it is important for small businesses that are not EMV-compatible to prepare for a heightened incidence of PCI compliance audits as transaction liability shifts to them. Companies that are EMV ready will be more secure and less prone to security breaches—and therefore less likely to experience the audits that usually follow cyber thefts.

As noted previously, there are many nuanced and detailed factors that businesses need to take into consideration when deciding if or how to adopt an EMV-ready stance. These waters are difficult for companies to navigate themselves, so it is immeasurably useful for them to have a partner or business consultant to help guide them through the process. As you engage clients in these important conversations—whether before, during or after the liability shift in October of this year—just remember that each client’s needs are unique and their paths to EMV readiness will be equally unique.

Branden Williams
CTO of Cyber Security Solutions at First Data

EMV™ is a trademark owned by EMVCo LLC.

[ISACA]
