By Kevin Woodward
The complexity and multiple configurations of POS systems have some merchants and vendors mired in delays.
As the U.S. payment card industry hurtles toward its EMV destiny on Oct. 1, the process for certifying EMV-compliant point-of-sale terminals is moving along well, albeit with one exception.
That exception is point-of-sale systems. POS systems, which are available in myriad configurations with software from one company, hardware from another and payment processing from a third, face the challenge of uniting these disparate components into one service that meets the technical standards for EMV transactions.
It’s not an insignificant issue. The countertop POS terminals most often used by smaller merchants have a single operating system and payment application, and so are relatively easy to certify. But POS systems must be certified for each unique configuration.
“As always, the big players are ready,” says Xavier Giandominici, director of FIME America, the U.S. arm of France-based chip-services company FIME. “The smaller merchants will solve quickly their issues with acquirers and processors.”
That leaves mid-size merchants, which comprise a significant share of the card-accepting base. “This is mostly where there is effectively a long tail,” Giandominici tells Digital Transactions.
‘The Biggest Challenge’
Given the influx of certification requests prior to the Oct. 1 liability shift, few are surprised that EMV certifications are taking longer than traditional POS terminals.
Prior to EMV, a terminal certification might have taken three to four weeks, Don Hartley, vice president of solutions technology at Anywhere Commerce, a Montreal-based mobile POS provider.
“With EMV certification, we’re looking at a minimum of three to four months, most are six months,” Hartley says. “That’s for full solutions,” a reference to cash wraps and other systems with multiple components.
The EMV migration for mid-size merchants will extend beyond the card networks’ Oct. 1 liability-shift date. Not quite half—47%—of all U.S. merchants are expected to have EMV-enabled POS terminals by year’s end, says a survey from the Payments Security Task Force, an industry group.
Indeed, mid-size merchants, reliant as they are on POS systems, share the EMV certification challenge with their payment providers, including independent software vendors (ISVs) and value-added resellers (VARs).
“The biggest challenge to the middle market is that ISVs, integrators, or VARs, work for the merchant,” says Allen Friedman, director of payment solutions, North America, for POS-terminal maker Ingenico Group. “They typically don’t get a lot of bulletins directly from the card brands,” limiting their knowledge of payment card changes. “They are somewhat reliant on the merchant to get information from the merchant’s acquirer and to pass it to them.”
It’s not just mid-tier retailers that are enmeshed in the EMV-certification queue. Large retailers, with far more complex POS systems, also have to contend with the process.
“I see it as the acquirers, who are on the front line of certifying a merchant’s solution, who are still the bottleneck,” says Stuart Taylor, vice president of payment solutions at Equinox Payments, a Scottsdale, Ariz.-based POS terminal maker. “It’s still a case of the larger players that have very complex systems, and EMV wasn’t built with the merchant’s requirements in mind.”
For example, a drug store may want one one set of risk rules for a $100 basket in the pharmacy and another for a $100 basket filled with liquor and cigarettes, Taylor says. In the pharmacy example, the store knows who the customer is, but may know nothing about the consumer purchasing the other basket. “That means a lot of acquirers are heavily caught in still trying to certify some of these big players,” he says.
‘A Little More Support’
With thousands of POS-systems developers and as many as 2,500 value-added resellers distributing these programs, the certification task is daunting and complex. The complication for mid-size merchants that use POS systems is that each configuration must be EMV-certified for each processor.
Yet, the certification step is vital to secure and reliable EMV payment transactions, says Randy Vanderhoof, executive director of the Smart Card Alliance, an industry trade group based in Princeton Junction, N.J.
Without testing merchant POS systems, the configurations, if left up to individual information-technology departments at merchants, would result in no guarantees the POS systems could properly handle all of the data elements necessary for an EMV transaction, Vanderhoof says.
“The brands [payment card networks] have been forced [to do this] because there is so much customization in the middleware that they have to put these systems through a thorough end-to-end test, using all different types of payment transactions,” he says.
That’s where the U.S. EMV VAR Qualification Program steps in. Launched in April by the Payments Security Task Force and the PCI Security Standards Council, the program aims to help VARs and independent software vendors complete a pre-qualification regime to expedite the EMV-certification process for the systems they sell.
Merchant acquirers can validate that a VAR or ISV has completed the program, says Stephanie Ericksen, vice president of risk products at Visa Inc. That is done after the VAR or ISV has submitted the system for review by a participating service provider.
The payments industry “recognized that the mid-tier would need a little more support,” says Ericksen.
Successful participation in the qualification program may shorten the duration of the formal testing with acquirers because there may be fewer reported issues, debugging steps, and versions to submit for testing, according to the program’s list of frequently asked questions. The program is not a replacement for the certification provided by the acquirer that is mandated for each specific POS setup or payment configuration, the program notes.
As a POS systems integrator, DataCap Systems Inc. faces a unique challenge with the EMV migration. As one of the first companies to integrate a POS terminal to a cash register, DataCap has a vested interest in POS systems.
“We spent a fortune developing and supporting the payments piece of the integrated cash register,” notes Terry Zeigler, DataCap president and chief executive. Eventually, that integration was turned into a piece of hardware that others could use in their systems, he says. “Today we probably have between 500 to 600 integrations to PC-based software developers and about 100 integrations to other developers,” Zeigler says.
Dealing With Complications
The problem for POS-systems developers is that each EMV kernel—defined by Visa as the set of functions that provides the processing logic and data required to perform an EMV contact or contactless transaction—has to pass EMV certification, Zeigler says.
“We now have to develop our EMV client side to talk to the PIN pad,” he says. “Once that’s done, you have to take that to each processor and get it certified on their host platform and then with each card brand, and it has to be certified by specific functionalities,” like the different cardholder verification methods.
If that sounds gnarly, it is. “The certification process is long, deep, and ugly,” says Zeigler.
DataCap in August had its product in the certification process at all but two of the processors it connects to, he says. Even with processors, he’s already contending with complications. One processor, for example, has a mandatory 10-day wait period after each change, Zeigler says.
Zeigler’s fear is that the concern over EMV might spur some merchants to abandon their integrated systems. “The challenge we have is a lot of small merchants will throw their hands up and go back [to countertop terminals alone],” he says.
‘A Staged Process’
Ideally, that won’t happen. DataCap, along with others like acquirer Heartland Payment Systems Inc. and POS-terminal makers VeriFone Systems Inc. and Ingenico Group, entice merchants with services like tokenization and encryption that can lessen the impact of meeting PCI data-security standard compliance. That, in conjunction with EMV acceptance, may make merchants less likely to switch providers.
For example, DataCap has a service that removes the sensitive payment data from the software developer’s domain, essentially making the POS system “card unaware,” Zeigler says.
“How do we get our integrators ahead of the game so they can quickly adopt the EMV format? We came up with an out-of-scope interface,” Zeigler says, referencing technology that reduces or eliminates the parts of the system subject to PCI. “By going out-of-scope, they’re not touching [the PCI] rules,” he adds. Some have dubbed this a semi-integrated approach because it moves the payment communication from the POS software.
Another benefit is a simplified EMV-certification process. That falls to the provider, says Shan Ethridge, vice president and general manager of the North American Financial Services Group at San Jose, Calif.-based VeriFone.
VeriFone offers what it calls Secure Commerce Architecture, which places the payment data in its domain, rather than in the POS system. “By leveraging a smart integrated solution, it takes a lot of those costs and burdens out of the certification,” Ethridge says. “Rather than a processor having to certify hundreds of unique configurations, they only have to manage the process.”
As Giandominici sees it, mid-tier merchants, and the companies serving them with POS systems, can benefit from the program. “It helps them understand what it means [to become EMV-compliant],” he says. “It’s a practical education on how to implement EMV.”
Overall, however, the EMV-certification process is moving along. “Some merchants and vendors are right on target, and have no delays, while others have run into some challenges, as can be expected when you try to roll out a program of this size,” says Maarten Bron, innovations director at UL LLC, a Northbrook, Ill.-based testing company, by email. “EMV POS certification is a staged process where equipment manufacturers and equipment users (the merchants) each have certain sequences to adhere to.”
Generally, that means manufacturers have to ensure the hardware and software on the payment device meet the EMV standards. This is called Level 1 and Level 2 certifications.
“Once the equipment gets installed at a merchant, the merchant has to obtain additional approvals, related to the card networks that he or she wishes to participate in,” Bron says. In some instances, the networks may grant self-certification privileges to processors, he says. “This ensures that on a nationwide level there are no significant bottlenecks that would prevent a merchant to be ready Oct. 1.”
Of course, as Oct. 1 nears, more POS terminals may become available, having completed the certification process. But, as of mid-summer, at least one independent sales organization was still waiting on more devices.
“What we have found is that there are very few terminals which are EMV-compliant with our processor,” says Ken Musante, president of Eureka, Calif.-based Eureka Payments LLC. Consequently, Eureka Payments had just one EMV-compliant terminal model this summer.
Eureka’s issue is familiar to those trying to certify POS systems. “The issue we are having is that it has been extremely difficult ensuring that there are compliant applications for all merchant types, even though we are only seeking this for a single terminal,” Musante says. “We have downloaded and tested retail with and without PIN and restaurant. We have not been able to download and test cash advance and lodging.”
All this work, even for a single terminal, is intense, Musante says. “The cost of the upgrade is expensive,” he says. “Moreover, the process is very labor-intensive [with] programming, installing, and training.”