Tired of PCI and EMV hassles? Consider solutions that shrink PCI scope and simplify EMV certification, says Andrey Tikhonov.
One year after the EMV liability shift in the U.S., many merchants are still debating whether to update their payment systems as they learn about EMV’s value and the consequences of non-compliance.
Some retailers, particularly small businesses, have been reluctant to commit the significant resources necessary to overhaul their point-of-sale systems. Others that have adopted EMV have been unable to activate solutions due to months-long certification delays.
Still, while some retailers have been slow to embrace this change, the process is indeed under way.
To adopt EMV, merchants must first determine if they will develop their own solution or purchase one from an independent software vendor (ISV), value-added reseller (VAR), or POS software developer. They also must select either a fully integrated or semi-integrated solution.
Due to the sizable investment of time and resources in deploying an EMV system, semi-integrated solutions are increasingly popular. They offer practical benefits to merchants and minimize some of the headaches that accompany the change.
Indeed, I contend that semi-integrated solutions will define the future of payments, given their advantages. These include the ability to streamline the EMV process, expedite in-store deployment, reduce Payment Card Industry data-security standard (PCI) compliance requirements, and offer relative ease of ownership.
A Critical Difference
It’s important to understand the difference between a fully integrated and a semi-integrated payment system. Typically, a fully integrated solution combines the payment application with the POS solution. The software handles every part of the transaction, including barcode reading, tendering and processing payments, and managing inventory.
So fully integrated systems incorporate payment processing with other business applications, such as accounting and customer relationship management (CRM). All payment data is included in the system, helping merchants save time and money, improve cash flow, and gain immediate visibility into finances.
The critical difference between fully integrated and semi-integrated solutions is how payment data is handled. With fully integrated solutions, for example, the PIN pad or signature pad connects to the POS terminal, which directly communicates with the merchant’s network and the acquirer or gateway.
This creates two issues: greater security risk for the retailer, which stores sensitive payment information; and a need for ongoing EMV recertification for any modification to the POS application, whether a software update or hardware change, resulting in additional costs and delays in activation.
By contrast, with semi-integrated solutions, cardholder data bypasses the POS terminal and merchant’s back office and is directly transmitted from the card reader to the gateway or processor, often with encryption and tokenization for additional security. Payment information is handled by separate software that is not directly connected to the POS application, an important difference that creates many advantages.
Although semi-integrated solutions have existed for decades, they were originally developed to enable card acceptance for legacy equipment that was not capable of communicating with gateways or payment processors. Now, the shift to EMV has highlighted important advantages:
– Expedited EMV certification. Semi-integrated solutions are pre-certified, with a range of supported hardware terminal options. The software has all required payment features and functions fully implemented, tested, and certified for connectivity to a gateway or payment processor. It also has been certified for EMV end-to-end functionality with a range of credit card brands. Because semi-integrated solutions eliminate PC-based POS systems, the number of certifications required is reduced. Semi-integrated solutions already incorporate EMV certification, so merchants save valuable time, money, and hassles.
– Simple implementation. A semi-integrated solution is plug-and-play, whereby an ISV customizes the system to a retailer’s specifications. Because of this, implementing a semi-integrated solution is relatively quick, varying from two weeks to two months, depending on the complexity of the enterprise application and feature set. Semi-integrated systems can be used for mobile point-of-sale (mPOS) as well. Once certified to facilitate contactless payments and integrated with an NFC-capable terminal/reader, mobile systems can handle contactless payments using supported payment-processing platforms.
– Greater security and reduced PCI scope. Semi-integrated solutions can be assessed by an accredited qualified security assessor (QSA) to guarantee that cardholder data is handled strictly within a secure PCI PIN transaction security environment, or within a secure, pre-certified PCI payment application data-security standard (PA-DSS) setting so that data cannot be exposed outside those boundaries. This puts the entire solution out of scope for PCI compliance, eliminating the merchant’s costly, twice-annual obligation to certify the system.
Some semi-integrated solutions, however, enable the POS system to hold limited cardholder data, like the card number, for loyalty programs. These are not out of scope for PCI, but greatly reduce scope, which still is an important benefit.
– Ease of ownership. Merchants using semi-integrated solutions can easily access simple software updates that do not affect the payment functionality and do not require recertification or entirely reconfigured systems. Examples include bug fixes or feature adds such as signature capture or digital receipt implementation. Hardware changes or changes involving transaction flow, such as adding Visa’s Quick Chip or MasterCard’s M/Chip Fast to speed up EMV transactions, mandate recertification, but the ISV or software developer manages that process.
– Speed to market. Semi-integrated solutions decrease time to market because they were pre-certified for transaction processing—specifically, for EMV and PCI PA-DSS compliance. Retailers ultimately save time and can capitalize on a more robust and competitive marketplace for these offerings.
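The scope boundary described above (cardholder data bypassing the POS, and the loyalty-program case where the POS still holds the card number) can be checked from the POS side. The following is an added example, not code from the article or any vendor: it scans the messages a POS application receives for full card numbers, and its field names, sample messages and test card number are constructed for illustration.

```python
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def fields_with_pan(message: dict) -> list:
    """Names of fields in a POS-side message that hold a full card number."""
    hits = []
    for name, value in message.items():
        for m in PAN_RE.finditer(str(value)):
            if luhn_ok(re.sub(r"[ -]", "", m.group())):
                hits.append(name)
                break
    return hits

# Constructed messages as seen by the POS application (hypothetical field names).
# Semi-integrated: the terminal returns only a result, a masked number and a token.
SEMI_INTEGRATED = {"invoice": "A-1001", "amount": "24.99", "status": "APPROVED",
                   "auth_code": "08123Z", "card": "************1111",
                   "token": "tok_9f3b2c71e0"}
# Fully integrated: raw card data passes through the POS on its way to the gateway.
FULLY_INTEGRATED = {"invoice": "A-1002", "amount": "24.99",
                    "track2": "4111111111111111=25121010000000000000"}
# Semi-integrated variant that hands the card number to the POS for loyalty lookup.
LOYALTY_VARIANT = dict(SEMI_INTEGRATED, loyalty_key="4111 1111 1111 1111")

if __name__ == "__main__":
    for label, msg in [("semi-integrated", SEMI_INTEGRATED),
                       ("fully integrated", FULLY_INTEGRATED),
                       ("loyalty variant", LOYALTY_VARIANT)]:
        found = fields_with_pan(msg)
        print(f"{label}: {'card number in ' + ', '.join(found) if found else 'no card number seen by POS'}")
```

Running the same scan over POS logs and database exports is a practical way to confirm that a deployment delivers the scope reduction it was bought for.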
The Preferred Option
Semi-integrated solutions can be expensive because of volume-based license and maintenance fees. But the added costs are typically offset by the many benefits and the valuable upfront returns. Retailers that switch to a semi-integrated payment system from an existing fully integrated solution save development time and avoid both recertification costs and an ongoing PCI-DSS compliance process with additional fees.
Small wonder that, for small and medium-size retailers that have not yet adopted EMV, semi-integrated solutions are quickly becoming the preferred option.
— Andrey Tikhonov is senior director for payment technology at Infinite Peripherals Inc., Elk Grove Village, Ill.