EMV: C-Stores Have Long Way to GoWhy Security Technologies Have Proven Problematic to Implement
Convenience store operators say they aren't going to be fully EMV compliant anytime soon - and it's not their fault.
At the National Association of Convenience Stores convention this week in Las Vegas, many c-store operators said their adoption of EMV has been delayed by payments processors and point-of-sale hardware and software providers who can't provide the necessary equipment and services.
"Point-to-point encryption and tokenization have proven problematic to implement as well."
Even if they wanted to be EMV compliant tomorrow, they couldn't, the store operators complained.
The problem was noted last week by Doug Kantor, lead legal counsel for NACS, in an interview I conducted with him after a congressional hearing about the impact EMV is going to have on small U.S. businesses. The hearing was held to review the long-term impact of the EMV fraud liability shift, which took effect Oct. 1.
Because most c-store operators are independent and own fewer than 10 stores, they definitely fall into the "small business" category. And because of their size, the shift to EMV is going to be an onerous one.
Store Operators' Struggles
At the NACS show on Oct. 11, I got some first-hand perspective from c-store operators about the EMV challenges they face during a panel I participated in with Franklin Tallah, principal consultant and qualified PCI assessor at Verizon Business Solutions.
I was not surprised to hear that most c-stores are struggling to get their POS systems upgraded and their EMV configurations certified. I also wasn't surprised to hear that some of these merchants have no plans to invest in EMV at all. About 10 percent of the 100 or so c-store operators who attended our breakout session say they won't ever implement EMV.
What was surprising to learn, however, is that technologies beyond EMV also are posing challenges. Point-to-point encryption and tokenization have proven problematic to implement as well.
A handful of c-store operators told me that the processors with which they work are either not offering point-to-point encryption or are only offering proprietary encryption solutions that can be added for additional fees.
Tokenization is another worry, because the only tokenization standard that seems to be adopted in the market right now is the one developed by EMVCo, the global coalition that oversees EMV specifications. The most notable adoption of the EMVCo tokenization spec is Apple Pay (link), which has baked the spec into its mobile payment solution.
Merchants have long voiced concern about EMVCo's tokenization spec, which they say does not adequately meet their needs (see Tokenization: Why EMVCo Falls Short).
Conexxus, the technology arm of NACS, also has developed a spec for tokenization, but no software or payments providers have yet adopted it, I've been told.
The card brands and the PCI Security Standards Council have been pushing merchants to invest in P2P encryption and tokenization as they make their investments in EMV. Obviously, making all of these investments at once has proved problematic. And the worst part of all is that these smaller merchants really don't have many options, even if they did want to simultaneously launch EMV, P2P encryption and tokenization.
Because their transaction volumes are low, relative to big-box retailers, c-stores don't have a lot of leveraging power with processors and POS system and service providers. It's not easy for them to renegotiate or break contracts.
And even if they have EMV in place, going through the certification process with card brands has been a long, drawn-out process, too, they say. Smaller merchants, like c-stores, have to wait in line behind larger retailers for certification, they say.
Yet, in spite of all of these hurdles, which are out of their control, the fraud liability shift affects c-stores in the same way it affects larger merchants. It may not be a c-store's fault that it's falling short of being EMV compliant, but the fraud will fall back on the c-store regardless.
One point I tried to stress during my presentation is that banks are concerned about the c-store industry's plight. I encouraged c-store operators to talk with their acquiring banks to gain guidance and perhaps leverage to renegotiate some of the contracts they have with processors and even POS providers.
Merchants are bank customers. And while we tend to focus on how bankers and merchants are often at odds, we have to remember that they are partners on many levels, too.