– The deadline for converting gas stations to EMV is fast approaching, and this time there won’t be an extension. What to do?
EMV payments are coming to a pump near you, and gas stations need to get ready to accept them or face financial consequences.
A majority of the world has been using EMV chip cards and EMV-capable readers for years, mainly due to higher fraud rates with magnetic-stripe cards than what was experienced here in the United States. But now, as fraud has grown in the U.S., the card brands are mandating that card-present businesses support EMV cards to help reduce losses.
The push to support EMV stemmed from a change in the rules where merchants and acquirers are liable for all applicable counterfeit fraud associated with EMV chip transactions if their inside POS terminals do not support EMV technology. This became effective for retail EMV chip transactions in October 2015. Consequently, most retailers now support EMV at their in-station points of sale.
However, the mandate was pushed back for pay-at-the-pump at gas stations due to the extra complexity to support it. The due date was initially October 2017, but was postponed to October 2020. Recently, the Merchant Advisory Group (MAG), an association that advocates for merchants on payments issues, requested another delay due to the lack of industry readiness. But the card networks denied the request.
MAG says it is now “encouraging industry stakeholders to prepare for October 2020 by having sufficient capacity of certified technicians, adequate software availability, and streamlined certification processes to ensure that fuel merchants are able to transition to EMV and avoid negative financial implications.”
This means that if there is not support for EMV at the pump by October 2020, merchants and acquirers will take on the liability for fraudulent transactions.
Fuel margins are low, so the financial implications could be huge. It could take only a few chargebacks on gas for large SUVs to wipe out profits for the day. Further, when general retail converted to EMV, fraudsters targeted non-compliant merchants. This means even if you don’t have a lot of chargebacks—but remain noncompliant with the new mandate—the costs could potentially go up.
In fact, using current statistics, the costs at the pump are:
– More than $50 million in chargebacks recorded over the last several quarters. These become the responsibility of the merchant for all noncompliant solutions in 2020. This doesn’t include any associated fines or fees;
– Brand reputation ruined due to fraud at your pumps. This equates to lost sales as customers will avoid using your station for fear of getting their data stolen.
A Certification Ecosystem
To make the situation worse, there is a large technology hurdle to cross. The challenge here lies in the fact that existing outdoor EMV systems are made up of three parts: fuel control, payment control, and the outdoor payment terminal. Typically, the fuel controller and payment controller run on the same device, called a forecourt controller, as shown in the illustration above.
Retailers may get these solutions from different vendors. The problem is, it is critical to keep all parties aligned for delivery and successful deployment of EMV. Not easy to do, especially given new EMV-certification requirements. One example: if any component in the payment flow changes, you need to re-certify each new solution.
That means the payment software will need to have separate certification for each outdoor payment terminal, controller, and payment processor. There are hundreds of permutations of controllers, card readers, and payment processors that handle petroleum.
To make matters worse, certification with the payment processor/host is a very long and tedious task that takes months at a minimum. Not many options exist that are certified at this time.
To simplify matters, most pump companies suggest you use their complete end-to-end system. The problem is, this limits stations’ options and can get very expensive.
Map for Merchants
So, what is a merchant to do? There are a few options. They break down into three factors: what equipment you currently have, what you want to do in the future, and how much money you have. You can:
– Buy a new pump and complete system. Of course, this is what the pump manufacturers want you to do, and you may not have a choice if your pump is too old. The benefits to this approach are that you know your system should work. The disadvantage is it can be very expensive for the new hardware, software, and downtime to the business.
– Retrofit your existing pump and system. A retrofit involves upgrading your existing pump and system to accept EMV. The major pump manufacturers have retrofit kits that work on some of their newer pumps, but these kits are relatively expensive and require you to upgrade your payment software. Several third-party companies have developed retrofit kits that are less expensive.
Fit To Be Retrofit
If you want to consider the retrofit-kit option, you should take two factors into consideration.
Factor 1 – Station Configuration
First, the fuel controller, payment controller, and outdoor payment terminal need to be able to work together and be certified with your payment processor/host. Otherwise, you are just buying another mag-stripe system and are at the mercy of your vendors for when they will have the EMV certification you need.
To minimize this problem, you should consider the integration method between the components. There are two types of integration methods between the payment device and the payment processor/host.
Most existing U.S. implementations in petroleum are conceived as a full integration, where the payment application runs on the forecourt controller, separate from the payment terminal. The payment terminal just gets the cardholder data and passes it to the payment application for processing.
This concept may not work with your existing equipment, and any time something changes it can require a new certification across each piece of the solution affected. Since the payment application is separate from the payment terminal, this implementation also puts the station in PCI scope. Thus, system security becomes an important issue, as this configuration is responsible for much of the card skimming.
A new method to consider is called semi-integration. With semi-integration, the payment application runs on the payment terminal. So all card processing is handled by the payment terminal, which links directly to the payment processor. This is how most of the rest of the world does payments.
By separating the payment terminal from the rest of the system, this configuration provides more flexibility because it’s compatible with a multitude of pumps and forecourt controllers and does not require new certifications for each.
It is also more secure, since cardholder data goes directly to the payment processor/host and is PCI-certified. Also, the payment device at the pump is a PCI-certified payment terminal, so if anyone tries to tamper with the device, it will stop working. In addition, this approach minimizes downtime because you can upgrade one pump at a time. You don’t need to take the whole station down to convert to EMV (see illustration).
Factor 2 – Future Proofing
Besides your station configuration, the second major consideration is the future. If you are going to have to change your pay-at-the-pump terminal anyway, you may as well get one that can handle the future. It should support existing payment methods, such as PIN-entry for debit, and new payment methods, such as contactless through Apple Pay, Samsung Pay, and other digital wallets.
It should also be easily managed and upgradable so you can support new options such as mobile payments without replacing the hardware. Also, consider whether you want to have a screen at the pump so you can support advertising and order at the pump with pick-up in-store.
It is clear EMV at the pump is going to happen soon. The choices of technological direction and implementation are out there. As a merchant, you want to weigh the costs and factors according to how you want to do business and ultimately choose a solution that provides security, expandability, and ease of implementation.
Now is the time to act. October is only months away.