EMV, which stands for Europay, Mastercard and Visa, is a global standard for chip credit and debit cards. As background, the card networks thought that theft via swipe cards was too high: if someone stole your card – or hacked into a point of sale (POS) that swiped your card – they could fairly easily copy the static data contained in the magnetic stripe and reuse it elsewhere. Chip technology via EMV makes the transaction data dynamic so should a hacker gain access to your card’s transaction data the data would be unusable anywhere else: a unique code is generated for each transaction and the same code cannot be used twice.
EMV has been widely adopted across Europe and Canada over the past decade. Citing decreases in fraud, the card networks sought to bring EMV standards to America. As of October 1, 2015 the card networks imposed a liability shift for card transactions at in-store point of sale. This meant that merchants that weren’t EMV-enabled by that date found themselves on the hook for fraudulent card transactions, frequently known as chargebacks.
If the merchant did have EMV-enabled technology, the card issuer was on the hook for fraud, as it had been prior to the liability shift. Most merchants with small check averages viewed the the costs of EMV migration as a gratuitous expense and ignored it. However Visa likes to point out that fraud dollars dropped by 75% for merchants with EMV as opposed to a 46% decline for merchants that didn’t make the move.
Here’s where this gets fun.
POS companies have had plenty of notice to the liability shift, and the onus to invest in the technology to make their POS EMV-compliant was apparent. Yet many of them didn’t start the process in a timely manner, and some still don’t have a workable EMV solution.
Since there are likely tens of thousands of POS providers in US retail alone, we obviously need to limit the scope of the article. Therefore we’re focusing on the major POS systems across US hospitality.
Global Payments, which as one of the horsemen represents over 100,000 restaurants, has had EMV from the get-go. In general, they have support for every major processor on EMV with various hardware solutions including PAX, Ingenico and Verifone. This includes Apple and Google Pay.
Global’s EMV supports store-forwarding (think bar tabs), multi-terminal forwarding (run transactions on one terminal and edit on another), quick chip (mainly for QSR since EMV can take a long time to process), pin-debit, BIN range exclusion (for gift and loyalty cards) and they’re currently working on a full offline solution. They also support FreedomPay and Merchant Link for clients that prefer those carriers. The caveat here are that some of their POS solutions can only use certain devices, like POSitouch is only compatible with EMV on PAX devices.
MICROS went the polar opposite way and decided to boot EMV to third parties. Via their OPI, or Oracle Payments Interface, EMV devices instead are certified with the processors and not MICROS. This approach allows for faster speed to market around the world. Therefore all of the EMV-compatible solutions for MICROS are third party. “MICROS puts the burden of certification on the processor. OPI is a semi-integrated solution that keeps customers out of PCI scope. At a high-level, OPI provides the charge amount (e.g. $10) to the device which then prompts the user to insert/swipe the card. The device then directly connects with gateway. In this way MICROS is only seeing tokens,” explained a former MICROS executive.
Shift4 is another horseman and it built what it calls the UTG, or Universal Transaction Gateway. The UTG is both a cloud and on-premises solution with RESTful API that makes it easy for ISVs to integrate with Shift4’s solution: UTG in turn talks to a growing number of compatible devices that are pre-certified on the Shift4 platform. UTG is in use by 300 ISVs and 100,000’s of customers in F&B, hospitality and retail.
Shift4’s UTG supports EMV, PCI Validated P2PE, store and forward functionality, floor limits (when a merchant wants to put a limit on the preauthorized amount) and tokenization. “Our device certifications are done and the POS & hospitality companies in our portfolio can connect with UTG to handle their EMV needs” explained a Shift4 executive.
NCR, in true NCR fashion, is once again the laggard. “NCR doesn’t have an EMV solution that we can trust,” state a number of NCR’s resellers and customers. “When NCR realized that they were 3 years behind the liability shift they rapidly approved some EMV partners but we’ve had trouble finding an approved partner that works well.” NCR offers their own tethered EMV option for QSR via Connected Payments but does not have a solution that work in table service, where devices should be processing EMV dips at the table. The reasoning here is that the EMV card is not supposed to leave the consumer’s hand. In QSR the customer’s food is brought to them at the counter where they pay, but that’s not the case in full service.
Looking over the list of approved table-side partners surfaces another issue: the costs of NCR’s approved EMV solutions are high relative to non-NCR EMV providers. No doubt this stems from NCR’s walled gardens and pricey tolls.
“We tried Softpoint, one of the approved providers, but couldn’t stand it up,” explains one NCR reseller. “The problem as we understand it is that Softpoint relies on Omnivore for middleware integration to NCR’s Aloha. Whenever an issue was encountered Softpoint would point to Omnivore, Omnivore would seek help from NCR, and NCR would wipe their hands,” said another. Softpoint’s co-founder, Christian Rivadalla, countered that they have Aloha sites running, however. “Some you setup and just go and others you got to tinker with it. It’s not an exact science.” This is what we have also experienced with NCR’s Aloha POS as it is an antiquated software starved of the R&D necessary to modernize its connectivity.
Another of NCR’s approved EMV providers, eTouchMenu, wanted to head off the difficulties that come with integration through NCR’s traditional program; thus they built a direct integration under their Mobile Pay approval. eTouchMenu offers guest facing pay at the table with a la carte options like gift card. eTouchMenu has had EMV working across Landry’s, a staple NCR Aloha account, since early 2018.
PayMyTab is another solution that is a little broader in their offering. While they use Omnivore for their POS integrations – meaning another cost would normally be passed to merchants if PayMyTab didn’t absorb the fee – it allowed PayMyTab to focus on feature delivery and iteration. “We do table side ordering and pay at the table. Ironically the former is becoming more popular in many states that are raising the minimum wage as restaurants seek to control their labor costs,” said Tom Homes, PayMyTab CEO. PayMyTab offers guest analytics and loyalty along with their core values of EMV. “We’ve been told we’ll be one of only two recommended solutions by NCR in 2019.”
A consistent gripe we heard from the above solution providers was that Aloha was the only POS company charging them for integrations, adding costs to the merchant. This at least confirmed our observations as to why Aloha’s EMV options were so much more expensive.
After the four horsemen we have the major cloud POS providers.
Qu, formerly Gusto POS, has a semi-integrated platform solution. Niko Papademetriou, their head of Business Development, noted that it’s not a “cloud” EMV implementation nor is it a heavy on-premises solution, as the former often can’t support internet outages and the latter often requires a back office server. Qu’s EMV accepts all card and payment types with one integration, including Apple and Google Pay. It acts as a gateway to almost every acquirer and facilitates mobile EMV acceptable with Bluetooth, wifi or even device-level cellular connectivity.
Qu’s solution has full store and forward capabilities (when the internet or processor are out) for their transactions and supports multiple devices from Ingenico and Verifone, but has had trouble finding success with other cloud-EMV integrations and non-leading manufacturer EMV devices.
Revel started supporting EMV via Vantiv’s TriPOS in late 2016. They’ve had pay at the table since 2017 though they’ve seen no real interest in the technology due to lack of pin requirements. “Customers weren’t required to memorize pins here like they do in Europe or Canada so they still give their servers their cards and the servers run it on a machine in the back,” explained Revel CTO Erick Kobres.
Toast has had EMV running for over 15 months. Toast’s handheld device, Toast Go, became EMV-compliant three months ago and has a bevy of features: pay at the table, table side ordering, order-ready notifications, and the ability to collect guest reviews. Their EMV now has a customer-facing display as well. Toast has seen good speed in their EMV dip times at 2 seconds – which matters to QSR and fast casual brands who seek fast turnover.
Upserve had stand-alone EMV since the liability shift for $230. Recently they announced an integrated EMV play with table side ordering on Android. Previously Upserve was only available on iOS and the new EMV kit doesn’t cost any extra. The tablesides will be available in early 2019.
You tell us: is it acceptable for a “software” company to not have a functioning EMV solution more than 3 years past the deadline? Or more importantly, can a “software” company that doesn’t comply be one you should trust to run your critical software operations?
Probably not.