Making sense of EMV PCI DSS

Do you understand EMV PCI DSS?

As the reliance on technology and electronic data continues to grow, veterinary offices are becoming more vulnerable to cyber security threats. Many practice owners believe their business isn’t at risk, when in fact 61% of all breaches hit small businesses last year. Taking steps to protect your client’s credit card information starts with the right credit card processing solution.

Over the last couple of years you have probably read copious amounts of legal jargon on EMV and PCI DSS compliance, and the liability shift. No matter how secure your payment systems are, accepting credit card payments always carries some degree of risk.

The first thing you should always look for in a POS (point of sale) system is that it is set up to accept EMV chip cards.

What is an EMV chip card?

EMV (Europay, Mastercard, and Visa) cards have an embedded microprocessor chip that store and protects card holder data. These chips are far more secure than the old magnetic strip cards.

Second, you should make sure your systems are PCI DSS certified.

What does PCI DSS certified mean?

PCI DSS stands for Payment Card Industry Data Security Standard. PCI DSS is a set of security standards designed to ensure all companies that accept, process, store or transmit credit card information maintain a secure environment. PCI DSS compliance applies to any organization, regardless of size or number of transactions, which accepts, transmits or stores any cardholder information.

60%

of small businesses go out of business within six months of an attack.

90%

of small businesses don’t use any data protection at all.

Real world scenario

One of our employees, Kelly, recently experienced a fraudulent charge on her credit card. Kelly went to a restaurant with her family, where someone who handled her card copied the information while transacting her dinner bill. Then the person who stole the card went to an electronics store and purchased $5,000 in electronic goods. She received a call right away from the credit card company asking her if she made the $5,000 purchase of which she did not; who holds the responsibility for the fraudulent activity liability?

This is where the liability shift comes in

If the electronics store had terminals that did not accept EMV cards and were not PCI DSS certified, all charges relating to the theft would be placed on the electronic store, including penalties. Noncompliance fines for not being PCI DSS compliant vary based on the length of time of noncompliance, for 1-3 months the fine for a small business is $5,000 per month. Did you know every dollar of fraud costs merchants $2.40? The $5,000 purchase could have cost the electronic store $12,000, this doesn’t include the fine for being non-compliant.

Cyber attacks cost small businesses $84,000 – $148,000.

How can this apply to you?

All our Payment Processing approved vendors are EMV and PCI DSS certified, so if you are already using an approved vendor you are already set!

Now let’s chat about card on file. Have you ever taken a phone call from a client and they say “I’ll be in to pick up Randall’s prescription diet tonight, can you charge my card?” Within the latest versions of your Covetrus  software, you are now able to “store” credit card information for these instances. This is called tokenization. When the credit card is scanned through your EMV/PCI DSS certified terminal a token is created and stored for future use in a secured encrypted server at the payment processing company. This ensures your clients data is protected on site from internal theft and offsite through the merchant server.