Blog | March 12, 2015

VARs, ISVs Heading For Collision With EMV Deadline. But Will There Be Any Damage?

By The Business Solutions Network

Survey Shows Lack Of SMB Preparedness For EMV Credit Card Transition

In my time with Business Solutions, I don’t think I've come across such an interesting topic as EMV. The card brands and vendors in the payments world will tell you how important EMV is, while VARs and ISVs scratch their heads over the lack of direction or clarity around the initiative. Many vendors claim to have easy and affordable solutions to become EMV certified, while a large number of VARs and ISVs still claim to be in the dark as to what they need to do. The card brands will talk about the added security and warn of the liability shift in the event of a breach, while VARs catering to SMBs will tell you that their customers simply aren't at risk.

BSM just closed a survey on EMV and payment processing, and the results show that, despite the purported benefits of EMV and a looming liability shift, there’s still not much urgency from the channel. For instance, our survey revealed that only 28 percent of ISVs have completed their EMV upgrades. Additionally, just over 40 percent of our ISV survey respondents told us that their software would be EMV compliant/certified in 6 months or more. If that’s true, it leaves little time to stay ahead of the October 2015 deadline.

In terms of migrating merchants to an EMV solution, 20 percent of VARs say they’re “just researching/have no urgency” to move their clients, which makes sense if the majority of ISVs aren’t ready. Those same ISVs mentioned earlier believe it will take 6 months to a year to get their merchants upgraded. Both VARs and ISVs who took the survey admitted that some customers may never upgrade to an EMV-certified solution because they don’t perceive the threat to be real.

Commenting on the article “EMV Countdown: It's February. Are Your Clients Going To Make The Deadline?,” VAR Robert Smith wrote, “many smaller merchants will accept that liability, and rightfully so in comparison to the costs of equipment and/or increased rates, and the slower processing time. I know many of our customers accept full liability today for smaller transactions by not taking the time to collect signatures. Even though we'll offer an EMV solution, they aren't likely to take us up on it before October.”

If that’s how you and your customers feel, I’d have them sign something that states that, in the event of a breach, they won’t hold you liable. Bringing that paper into the conversation is a sure way to impress upon them the importance of payments security. Bob Goldberg, general counsel for the RSPA, advises resellers to have an entire EMV program advising of the changes, noting the merchant's state of compliance, the risks, and follow-ups for those that decline to upgrade. He also adds that the RSPA’s terms and conditions (available freely to RSPA members) clearly establish that it is the merchant who is responsible for PCI-DSS compliance. “That and any other document cannot prevent a lawsuit, but it will assist in the defense of one,” he says.

As the deadline approaches and eventually passes, it will be interesting to see how things play out for those who dragged their feet. My feeling is that, no matter what opinion you have of EMV, payments security in general is one of the most important initiatives and offerings a VAR can have. The number of breaches is only increasing, and criminals are finding new ways every day to target merchants. While small merchants might not be a primary target today, they’ll soon become low-hanging fruit when criminals realize the best security measures aren’t always in place. Do your SMB merchants a favor and put payments security at the top of their to-do list.