Protect your Self-Storage Business with EMV and PCI
Written by Sheryl Scott on December 03, 2015 under Payment Processing & PCI
EMV (the global security standard for accepting chip credit cards), combined with PCI (Payment Card Industry) compliance, helps protect your business. Many storage owners are questioning whether they need to use EMV-compliant terminals, and how and why their businesses need to be PCI compliant. Understanding EMV and PCI is the first step in protecting your business from fraud, liability and fines.
EMV is a global security standard named for the three companies that created it: Europay, Mastercard and Visa. EMV cards carry an embedded chip that makes them virtually impossible to counterfeit. This chip offers stronger security than the magnetic stripe. As of October 1, 2015, the liability for fraudulent transactions has shifted to the merchant if an EMV-compliant terminal was not used to accept a card-present transaction.
The benefits of EMV are too significant to be overlooked. EMV represents a more secure way to accept card payments and promises to reduce card fraud and counterfeiting. EMV chip cards transmit a unique identification with each transaction, making them more secure than the static data contained in the magnetic stripe currently used on non-chip cards. This technology makes it virtually impossible for thieves to duplicate cards; thus, it reduces card fraud at the point-of-sale device. Special EMV terminals are required to read these chip cards. Most of these EMV devices will also allow for accepting contactless payments like Apple Pay, Samsung Pay, and Google Wallet (also known as Google Pay).
Merchants Do Have A Choice To Make When It Comes To EMV
Merchants can eliminate their exposure to credit card fraud losses from counterfeit cards, or do nothing and simply accept the shift of liability for these counterfeit cards when it happens. Essentially, businesses still using a magnetic-stripe-only terminal after October 1 are responsible for the cost of stolen, lost and counterfeit cards if presented at their business. Keep in mind, transactions in the U.S. account for more than half of the world's fraudulent transactions, and these transactions have significantly increased in recent years. The main reasons for not upgrading are a lack of knowledge and a misunderstanding of the impact.
As more of these EMV chip cards are issued, more consumers will rely on using chip cards. Ensuring your business is ready for this new technology not only protects your business from this potential liability but will also show your customers that you care about the security of their card and payment information.
As for self-storage operators, it is now more important than ever to work with your software provider to find the best path to an EMV payment solution that is integrated with your management software. An integrated solution is key to avoid entering off-line transactions into your management software. EMV will be a key decision for many self-storage operators as we end 2015 and start 2016.
Why PCI
To make certain your facility is secure against fraud, you must also become PCI compliant. The PCI DSS (Payment Card Industry Data Security Standards) mandate applies to both software providers and merchants, yet PCI DSS is often ignored by many operators. From a security perspective, PCI DSS means your business meets the requirements for security awareness, policies and procedures, risk, and scans. In simpler terms, it means you are doing your part to ensure your customers' payment data is being protected for every transaction where you use their card information. It also means you are making a reasonable effort to protect against a data breach.
For more information on PCI requirements:
- www.pcisecuritystandards.org - The PCI security organization is responsible for the development, management and awareness of the PCI security standards. The card brands are the ones that enforce the mandate of PCI compliance for the merchant service, software, and payment provider. All parties involved in the transaction have a responsibility in protecting payment information.
- Why It Matters: Payment Card Industry Data Security - This webinar, hosted by SiteLink and presented by Charles Denyer, PCI-QSA (PCI Qualified Security Assessor), provides an in-depth and comprehensive overview of the Payment Card Industry Data Security Standards (PCI DSS) mandates for merchants and service providers.
- The Payment Card Industry Data Security Standards (PCI DSS): A Comprehensive Overview - This White Paper by Charles J. Denyer provides expert advice from a PCI-QSA in understanding the importance of cardholder data security and other critical decisions.
- PCI SAQ Certification Process in 10 Easy Steps - A White Paper by Charles J. Denyer, PCI-QSA.
Each merchant is required to complete PCI-DSS for each merchant account. Ultimately, the merchant has the responsibility to accurately complete the PCI-DSS survey. If a merchant needs help completing this survey, the merchant can solicit the help of a QSA (Qualified Security Assessor). Be careful letting a non-QSA complete the compliance forms, because if they are filled out incorrectly or falsely to pass compliance, you will still hold the responsibility for the PCI non-compliance fines. The fines for non-compliance are significant and higher if there is a breach. In Robert Halsey's article, "The Real Cost of Data Breach," he mentions just how significant those fines can be: "The bottom line? The cost of a data breach for a Level 4 merchant averages $36,000 and can be as high as $50,000 (or more). In other words, more than enough to cripple-or even destroy-a small business."
All merchants should check to ensure their software and merchant providers have the highest level of PCI-DSS compliance. As an example, SiteLink has achieved PCI-DSS Level 1. This means SiteLink undergoes the most rigid penetration test on a quarterly basis to ensure its customers' tenant payment information is protected to the fullest extent. You can rest easy knowing your customers' payment information is protected within SiteLink Web Edition, and SiteLink has done its part by verifying PCI-DSS Level 1 with a QSA. After you have verified your software management system meets the necessary requirements, the next step is to complete the PCI assessment for each of your merchant accounts. For multi-site operations, SiteLink can help merchants simplify this effort. Just contact SiteLink Merchant Services, and a representative will help you with the process.
Both PCI and EMV play very important roles in protecting your business. PCI documents the required standards that each business is required to follow to protect customers' payment transactions to avoid a potential breach. It is important to know that significant fines are assessed for non-compliant merchants when found. PCI is mandated by the major card brands (Visa, Mastercard, etc.), and it is the merchant account owner's responsibility to ensure this is completed accurately. EMV is strongly recommended as a way to take payments more securely, accept contactless payments and avoid the liability shift for fraudulent transactions. Ultimately, it is the merchant's decision to implement EMV or do nothing and accept the liability shift.