If you’ve started to see more credit cards featuring chip technology, you’re not alone. In fact, you should expect to encounter them a lot more as they are introduced throughout the U.S. Unfortunately, many spas are not yet equipped to handle chip-enabled cards. If your spa is one of them, you’ll want to remedy the situation sooner rather than later. Spas that have not migrated to the new terminals needed to process chip credit cards have been on the hook for credit card fraud since Oct. 1, according to major credit card companies. “Most in the industry are not aware of this,” says Kathryn Moroz, president of Spa Advisors, a management consulting company.
Essentially, American Express, MasterCard, Visa, and the like have had it with old technology magnetic stripe cards, which are easy plunder for fraudsters. As a result, they’ve decided to shift the liability for fraud to businesses, including spas, that have insisted on clinging to the old mag-stripe technology and have not yet brought in new chip-card terminals.
That means if someone who perpetrates credit card fraud comes into your non-chip card-ready spa now and charges anything on a credit card, your business eats the loss—all of it. The problem is that hundreds of thousands of U.S. businesses—including many spas—have no idea they’re on a collision course with fraud. “While the credit card industry needs to churn out a lot more chip cards, retailers seem to be in worse shape,” says Matt Schulz, a senior industry analyst at CreditCards.com. “Very few are ready to accept chip cards.”
According to a February 2015 poll by Newtek Business Services, 71 percent of business owners were completely unaware that they’ll be responsible for magnetic stripe fraud after October. Spas definitely do not want to be a part of that group. “Being educated about what this change means for businesses and consumers is the smart thing for business owners to do,” says Christi Cano, president of Innovative Spa Productions, a spa consultancy.
Despite the backlash anticipated from businesses that have begun getting stung for fraud, the major credit card companies are hanging tough. It’s no wonder though, as all of those credit goliaths have been burned by the wholesale theft of credit card data that is often measured in millions of accounts. They’re also dealing with untold numbers of angry cardholders, many of whom know all too well that the security on a mag-stripe credit card is a joke.
Chip cards, by comparison, are much more secure, according to Megan Shamas, a spokesperson for EMV-Connection, a branch of the Smart Card Alliance. Chip cards produce a one-time-use code for every transaction, making it much more challenging for those committing fraud to compromise. Plus, if a chip card is lost or stolen, the card is much more difficult to counterfeit, says Shamas.
Chip cards, also known as EMV cards, an acronym for the three companies that helped develop the card technology (Europay, MasterCard, and Visa), also have an extremely successful track record in Europe. Credit card fraud in the UK plummeted by 72 percent after chip cards were widely adopted, according to Patricia Moloney Figliola, a specialist in internet and telecommunications policy with The Congressional Research Service, a research team employed by the U.S. Congress. And Canada saw a 48 percent reduction in fraud after chip cards were rolled out there, says Figliola. According to her, the U.S. is the last major market to make the switch to chip cards.
Besides intense pressure from credit card companies on chip-card migration, fed-up consumers are also beating the drum. A recent MasterCard study revealed that 63 percent of credit card holders want a chip card “immediately,” says Carolyn Balfany, group head of U.S. product delivery for MasterCard. And 87 percent of those surveyed said they were completely comfortable with the idea of transitioning to chip cards, she says.
Of course, the rub for spas is that getting from here to there will cost money. Expect to pay $300 to $1,300 for each new chip-card terminal you bring in, depending on the features you want, says Phil Wimberly, vice president of integrated solutions sales for OpenEdge, a payments software provider. Plus, you’ll have to train staff to deal with the new technology.
According to Wimberly, one of your best resources for the new terminals will most likely be the business that is already handling the card processing for your mag-stripe cards. The one silver lining is that many of these card-processing businesses “are offering financial incentives to make the switch to chip-card terminals now, rather than later,” says Barbara Faulkner Morrow, principal of Barbara Morrow Spas International, a consultancy.
“It’s a bit of a nuisance to introduce new systems and hardware—but the alternative is worse,” says Leslie Glover Fairbanks, president of Aspen Spa Management, a spa consultancy. Fortunately, some spa software providers are prepared for the new technology, such as ResortSuite, which has supported EMV in Canada and Europe for years. “The U.S. requirement will be less onerous than those in Canada and Europe,” says founder and CEO Frank Pitsikalis. “The U.S. will be mandating chip-and-signature as opposed to chip-and-PIN transactions with the major difference being the cards must contain a chip, which is inserted into a reader rather than being swiped. ResortSuite supports both approaches but also provides additional security for card-not-present transactions by supporting point-to-point encryption (P2PE) swipe/key entry devices.” According to him, P2PE ensures the data is encrypted as it’s entered so confidential credit card data isn’t transmitted, processed, or stored on the spa’s network. “The credit card gateway processes the card securely offsite and sends back a token—useless to bad actors—to ResortSuite, which represents the card and is then stored in the database,” says Pitsikalis. “The token can be used securely by ResortSuite for up to two years to charge a guest, if needed.”
Your customers will most likely find migrating to the new cards to be fairly intuitive. There are, however, a few differences to note. Chip cards need to be inserted into a terminal, rather than swiped. A chip card also needs to stay inserted in the terminal until a transaction is completed. For verification, chip cards will require either a customer signature or a customer PIN. And some will be contactless, requiring only a simple wave over a terminal to initiate a transaction.
During the first few years of the transition, chip cards will also come with a magnetic stripe, which will enable consumers to make purchases at businesses still using mag-stripe technology. But the primary point to remember is that as long as you have chip-card terminals, you won’t be on the hook for fraud created by any mag-stripe card you accept as payment, says Shamas. In other words, as long as your spa has made the effort to accept chip cards, credit card companies aren’t looking to penalize you for accepting a mag-stripe card, she says.
Of course, even after virtually all retailers have converted to the new chip-card terminals, there’s a good chance there is yet another hack waiting around the corner. “History tells us that criminals will likely figure out a way around this technology also, so be prepared,” says Moroz.
Given that the Oct. 1 deadline has already passed, all the major credit card companies are engaging in massive business educational campaigns, hoping to help spas and other businesses dodge the fraud liability axe. But even with the massive PR push, industry watchers fret there will still be hundreds of thousands of uninformed businesses starting to see red over their new fraud liability.
“The Achilles heel for EMV merchant adoption will be small and micro merchants who are not only unprepared for EMV but also unaware of the fraud-liability shift in the U.S. this year,” says Nick Holland, head of payments at Javelin Strategy & Research. Don’t be one of those businesses.
For background on planning your spa’s migration to chip-card processing, check out the helpful 38-page Visa Merchant Chip Acceptance Readiness Guide (http://vi.sa/1VUk5qT). While you’re at it, you can also read up on the latest in credit card fraud prevention techniques with a white paper authored by the Smart Card Alliance. It focuses on using chip cards, encryption, and tokenization to further protect your business against fraud (http://bit.ly/1RcIlhk).