With the latest 2017 POS technology changes to PCI-DSS, and ever-changing security requirements in a world in which electronic transactions are constantly under attack, there are significant changes afoot when it comes to processing credit cards. Last year, for instance, most companies were forced to migrate from SHA-1 (Secure Hash Algorithm) to SHA-2 because the former was deemed insecure, and the likes of Google, Microsoft, Apple and Mozilla announced that they will no longer accept SHA-1 certificates in the browsers in 2017. Likewise, companies have until June 2018 to stop using and update current versions of unsafe SSL and TLS protocols, which have also been proven insufficient in the face of more advanced threats that have emerged.
Although these changes are seamless to consumers, they will have a big impact to merchants as far as their hardware and software readiness is concerned. Key tasks merchants will have to perform to accommodate these changes include:
- Updating POS terminals and/or cash registers
- Educating employees about new business processes and technologies
- Improving reporting, processing and reconciliation processes
- Upgrading e-commerce and online checkout systems
What are credit card companies changing?
Credit card companies are adopting new numbering systems and merchants need to update their POS systems to accept those. In some cases, there will be penalties involved.
1) MasterCard is adding new BINs – MasterCard has created a new BIN (Bank Identification Number) range (that begins with a “2” in addition to the existing “5” series). Banks and card issuers expect to start distributing MasterCard credit cards with the new 2 series BINs in June, 2017. In addition to the old 510000-55999 series cards, they’ll be issuing cards in the 222100-272099 BIN range.
2) Expanded use of 19-digit PANs – While technically there have been several card types that support 19-digit PANs (Payment Account Numbers), Visa is now issuing some cards with 19-digit PANs. This is expected to increase over time.
What does this mean for merchants?
This requires a system-wide change and POS upgrade that can be easily absorbed if managed correctly, but can also go very wrong if not, or if merchants miss the June 2017 deadline. For example, MasterCard has is issued a fee schedule for non-compliance with the new BIN numbers as follows:
- Up to $2,500 per occurrence for the first 30 days
- Up to $5,000 per occurrence for days 31-60
- Up to $10,000 per occurrence for days 61-90
- Up to $20,000 per occurrence for subsequent violations
EMV still on the horizon for many merchants
Besides the other technology changes merchants must accommodate, many are still facing the switch to the Europay, MasterCard and Visa (EMV) or chip standard. For merchants and financial institutions, the switch to EMV or Chip and pin means adding new in-store technology and internal processing systems, and complying with new liability rules. For consumers, it means activating new cards and learning new payment processes.
As it stands now, only 37-38% of merchant locations are currently ready to process chip card payments, per Mastercard and Visa estimates found on creditcards.com. They also estimate that there are 15 million POS terminals that still need to be upgraded to accept chip cards. Industry experts expect the merchant migration to continue over the next few years, especially as the remaining liability deadlines get closer. The fact that some payment processors are already charging back merchants for not having chip and pin technologies installed on their POS systems is a key driver to make the change sooner than later.
For some Merchants that still have old POS technologies and are using outdated, insecure protocols these new changes could mean a considerable investment to refresh their infrastructure. With the right IT consulting partner and a careful plan, however, those costs can be reduced significantly and the transition can be smoother.