Which acquirers are ready to accept chip card transactions on EMV certified terminals today?

emv smart cardUnofficial list of acquirers for retail merchants who want to be EMV Compliant by October 1. As merchants and industry sales people are discovering, not all processors are ready. For those merchants that want to be EMV Compliant to accept chips cards for the liability shift, this is a huge problem.

This list is to help avoid confusion about getting you ready vs getting you EMV enabled.

Every acquirer,  terminal manufacturer, and industry reseller has language in their marketing materials about ‘getting you ready’. And that’s exactly what will happen. Merchants who install EMV capable terminals or Point of Sale systems will be ‘ready’ for when everyone (equipment manufacturer, acquirer, POS or gateway, as applicable) completes their certification.

EMV Compliant: Merchant has certified EMV terminals and their merchant account has been EMV enabled to accept chip cards.

10 largest merchant acquirers of 2013 were:

1. Bank of America
2. Chase Paymentech Solutions
3. First Data
4. Vantiv
5. Elavon
6. Wells Fargo Merchant Services
7. Citi Merchant Services
8. Global Payments
9. Heartland Payment Systems
10. WorldPay

In no particular order, this is a list of acquirers supporting terminal options for merchants to get EMV enabled. There’s one big provision. Acquirers have multiple transaction processing platforms. A merchant could be on a platform that’s not EMV capable yet, though the acquirer has another EMV capable platform. Additionally, the certified terminal solution may require a third party gateway. If changing processors, confirm with the acquirer, Independent Service Organization (ISO), or bank that they can accept chip cards immediately. To make the list, the terminal must support contact EMV debit and credit at a minimum.

Merchant acquirers with EMV Compliant solution today with countertop terminal:

  • First Data- FD50, FD100, FD200 series with FD35 required; FD130, FD130 DUO with FD35 required. Note, all terminals require specific application revision.

Merchant acquirers with EMV Compliant solution today with multi-lane terminal:

Multi-lane signature capture terminals require a payment gateway. To List of integrated solutions vendors and their certifications:

  • CenPOS certified Verifone MX 915 to First Data
  • CenPOS certified Verifone MX 915 to TSYS

Merchant acquirers with EMV Compliant solution today with mobile terminal:

  • ChargeAnywhere certified Miura Shuttle M006 & M010 to First Data
  • Highline retail cloud software certified VeriFone E315/E335 PINPAD to First Data. Requires using Highline all-in-one- POS software and merchant services.

TSYS offers transaction processing products and solutions to financial institutions, including banks and acquirers, among other services. For example, a bank may use both TSYS and First Data in their merchant services environment. TSYS is available as a connection option to most if not all the big acquirers. Bottom line: if your acquirer does not have the EMV certified terminal desired, TSYS may be the solution to more choices. Ask the EMV solution provider, not the acquirer questions, because the acquirer is less likely to know anything about products and services they don’t sell.

Resources:

Acquirer, Payment Gateway and POS Solutions Provider EMV Roadmap- Links to the related EMV certification list and or schedule for EMV certification. Bookmark this page now!

  • authorize.net – scroll down the page ETA support dates are 2016; no equipment specifics listed. Note: NFC payments also not supported yet.
  • Shift4 emv roadmap – the 3rd graphic is completed certifications; none in US to date.

Sales contacts: 3D Merchant Services offers EMV compliant solutions, including CenPOS, for retail merchants with $1M minimum annual processing; new merchant account may not be required.

Data Source: Web sites, acquirer bulletins to industry, Linkedin –  I maintain this subject for open comment on the Linkedin US EMW discussion board with over 3,500 members, mostly industry insiders. Recommended reading- EMV handbook for merchants by Verifone. It has a great Q&A section.

Have an addition or update? Please add your comments!

What do I need to accept payments for an online store?

The essential elements of an ecommerce store are the shopping cart, payment gateway, security certificate and merchant account. All payment processors that we work with now require a certified PCI Compliant shopping cart.

The store or shopping cart components include order and content adminstration, inventory managment, product management, customer management and search engine optimization among other elements.

The payment gateway is just that- a gateway that allows the secure transmission of credit card and debit card payments from the shopping cart to a merchant processor. The gateway is a standard security mechanism for the internet.

The security certificate is issued to a business. Digital security certificates provide two essential security functions: authentication and encryption.
The business is verified to be legimate. It also enables the SSL protocol,or secure socket layer for encrytion, which includes displaying HTTPS and the little lock symbol that appears in browsers.

The last element is the payment processor. Merchants accept credit and debit cards by opening a merchant account with a payment processor. Just like you can’t go to the federal reserve to do your personal banking, you can’t go to Visa and Mastercard to do your credit card processing. Payment processing is offered through banks, payment processing companies and independent service organizations (ISO). Sometimes the same company offers their services through all channels. For example, First Data offers payment processing  directly and also through banks they have partnerships with, and through registered ISO’s. Because of the complexities of the industry, the best prices and value are not necessarily achieved by going direct. In fact, indirect service thrives because of value added and volume partnership pricing.

In the past, processors required a secure gateway, however this has now been extended to the actual shopping cart software as well in some cases. One reason is that some carts allowed for storing card data unencrypted somewhere on a server. For some shopping carts, getting certified is a formality. For others, there are security issues somewhere within the process- whether front end or back end, and work is needed before the cart can be certified.

The quick solution for those carts that are not compliant has been to disallow credit card processing except for paypal and google payments.

Virtually every cart accepts authorize.net as a gateway and it’s one of the most popular. I recommend it, when appropriate. The Orbital Gateway may be a cheaper solution for those processing on the Paymentech platform, however not as many carts have Orbital integration.
Orbital Gateway Integration & Certification Program- Orbital is a Chase Paymentech gateway and only works with those processing on the Chase Paymentech platform. Merchants must complete either the shopping cart certification, or use a hosted payments solution such as CenPOS or CRE Secure.

VoIP for credit card processing voids PCI Compliance

If you plug a PCI Compliant credit card processing terminal into a VoIP connection, then your processing is no longer compliant.

This explanation attempts to detail why. Traditional phone = analog. Traditional lines use hardware to send data ie the copper line. When using a 2008 compliant credit card terminal, the desktop terminal sends encrypted credit card data from the merchant to the processor and back using analog signals.

VoIP = digital. VoIP traffic flows across the Internet in unencrypted packets, which means anyone that has access to the network between sender and recipient can intercept them. So the desktop terminal may be compliant, but once the data is on the open network, the merchant set up is no longer PCI Compliant. Even though there are optional packages that can be attached to some VoIP networks, they do not meet current PCI compliance standards for the credit card processing industry.

If you attach a magnetic card swipe to your computer the transaction is processed using SSL security. It is not the same as VoIP. SSL uses a cryptogaphic system. It has two keys to encrypt data- a public key known to everyone, and a private key known only to the recipient. The magnetic card reader can be used with many POS systems and a high speed DSL, cable modem or T1 line.

Internet, ecommerce, and virtual terminal transactions all use SSL.

There are important considerations to check for both mag card readers and ecommerce transactions. Each requires a Gateway. The Gateway enables secure, real-time payment processing of credit card transactions. It is not the same as a credit card processor. Most people don’t realize that gateways and ecommerce stores must pass specific information through to the credit card processor to get better rates. Most systems focus on fraud protection, but do not necessarily pass through critical data required to meet specific interchange requirements. Sometimes the store doesn’t pass the data, and sometimes the gateway doesn’t pass the data- it all depends on company capabilities.

I’m not a tech expert but in general, the description above is sufficiently accurate to explain why. Bottom line: Visa & MasterCard officially state there is no acceptable VoIP solution that meets PCI Compliance requirements.