Liability for Credit Card Security Shifting to Merchants

How to protect your customers and yourself

By Michael English

If you are a merchant that accepts credit cards, you are required to comply with the PCI Data Security Standard (PCI-DSS), a common set of industry requirements to help ensure the safe handling of credit card data at the point of sale (POS) and as it flows into the payment system.

Most small merchants can use PCI’s self-validation tool to assess security for cardholder data. The tool includes a list of yes-or-no questions for compliance.

But PCI-DSS compliance does not provide optimal security and is not enough to prevent data breaches. Companies that have been breached are finding that cyberthreats are increasingly sophisticated, and hackers are going after data they can monetize.

Tips for Securing Payment Acceptance and Processing

  • Buy and use only validated payment software at your POS or website shopping cart.
  • Do not store any sensitive cardholder data in computers or on paper.
  • Use a firewall on your network and PCs.
  • Make sure your wireless router is password-protected and uses encryption.
  • Use strong passwords. Be sure to change default passwords on hardware and software: most are unsafe.
  • Teach your employees about security and protecting cardholder data.
  • Follow the PCI standard.

Technology Enhancements

In addition to the above steps, there are several available technologies that can greatly reduce your risk and simplify your PCI compliance efforts. These include:

EMV Cards (a.k.a. chip cards or smart cards). EMV stands for Europay, Mastercard, and Visa. The main security advantage of EMV cards is that they are much more difficult to counterfeit than current magnetic stripe cards, greatly reducing the all-too-common occurrence of thieves presenting counterfeit cards at your business.

Although it is not mandatory for a business accepting credit card payments to implement EMV, a liability shift begins Oct. 2015, making merchants that do not have a POS terminal capable of reading EMV cards responsible for chargebacks of fraudulent transactions. (The liability shift for pay-at-the-pump gas station transactions begins Oct. 2017.)

After the liability shift begins, a retailer must consider the chargeback losses that can be attributed to card fraud and estimate what those levels of card fraud will be. Other markets such as Canada and the UK have seen a reduction in card fraud at merchants with EMV payment systems and fraud growth in those that do not accept EMV, as well as in card-not-present situations.

Encryption. E3, end-to-end, or point-to-point encryption card readers are designed to scramble card data with only your payment gateway or acquirer having the ability to unscramble it. This will effectively remove unencrypted (a.k.a. clear text) card data from your POS and network.

Tokenization is a useful technology for any business that needs to retain card data after a card is authorized. A token is returned as part of the authorization process that is used to represent the card number going forward. Business cases where this technology proves helpful include recurring billing, reservations, deposits, and instances where card data are used for loss prevention systems as well as for purchasing analytics.

Michael English is executive director, product development, at Heartland Payment Systems.

This article is adapted from Heartland Payment Systems White Paper 2013: Payments Security for Small Restaurants and Merchants. To receive a copy of the full white paper, contact Kristin Novak-Csapo at

Heartland Payment Systems is a preferred vendor in CBIA’s Member Discount Program.
