White Paper

Making sense of EMV, PCI, and DSS in payment processing


Do you understand EMV, PCI, and DSS for payment processing?

Over the last couple of years, you have probably read copious amounts of legal jargon on Europay, Mastercard, and Visa (EMV) compliance, Payment Card Industry Data Security Standard (PCI DSS) compliance, and the liability shift. No matter how secure your payment systems are, accepting credit card payments always carries some degree of risk.

As the reliance on technology and electronic data continues to grow, veterinary offices are becoming more vulnerable to cybersecurity threats. Many practice owners believe their business isn’t at risk, when in fact 61% of all breaches hit small businesses last year.¹ Taking steps to protect your clients’ credit card information starts with the right credit card processing solution.

What is an EMV chip card?

The first thing you should always look for in a point-of-sale (POS) system is that it is set up to accept EMV chip cards.

EMV cards have an embedded microprocessor chip that stores and protects cardholder data. These chips are far more secure than the old magnetic stripe cards.

What does PCI DSS-certified mean?

Second, you should make sure your systems are PCI DSS certified.

PCI DSS is a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment. PCI DSS compliance applies to any organization, regardless of size or number of transactions, that accepts, transmits, or stores any cardholder information.


Sixty percent of small businesses go out of business within six months of an attack, while 90% of small businesses don’t use any data protection at all.²


Real-world scenario

One of our employees, Kelly, recently experienced a fraudulent charge on her credit card. Kelly went to a restaurant with her family, where someone who handled her card copied the information while processing her dinner bill. Then the person who stole the card details went to an electronics store and purchased $5,000 in electronic goods. She received a call right away from the credit card company asking whether she had made the $5,000 purchase, which she had not. So who holds the liability for the fraudulent activity?

This is where the liability shift comes in

If the electronics store had terminals that did not accept EMV cards and were not PCI DSS certified, all charges relating to the theft would be placed on the electronics store, including penalties. Fines for PCI DSS noncompliance vary based on the length of time of noncompliance; for 1-3 months, the fine for a small business is $5,000 per month. Did you know every dollar of fraud costs merchants $2.40? The $5,000 purchase could have cost the electronics store $12,000, and this doesn’t include the fine for being noncompliant.


Cyberattacks cost small businesses $84,000 – $148,000.²


How can this apply to you?

All our approved payment-processing vendors are EMV- and PCI DSS-certified, so if you are already using an approved vendor, you are already set!

Now let’s chat about card on file. Have you ever taken a phone call from a client who says, “I’ll be in to pick up Randall’s prescription diet tonight, can you charge my card?” Within the latest versions of your Covetrus software, you are now able to “store” credit card information for these instances. This is called tokenization. When the credit card is scanned through your EMV/PCI DSS-certified terminal, a token is created and stored for future use on a secured, encrypted server at the payment processing company. This ensures your clients’ data is protected on site from internal theft and off site through the merchant server.
