APARC Special Edition: EMV Compliance

In the last two years, have you bought new meters, and if so, did you request coin and credit card meters?

Has your supplier told you that they are EMV compliant, and supplied you with a coin and credit card meter that has a contact chip reader but no contactless reader? Unfortunately, under scheme guidelines all “new meters” are classified as unattended devices, and all unattended devices must include contactless acceptance.

In April 2013, Visa and MasterCard mandated that all unattended Parking Meters must process transactions via the chip on the card (as opposed to the older, less secure magnetic stripe). In October 2014, MasterCard required that ALL unattended Parking Meters be able to accept a MasterCard “PayPass” contactless transaction. Did you know that it is a breach of Visa and MasterCard rules for ANY unattended Parking Meter to process a transaction offline, without online authorisation?

It is not up to an equipment manufacturer to decide what is secure, compliant and safe. Those decisions are made by the card schemes: Visa, MasterCard, American Express and Diners Club. Why? Because they are tasked with ensuring that ALL cardholders can safely and securely make card payments without the worry of having their card details compromised and falling victim to credit card fraud. Worse still, if a parking machine is compromised, it is not the equipment manufacturer, the bank or the payment service provider that bears the losses – it is YOU. The card schemes (the “EMV” in EMV stands for Europay, MasterCard and Visa) set rules that all banks must abide by. These rules stipulate that all equipment must comply with industry standards set by the card schemes. Those standards include the ability to accept contactless transactions, the requirement that all transactions be conducted via the chip on the card, and the requirement that all transactions be authorised online.

“HOLD ON FOR A SECOND. You paid for a compliant solution… did you get what you paid for?”

Why should you care? Your organisation could be risking potentially huge fines and irreparable brand and reputational damage. In just the last couple of years, some of the world’s biggest names have fallen victim to card data breaches where, as a result of not conforming to the card schemes’ guidelines, they have been held liable for massive losses. Can your business afford to lose millions of dollars as a result of a non-compliant, insecure parking meter?

You must be compliant. There is no question about this. If you are not compliant, you MUST ask your current equipment provider why. Demand an explanation, and do not rest until you have not only an explanation but also a resolution, because you need to become compliant as quickly as possible. Compliance is critical: if you are the victim of a card data compromise as a result of insecure equipment and/or processes, your equipment vendor isn’t responsible, YOU are. Your equipment vendor doesn’t have to pay the fines, reimburse the cardholders and deal with the brand damage. YOU DO! So if you are not compliant today, ask your provider why, and ask what they are doing to compensate you for the compromised and risky position in which they have placed your organisation.

New Meters

Have you installed “NEW METERS” that accept credit cards? If you have, and the meter does NOT have a “contactless” solution attached, YOU are NOT EMV compliant and YOU are not processing EMV transactions. Do not be fooled.

PAID for an EMV UPGRADE?

Have you paid for an EMV UPGRADE, received your CONTACT reader, and not received your CONTACTLESS device? If you haven’t received the contactless device, you are probably not processing EMV transactions. Once again, do not be fooled, and demand answers in writing.

Things you should do

Have you requested a copy of the device’s certification (the EMVCo approval for both the contact and contactless readers)? Have you viewed or received bank certification for “Contact and Contactless” covering a certified end-to-end solution, from the meter through to your acquiring bank? If you haven’t, there are obviously questions that you, the customer, should be asking.

The next question I would be asking myself, as the owner of the equipment, is: am I actually “processing” EMV transactions, and is the public safe transacting in a non-EMV environment? You may have been told from the outset that the solution you purchased is EMV compliant, but once again, go back to your manufacturer and ask for written confirmation.

In summary, demand to know when you are going to receive your end-to-end, fully EMV compliant solution, and make sure that you haven’t been misled and compromised in the biggest possible way, because this compromise affects both you, the institution, and the END USER of the equipment. All for the sake of the almighty DOLLAR! If this has happened to you, in my personal view, it is opportunistic and scandalous.

If anyone would like any further clarification or assistance, please don’t hesitate to contact me directly.

Phillip Verity 
Managing Director, APARC
M: 0401 648 282
E: phillip@aparc.com.au