Although much noise was made about card-fraud liability shifting to merchants earlier this month, the effects of the EMV transition have been felt by restaurants as more of a ripple than a wave, according to some in the industry.
“There’s not a great deal of angst” over the switch, says Lacy Novell Morris, VP of information technology for Johnny Rockets. “If you’re a restaurant and have a relatively small ticket—anywhere from $20 to $25 per check—your incidence of fraud is [going to be] low.”
That’s a sentiment with which Laura Knapp Chadwick, director of commerce and entrepreneurship for the National Restaurant Association, emphatically agrees.
“EMV may be a solution to a problem restaurants just don’t have,” Chadwick says, noting that restaurants rarely see counterfeit cards.
Still, the Federal Bureau of Investigation has issued two security warnings to restaurants and other merchants since the Oct. 1 liability changeover, stressing that that no form of digital commerce is completely safe. “No one technology eliminates fraud and cybercriminals will continue to look for opportunities to steal payment information,” the Bureau said in one warning.
Chadwick echoes the position that EMV alone does not protect restaurant operators from a data breach or hack. “To secure their whole enterprise, [operators] should use technology that will remove or never allow customer information to enter their system,” she says.
By itself, an EMV system will only tell you whether the chip credit card being used is legitimate, she says, and as a result, many restaurants are leaning toward tokenization and encryption over EMV compliance.
Johnny Rockets seems to follow that line of thinking, as Morris points out that the company’s first order of business is to achieve tokenization and encryption, followed by meeting EMV standards.
However, restaurant owners need to pay attention to their chargebacks, Chadwick says. “Restaurants need to be mindful that if they’re seeing a lot of counterfeit cards, [they] have to be ready to make a change.”
In Morris’ view, there are three camps among restaurateurs: those who have taken EMV very seriously and have proactively invested in being compliant, those who are slower to adapt due to “structural obstacles” and those who have chosen to ignore the changeover altogether and operate business-as-usual.
Many know that “it is in the interest of best practices” to have a plan for EMV, he says.
Over the course of the next 12 months, Johnny Rockets will begin to replace its tabletop tablets with new versions that have an EMV reader as well as encryption and tokenization capabilities, Morris says.
Part of the challenge, he avers, is relying on manufacturers to meet timelines and counting on them to consider all angles as technology and regulations change, such as if, for instance, U.S. banks shift to chip-and-PIN cards from the chip-and-signature cards now being introduced.
But as far as incorporating EMV is concerned, he says, “we’re on track.”