By now you probably know that EMV is coming to the US. Some say it is long overdue, others believe it will only shift fraud to other methods. But what if EMV adoption would solve the PCI issues for small and medium businesses? That could be a really interesting case study to see how it applies as small businesses are typically caught unawares when bad things happen.

Chip, by Declan Jewell

As with all things, it may come down to acceptance more than anything else. Imagine for a moment if companies did aim to remove PCI DSS assessment activities from their annual audit schedule and converted all of their terminals to support EMV. Unless you and I as consumers get cards with a chip in them and actually USE them, those merchants won’t see the full benefit of EMV. Of course, we can only hope that an upgraded reader would be capable of full P2PE with magstripe data as well, thus potentially solving a massive issue for SMB. Why potentially? Because it requires everyone in the ecosystem to play nicely and help take the merchant out of scope. Small businesses are great for our economy, but they certainly aren’t payment experts.

Let’s say for example that a company decides to make the move to EMV and installs compliant readers that match up with existing P2PE guidelines, encrypts magstripe data point to point, and finally outsources all of their ELECTRONIC payment infrastructure to a third party. What is their risk/liability at that point? The type of fraud you would see at this point would be focused on the payment instrument itself (bad charges on cards) and physically mucking with the Point Of Interaction (POI). It’s not to say that electronic hacking as we know it today in this space would cease, but it would certainly change into something else. My colleagues in Europe say that the card-present type of compromises have reduced to almost nothing, whereas the e-commerce breaches have grown steadily. We still see both here in the US, but will a push to EMV cause the same shift, and if so, how do we arm small businesses to combat the shift?

This post originally appeared on