If you either use credit cards or are a merchant that accepts credit cards (I think that covers most of us), your world is changing and changing rapidly.
Sorry, this is going to be long, so you might want to get a cup of coffee and possibly some aspirin before you start reading.
First, if you are a merchant that accepts credit cards: effective Oct 1, 2015, if you do not accept chip-based credit cards (the so-called EMV cards that have been the standard in Europe for 10 years – we are just a little bit behind) and there is credit card fraud, you, as the merchant, become financially liable for the loss (for gas stations, that does not happen until 2017).
This means that as a merchant, you have to change your credit card reader equipment, train your employees and, if your credit card processing is tied into your point-of-sale system, likely change that as well. All this is at your cost as a merchant. Here is Visa’s guide for merchants on how to migrate from the old mag stripe credit cards to the new chip-based cards.
One thing that is still different between the U.S. and Europe is that Europe requires that you enter a PIN with the chip card, while we are going to use the old-fashioned signature. A PIN is likely much more secure – retail clerks rarely check whether your signature matches the back of the credit card. Mastercard and Visa opted not to use a PIN because they thought that people might use their cards less if they were harder to use – and that is like a knife to the heart for credit card processors. They would rather eat the losses, which they pass on to the merchants in the form of fees, who pass them on to you and me in the form of higher prices.
The second change that will affect merchants is the release, in April 2015, of the PCI 3.1 standard. The main reason for this change is all of the SSL bugs that I and others have been writing about for months (including Heartbleed, POODLE, FREAK and Bar Mitzvah, among others). This will likely require a number of software upgrades, as SSL is no longer allowed, only the current version of TLS.
In addition, as of PCI 3.0, released in January, merchants are now required to conduct penetration tests at least annually, which are much more complicated than the old requirement for doing vulnerability scans (see guidance on conducting penetration tests here). Merchants also have to implement intrusion detection and prevention technology.
Now the part that affects consumers – which, of course, also affects merchants if they choose. Apple released Apple Pay earlier this year. Some merchants embraced this; others are totally fighting it, either by turning off the NFC feature on their credit card terminals that is required to make it work or by not fixing that part of the terminal if it breaks. This is so much of a problem that some customers have reported that they have only completed ONE Apple Pay transaction successfully since they registered their cards.
But if that wasn’t confusing enough, customers and merchants will have to deal with other competitors to Apple Pay, including:
Samsung Pay – which only works with the Samsung Galaxy 6
Google Wallet – which has been around for a few years, but has not gained much acceptance.
CurrentC – the big merchants' alternative to Apple Pay. This is supported by the retailers, and they will give you discounts and freebies if you use this rather than Apple Pay. This will be hard for Apple to counteract because the merchants are in control of these discounts and freebies.
Stratos – a small high-tech startup with its own solution
Here is a guide to these options.
If you are a consumer, you can choose to use one of these alternatives or not.
If you are a merchant, you will need to make a bunch of decisions – running the risk of offending customers and having them go elsewhere.
And, I am sure, there will be more choices before this all settles out.