Overview

Paygistix is a RM Gateway EMV processing option that is available in starting with Restaurant Manager version 19.1. Paygistix is a compelling RM Gateway option because it provides a single solution for MSR, NFC, and EMV. The Paygistix gateway is currently certified with Payment Logistics (preferred vendor) and First Data Omaha.

Paygistix EMV is implemented in a way that cardholder data never enters the POS environment. By employing tokenization technology, the Paygistix EMV interface eliminates the need for Restaurant Manager to store sensitive cardholder information. When configured for normal use, the POS application and terminal are completely out of PCI scope when using a payment terminal with Paygistix EMV. One huge advantage to the Paygistix interface is that most credit card handling changes will be handled through the device and not Restaurant Manager.

Will Credit Card Processing be the Same?

The steps for processing a credit card payment at the POS will be somewhat similar to how restaurants have always processed credit cards in the past. However, there will be some noticeable differences. Here are some of the key differences.

You will no longer be able to just swipe a card from anywhere within an open order to enter a CC payment. Unlike traditional credit card processing with a standard MRS, EMV payment requires the POS to awaken the EMV terminal to establish communications.

To enter an EMV credit card payment, the employee will enter the Settlement screen and chose a CC payment type. At this point, a prompt will appear telling the employee to dip the credit card on the EMV terminal. The EMV terminal will communicate with the processor and seek an approval code. The EMV terminal will pass a long a token to Restaurant Manager when authorization has been obtained, a credit slip (on existing POS printer) will print out, and the employee can add a tip on the POS station or the EMV terminal. CC Tab transaction will be processed significantly different. All CC tabs will now require a pre- authorization and dipping the card into the EMV terminal because the EMV terminal will first contact the processor and then pass a token back to the POS rather than communicating directly to the POS. CC Tabs must be completed with Complete Auth and will require the card to be present when completing the transaction to remain EMV compliant.

Please note an EMV terminal is not simply a standard MSR and EMV credit card processing will not be exactly the same as before because of the change in communication flow. The EMV terminal will complete at least twelve functions before passing tokens to the POS. Some of the functions an EMV terminal will perform is determining card type (i.e. credit card vs debit card), the restrictions of the card, if a PIN required, plus many more functions. At this point the EMV terminal will go out to the processor to check if the card is valid and then pass a token back to the POS. In other words, there is no longer just simply swiping a card. This translates into slightly longer processing times and change in functionality. There is definitely a trade off in functionality for enhanced security. However, security should be of the utmost importance as this demonstrates the restaurant has a strong commitment to protecting the customers data. In addition, EMV shifts liability back up to the processors leading to a reduction in charge backs. Another benefit is that EMV terminal will now process NFC transaction. Please visit the FAQ's section of the document to see what functionality has changed.

Will EMV Make You PCI Compliant?

Simply put: No ! In reality, you don’t need to implement EMV in order to be PCI compliant. Whats the between difference EMV and PCI-DSS ? EMV uses technology that authenticates that a card is valid and belongs to the person using it, but PCI -DSS involves a broader set of data security controls that protect cardholder data through the payment transaction process. In fact, EMV and PCI Compliance are managed by two separate entities with completely different set of governing rules. This article published by the PCI -SSC helps explain the difference between the two organizations. So do you need EMV ? EMV should be considered one component to building an overarching, cohesive data security strategy that helps you reduce your liability risk. Will you still need to follow PCI-DSS best practices? Yes you will. ASI has published a set of general guidelines that you can view here: RM PCI Implementation Guide.

What Does Out of Scope Mean?

As discussed above, if EMV does not apply to PCI-DSS compliance, than what does out of scope mean? In a traditional Credit Card processing environment, an MSR is connected directly to the POS. Keep in mind that a standard MSR is nothing more than a keyboard substitute. A card is swiped and passes the payment information through the POS software for authorization. The POS software then receives authorization from the processors where the transaction can be finalized. This is considered in scope because all cardholder data is present throughout the POS software and OS software (swipes are recorded within virtual memory unless correctly configured differently.

In an out of scope environment, the EMV device is awaken by the POS to start the payment process. Here is the difference: instead of first sending the information through the POS software, the EMV device sends transaction data directly to the processor for approval. The EMV terminal will receive the authorization from the processor and pass it back to the POS via a token. This arrangement takes the POS system out of the authorization process because no card holder data is sent to the POS, thus taking the POS system out of PA-DSS scope. Once again, just because EMV processing is considered out of scope does not mean you are relieved from PCI compliance.