The Green Sheet Online Edition
September 14, 2015 • Issue 15:09:01
Insider's report on payments:
EMV is coming along, slowly
On Oct. 1, 2015, the Europay, MasterCard and Visa (EMV) protocol will become the standard for U.S. POS credit and debit card payments. So how prepared for the change are merchants and consumers? Not very.
Various studies suggest less than a third of card-accepting businesses are prepared, with EMV-compliant terminals in place, and it's not just smaller merchants who are missing the mark. "Outside of the big guys, like Wal-Mart, I think you'll find only a small percentage of major retailers are EMV ready today," said Lynn Holland, Vice President and General Manager Retail Payment Solutions at payment company ACI Worldwide Inc.
"Readiness varies by the merchant and the market they serve," said Jeff Guthrie, Chief Sales and Relationship Officer at Moneris Solutions Corp. "For merchants that deal in areas of higher fraud rates, like retail, there's definitely more of an urgency to switch over." Those with low tickets, like quick service restaurants, have been slower to change, Holland added.
EMV is a security protocol for chip cards and the POS devices that read the cards. EMV chips, unique to each card, transmit a one-time code when inserted into a card-reading device to initiate a purchase transaction. This eliminates the need for card-present businesses to capture and retain card numbers and related information that cyber-criminals can then purloin. U.S. cardholders will continue to sign to authorize purchases.
The technology has existed for years, and most major economies already have switched to EMV. The United States is under the gun to follow. To make sure that happens, the card brands have decreed that noncompliant businesses will bear liability for fraud that ensues from noncompliance. (So, for example, if card data is stolen from a merchant because he or she is still using mag-stripe instead of chip readers, the merchant will be financially liable for any losses that ensue.)
Issuers, merchants lag
Recently, I took an unscientific poll of friends and colleagues, using Facebook, to get a handle on card issuance. Forty out of 50 of those who responded had at least one chip card in their wallets. This surprised me. I still haven't received one at this writing (in early September). I was also surprised to learn it's not necessarily small card issuers that are lagging.
One friend, an East Coast suburbanite, reported, "My AmEx cards were first to have it, many months ago. But my Visa (issued by Chase) and my MasterCard (Bank of America) still haven't been replaced with chip cards." Another friend who lives in a remote area of Arizona and carries credit and debit cards issued by a Midwest credit union said his cards have been EMV compliant for several months, and he's been using them at chip reading terminals. "Many of the merchants here have the new chip readers," he said. "The thing I've noticed is that it drastically increases the time it takes to process a payment. It really holds up checkout lines."
Holland wasn't surprised by this. "The interaction between the terminal and the card is very chatty," he said. Besides, it's a chip not a high-speed computer, he added.
An acquaintance from Sacramento, Calif., said, "All the stores I shop at have the new machines with chip readers, but none are working yet. I'm still swiping."
I asked Guthrie about the disparity among issuers. "There are more than 1 billion cards that have to get switched over," he noted. "It's not a simple or cheap process for the issuers, and it's taking time." By some accounts, only about one quarter of credit and debit cards issued in the United States and in use today have chips. Some optimists expect upward of 70 percent of credit cards and 50 percent of debit cards to be EMV compliant by the end of the year.
"Merchants need to be prepared to accept EMV-enabled cards when they're presented regardless of how many actually have been put into consumer hands," Guthrie said. "If they don't have a terminal that can accept these cards, they're taking the chargeback risk of doing that transaction."
Part of the delay in merchant implementation is due to the EMV certification process. New EMV terminals must be certified by each card brand prior to mass market distribution. "The certification process is under extreme pressure," Holland said. "We're seeing saturation at every point in the process." However, Holland said that by mid 2016, 90 percent of the national and regional retail chains ACI serves should be up and running with EMV-compliant terminals.
EMV is only one part of solution
Despite its promise, EMV will not eradicate card fraud. The protocol does nothing to protect against online fraud, and experts expect online fraud to surge when EMV takes hold here. That could cause some consumer backlash. A survey taken in July 2015 by market research firm GfK and the Associated Press found that Americans are most concerned about the security of their personal information when they make online purchases, not so much when using their cards inside stores (45 percent versus 38 percent).
Meanwhile, retailers have been grousing because PIN authorization hasn't been mandated, even though EMV was intended to rely on PIN authorization. "Banks and card networks have some explaining to do," Jason Brewer, a spokesman for the Retail Industry Leaders Association, noted in a recent email to the press. "Why, if chip and PIN has been successful across the globe in reducing fraud, would we implement a less secure standard for American cardholders?"
Guthrie offered one explanation: consumer familiarity. "They're not familiar with the chip card concept, and they're used to signing for debit and credit payments," he said, adding that as U.S. consumers become more familiar with EMV, use of PINs to authorize payments will increase.
Holland agreed. He also noted that some merchants are motivated by the fact that interchange on debit card payments is lower than on credit card payments.
But just about everyone with a stake in the business agrees EMV alone cannot eradicate credit and debit card fraud. "In Moneris' view, EMV is one of many layers of security to protect credit and debit card data," Guthrie said. "EMV is the first line of defense, and then we layer in tokenization and end-to-end encryption to fully protect cardholder data."
Patti Murphy is Senior Editor of The Green Sheet and President of ProScribes Inc. She is also the founder of InsideMicrofinance.com. Email her at firstname.lastname@example.org.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.