The Green Sheet Online Edition
January 25, 2016 • Issue 16:01:02
EMV, four months on
It's been four months since the Europay, MasterCard and Visa (EMV) mandate took effect in the United States, yet the migration to EMV-compliant POS terminals is far from complete. Lack of merchant awareness is one reason. An even more compelling factor, however, is the existence of long queues for processor certification of EMV-compliant terminals and software applications.
"You have to get in line early, and you have to be ready when they [certifying companies] are ready," said Jim Dugan, Chief Financial Officer at Charge Anywhere LLC, based in South Plainfield, N.J. But chances are good that most processors will need more time to get ready than initially expected. "It's not an easy process; there are a lot of moving pieces," Dugan added. And it's a process that must be repeated for every payment app, terminal and gateway.
In January 2016, Charge Anywhere heralded certifi-cation of its ComsGate Payment Gateway with Chase Paymentech's Tandem platform. The company had already certified with Chase a series of encrypted devices equipped to accept a variety of EMV payment types through the Charge Anywhere software platform.
"Our EMV solution supports retail and mobile implementations for merchants, and we have a tool kit for software integrators to quickly and easily provide EMV payment functionality with minimal development effort and at a fraction of the cost of developing EMV card acceptance capabilities," Paul Sabella, Charge Anywhere's Chief Executive Officer, said in announcing the certification. Yet, there is still more to be done. "We're already back in line with Chase" for additional certifications, Dugan said during an interview.
The certification queues haven't been lost on the merchant community. "We have lots of retailers who have made and continue to make significant investments in equipment upgrades but cannot avoid the liability shift due to a lack of certification," Gray Taylor, Executive Director of Conexxus, a not-for-profit group focused on convenience store technologies, stated in the fourth quarter of 2015.
And merchants aren't the only parties to card payments that need to be on board. Many card issuers face the same queuing issues that POS hardware and software providers confront. "Individual card issuers in some cases had to get in line with their providers," said Douglas Brent, counsel to the law firm Stoll Keenon Ogden PLLC. And, of course, there were cost considerations. "Issuers are looking at their individual business cases," he added. "They are also looking at [customer] risk profiles. … All the October date meant was that the liability shift could occur then," he added.
EMV is a global technology standard that protects against card counterfeiting. EMV cards store vital account and accountholder information in programmable chips and issue a unique code that accompanies each transaction from the point of capture through settlement. It is considered far superior to mag stripe technology, but it also ushers in process changes and customer service issues. For example, chip cards must be inserted (dipped) into a slot and it takes time for the chip to be read, which is a big change from swiping cards through mag stripe readers.
October 2015, a soft deadline
The United States has been slow to move to EMV, despite widespread adoption elsewhere, so the card brands established deadlines to prod greater adoption. Most U.S. merchants were supposed to be EMV compliant by Oct. 1, 2015. Petroleum dealers with pay-at-the-pump devices have until October 2017 to upgrade to EMV compliance. Taylor noted that as of November 2015, there was only one fully certified solution for pay-at-the-pump, which had just been introduced by Heartland Payment Systems Inc. and The Pinnacle Corp., a supplier of automated solutions for convenience stores and petroleum dealers.
"The fact that our industry has but one fully certified solution one month after indoor liability shift, and 23 months before automated fuel dispensers shift, shows how inadequately implementation was planned for our market," Taylor said.
To be in compliance with EMV, POS devices must be able to read the encrypted data and pass it through for clearing and settlement. Concrete numbers are hard to come by, but a report published in November by the Congressional Research Service, stated that as of October 2015 fewer than half of U.S. retailers were ready to accept EMV cards.
In addition to chips, EMV cards from U.S. issuers also contain traditional mag stripes, which can be read by non-EMV POS terminals. Under the mandate that took effect in October, any merchant that uses a non-compliant terminal (reads mag stripe instead of chip) is financially liable for losses should that information get breached and used to perpetrate fraud.
Historically, issuers paid about 60 percent of losses from card fraud, primarily that associated with card-present transactions, while merchants paid 40 percent, or the bulk of losses from card-not-present transactions, according to the November 2015 report from the CRS cited above.
Consumer adoption, glitches
ACI Worldwide surveyed consumers in 2015 and found that nearly six in 10 had not received chip-enabled cards in the run up to the EMV mandate. What's more, 67 percent did not understand the reasons for using chips instead of traditional mag stripe authorization.
CardFlight Inc., which specializes in mobile payments, said its data suggests card issuers have been stepping up efforts to get EMV cards into the wallets of customers. CardFlight said that between October and November 2015, it recorded a 5 percent increase in the share of transactions coming through its gateway that were initiated with EMV-compliant cards.
As of November, over 50 percent of transactions that passed through its payment gateway were originated using chip cards, CardFlight reported. American Express Co. cards are furthest along in the migration; 83 percent of AmEx cards have chips. Discover is the laggard, with just 40 percent of cards EMV compliant, according to CardFlight. Hawaii boasts the highest concentration of EMV cards: 63 percent of cards used in the Aloha State are EMV compliant, CardFlight said. In Mississippi, just 11 percent of credit cards issued contain EMV chips.
Meanwhile, there were numerous press reports about long lines at checkout during the year-end holiday shopping season because of the new cards. "Credit card chips mean longer lines for shoppers," stated a Dec. 27, 2015 headline in the New York Post. According to the article, cashiers at New York stores claimed it was taking between 30 seconds and several minutes longer to complete EMV card transactions than using mag stripe card readers.
Brent believes the problem may be exaggerated. "There is a perception that the checkout process is slower," he said. "However, my own experience suggests that isn't really the case." Dugan, in a recent interview, suggested consumer awareness and understanding is growing, and consumers seem to be adapting to it.
SIDE Note: Card fraud by the numbers
The 2015 year-end holiday season triggered a surge in card-not-present fraud, according to ACI Worldwide. An analysis of hundreds of millions of transactions from large global retailers showed fraud losses were down in terms of amount per transaction, but it also indicated that fraudulent transactions are growing in number. "Our findings suggest that merchants must be even more vigilant and shore up e-commerce fraud protocols, which may leave online shoppers vulnerable," said Mike Braatz, Senior Vice President for Payments Risk Management at ACI.
Here's a look at key findings gleaned from ACI's survey:
- Card fraud attempt rates by value increased by 33 percent between 2014 and 2015.
In 2015, one out of every 86 card transactions was a fraud attempt; in 2014 it was one out of 114.
- The average ticket value (ATV) using fraudulent cards was $273 in 2015, lower than the $282 average fraud in 2014. ACI said lower shipping costs, decreasing cost of goods and the ubiquity of coupons all contributed to falling ATV.
- Digital downloads charted the highest fraud rate (9.55 percent).
- Fraud involving buy online/pick up in store transactions grew by 28 percent. Retailers do not require consumers to re-run cards when they pick up products in store, making this an attractive option for fraudsters, ACI stated.
One consumer-facing issue that remains troubling to some – and has prompted dozens of posts to GS Online's MLS Forum – is tip adjustments for card-acceptance at tableside in restaurants. Some restaurants are said to be foregoing the switch to EMV until EMV-compliant devices can be modified to support tip adjustments. Several posts to the MLS Forum suggested this is a safe bet. "I just can't picture a restaurant getting too many stolen, face-to-face transactions for a meal," wrote a forum participant who posts under the name Clearent. A post by sdsorensen added, "The advantage for chargeback protection on counterfeit cards is miniscule for restaurants, nail salons, hair salons, etc."
As long as cardholders continue to sign for transactions, even when using EMV cards, however, tip adjustments should not be a big problem, said Dugan. "But when PIN becomes a requirement, they are going to need a pay at the table solution," he said.
To PIN or not to PIN
Card payments authorized by cardholders using PINs are considered inherently more secure than those authorized by signature, and the lack of a PIN requirement for EMV in the United States remains troubling to some.
"You don't need to be a security expert to know that an illegible scrawl is virtually worthless as a fraud prevention device," Mallory Duncan, Senior Vice President and General Counsel at the National Retail Federation, wrote in an Oct. 20, 2015 statement published by the NRF. Duncan went on to pillory card issuers and card companies for not requiring PINs with EMV cards. "Do banks let customers use a signature when taking money out of an ATM? Yet signatures are what banks want to use to 'protect' billions of dollars in daily transactions with their new generation of credit cards," he said.
Brent believes the jury is still out on whether foregoing PINs will have a material effect on card fraud in the United States under EMV. "Experience is going to tell us how much fraud overall is decreasing because of chips," he said.
When MasterCard Worldwide polled consumers in 2015, it said it found that most prefer using PINs to verify chip card payments. Forty-nine percent of consumers in the survey said they considered EMV with PIN to be the most secure type of transaction, compared with 45 percent in 2014. This year, 14 percent of consumers surveyed by MasterCard said they considered chip and signature to provide the best security, while 15 percent picked traditional mag stripes. What's more, "the vast majority of consumers we surveyed expect all types of stores to accept cards using chip technology," MasterCard wrote in a report on the survey titled Consumer Enthusiasm and Desire for Chip Cards Growing.
Following are a few other insights from that report:
- 73 percent of consumers surveyed said having a chip card would encourage them to use their credit and debit cards more often.
- 33 percent would be extremely or very likely to switch card issuers if their current issuers didn't offer chip cards.
- 75 percent of consumers said they expect to use their chip cards at merchant locations where they most often shop.
As the CRS noted in its November report to Congress, there is no concrete data that would confirm or deny the advantages of PINs since the United States is the only market to implement EMV with signatures. "[W]hile the primary driver of the transition is fraud reduction, it remains to be seen if signature verification will produce the same level of fraud reduction in the United States as PIN verification has produced in other countries," the agency wrote.
The U.S. Department of Justice entered the fray over PINs in 2015, publicly questioning a U.S. migration plan without PINs, before eventually back peddling. The FBI, which is part of the Justice Department, issued a public service announcement in October warning that chip cards "may still be vulnerable to exploitation by fraudsters" without PIN authentication. The message was replaced a few days later with a less damning warning that "no one technology eliminates fraud and cybercriminals will continue to look for opportunities to steal payment information."
The attorneys general of eight states and the District of Columbia wrote the leading card brands to urge that they implement EMV chip with PIN as soon as possible. "There can be no doubt that this [chip and sign process] is a less secure standard, since signatures can be easily forged or copied or even ignored at the point-of-sale," the letter stated. The eight states are Connecticut, Illinois, Massachusetts, Maine, New York, Rhode Island, Georgia, Virginia. The plea was not lost on the CRS. "Congress may wish to follow the renewed interest by some states to encourage PIN adoption," the agency advised.
Fraud is a huge and growing problem in the payments space and the key impetus behind the push for EMV cards and terminals. The Economist reported that Americans make one-quarter of card payments globally, yet the United States accounts for about half of global losses from card fraud. Most card fraud results from card counterfeiting; counterfeiters use stolen card data to create bogus cards. The logic behind EMV is to make it impossible for card data to be stolen in the first place since the card data is encrypted from the get go. This is important for card-present transactions where chips can be read by EMV-compliant terminals.
One result of the move to EMV in the United States has been a migration of fraud to card-not-present transactions. This migration of fraud appears to have begun long before the EMV mandate took hold. ACI Worldwide reported in November that its analysis showed a 30 percent jump in card fraud attempts between 2014 and 2015.
"When it comes to fraud, 2015 is likely among the riskiest seasons retailers have ever seen, and it is critical that they prepare for a significant uptick in fraud, particularly within e-commerce channels," said Mike Braatz, Senior Vice President, Payments Risk Management, at ACI Worldwide.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.