The Green Sheet Online Edition
October 24, 2016 • Issue 16:10:02
Happy first birthday EMV: the safe, the slow and the numbers
I'm sure most of you recall last year's EMV (Europay, Mastercard and Visa) frenzy: Are you EMV ready? Get EMV ready for the October 1st deadline! EMV compliance – everything you need to know. And so on and so forth. Now, exactly a year in, payment professionals and merchants alike cannot help but wonder: What actually happened over the past year? How effective has EMV been? What were the consequences? Have we become EMV ready? And looking back, what did this readiness bring about?
Reasons for slow adoption
The rules were clear. Be a good merchant. Apply before the deadline. Update to EMV-capable POS terminals, certified and enabled by your acquirers. And you'll be off the hook. Liability for fraudulent charges will continue to fall on the card issuers and have no impact on your profits.
And supposedly, a good chunk of merchants did just that. A considerable number of them applied for certified terminals and considered their work done. But, of course, filing an application is only half the story, with acceptance being the other, equally important half – an acceptance that never came.
While big giants such as Target Corp. were EMV ready almost on the dot, smaller merchants encountered a pile of backlogged, lengthy applications that proved way more complex than initially planned. The result? Liability costs for merchants that culminated in a lawsuit from a group of smaller retailers alleging the card brands' certification delays were deliberate attempts to save money by avoiding paying for chargebacks. Were the accusations valid?
Were the merchants victims of rules that were beyond their powers? Or were the merchants to blame for not applying for certified terminals in good time?
Irrespective of finger pointing, the extent of EMV's current adoption is still debatable. While Mastercard quoted a 468 percent increase in updated terminals from October 2015 to July 2016, and Visa Inc. reported a total of 1.3 million chip-enabled locations reached by June (three-fourths of which were small to midsize businesses), when you compare their figures to the total market, the results aren't impressive. Mastercard's most recent report indicated a mere 30 percent retail adoption.
Costs versus benefits
Inevitably, when considering adoption, a cost-benefit analysis is vital for every retailer. Do the costs match up to the returns, or is it a futile investment leading toward a drained budget? The IHL Group estimated that retailers have spent $35 billion to solve an $8.6 billion annual problem. However, when the investment is evaluated over the long run (say, a 10-year period), the investment can make more sense.
Nonetheless, distinctions exist among individual retail segments. On the one hand, enterprise-level merchants and retailers such as jewelry shops or stores that experience high amounts of fraud can clearly see the return on investment. On the other hand, smaller convenience stores struggle to justify the shift. Indeed, USA Today reported that Jared Scheeler of the National Association of Convenience Stores estimated that an average of $26,000 was spent on EMV reforms. This is out of an annual $47,000 profit budget.
An incomplete version
Comparing the U.S. EMV implementation with its counterparts in other world regions, where the mandatory rollout of chip cards was also coupled with a PIN, making updated POS terminals in those regions a true two-factor authentication solution, caused a commotion: the U.S. EMV initiative was seen as a lagging, outdated measure that came a little too late.
By commotion, I mean outright accusations that translated into yet more lawsuits. With Wal-Mart Stores Inc. as the pioneer, followed soon thereafter by The Home Depot Inc., the card networks were faced with allegations that they introduced chip-and-signature technologies, instead of the safer, up-to-date chip-and-PIN technologies, to benefit from the higher rates for which the former qualified.
More security needed
New chip cards are deemed more secure than mag-stripe cards, as the data written on chips is dynamic, changing for each individual transaction. However, this is only part of what's needed for the entire safety protocol to be intact.
Experts have pointed out that it's paramount to enable additional functionalities that protect the data itself. Point-to-point encryption, through which data is encrypted from the point of capture all the way to the acquiring bank, and tokenization, which substitutes a random string of values for the actual payment data, have become essential best practices.
In late summer 2016, POS company NCR Corp. found that by rewriting the magnetic stripe of a chip card, it is possible to deceive POS terminals into thinking that the chip card is a mag-stripe card, which would enable hackers to continue their offline fraud. Nonetheless, the process is more intricate than it sounds. Even if this were to occur, the back-end system would identify that the data was compromised and reject the transaction.
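How dynamic chip data and the back-end check described above fit together, as an added example that is not from the original article: a simplified Python model in which HMAC-SHA256 and a transaction counter stand in for the chip's real cryptogram, and the issuer's policy of declining stripe reads on chip-issued cards is an assumption. All names and the card number are constructed.

```python
import hashlib
import hmac
import secrets

def cryptogram(key, amount_cents, counter):
    # Stand-in for the chip's per-transaction cryptogram (assumption: HMAC-SHA256).
    return hmac.new(key, f"{amount_cents}|{counter}".encode(), hashlib.sha256).hexdigest()

class ChipCard:
    def __init__(self, pan, key):
        self.pan, self._key, self._counter = pan, key, 0

    def pay(self, amount_cents):
        self._counter += 1  # the counter makes every message different
        return {"pan": self.pan, "entry_mode": "chip", "amount_cents": amount_cents,
                "counter": self._counter,
                "cryptogram": cryptogram(self._key, amount_cents, self._counter)}

class Issuer:
    def __init__(self):
        self.cards = {}  # pan -> {"key", "last_counter"}; every card here is chip-issued

    def issue_chip_card(self, pan):
        key = secrets.token_bytes(32)
        self.cards[pan] = {"key": key, "last_counter": 0}
        return ChipCard(pan, key)

    def authorize(self, msg):
        card = self.cards.get(msg["pan"])
        if card is None:
            return "DECLINE: unknown card"
        if msg["entry_mode"] != "chip":
            # Hypothetical issuer policy: a chip-issued card must not arrive as a swipe.
            return "DECLINE: stripe read on chip-issued card"
        if msg["counter"] <= card["last_counter"]:
            return "DECLINE: counter already used (replay)"
        expected = cryptogram(card["key"], msg["amount_cents"], msg["counter"])
        if not hmac.compare_digest(expected, msg["cryptogram"]):
            return "DECLINE: cryptogram mismatch"
        card["last_counter"] = msg["counter"]
        return "APPROVE"

def demo():
    issuer = Issuer()
    card = issuer.issue_chip_card("0000000000000000")  # constructed placeholder PAN
    first = card.pay(1999)
    tampered = dict(card.pay(500), amount_cents=50000)  # amount changed in transit
    swipe = {"pan": card.pan, "entry_mode": "magstripe", "amount_cents": 1999}
    return [issuer.authorize(m) for m in (first, dict(first), tampered, swipe)]
```

Calling `demo()` returns the issuer's decision for a genuine chip payment, a replay of that same message, a message whose amount was altered, and a stripe-only read of the chip-issued card.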
Should I dip? Slide?
Confusion about how to pay at the POS probably entered all of our minds at least once in the past year. Dieter Bohn, Executive Director of The Verge, tweeted, "US rollout of chip payments has been awful. Every point of sale terminal is a horrible guessing game." And he was right. Upon reaching the checkout terminal, users still face uncertainty. Questions arise: Does the terminal support chip cards? Even if it does, is it already certified to actually accept my card? Wait, is my card even chip enabled?
Arguably, this confusion is a temporary transition problem, but the rate at which this is being overcome is, yet again, slower than expected. For dipping to become a natural, nationally uniform habit for consumers, not only should the majority of terminals become EMV certified, but users should also become 100 percent chip cardholders.
The negative byproducts
I expect you all know what the negative byproducts are. It's been predicted. We've been warned. And it's happening. Online fraud was predicted to more than double between the inception of EMV and 2018, and 2016 data did not disappoint. Five months in, Forter Co. detected an alarming 27 percent increase in online fraud between the fourth quarter of 2015 and the first quarter of 2016. What's more, according to the latest study by Pymnts.com and Forter, fraud attacks on digital goods in 2016 saw a 186 percent rise.
As messy as the first year's rollout might have been, and even though EMV has proven to be an imperfect answer, the necessity of replacing outdated payment technologies in the United States cannot be contested. Let's hope that EMV is the first step toward a safer, more efficient payments ecosystem, as well as an educated merchant base that understands its rights and risks.
Evi Triantafyllides is the Marketing Director at PAAY, provider of a software solution that qualifies e-commerce transactions at lower interchange rates and shifts liability for ecommerce fraud away from merchants to card issuers. The first full-time employee at PAAY, Triantafyllides is responsible for the company's marketing and, at the same time, focuses on ISO relations and partnerships. Find out about PAAY at www.paay.co or reach out to her directly at firstname.lastname@example.org.