EMV Transition Delays Persist
Six months after the EMV chip card liability deadline, merchants and issuers are still lagging behind when it comes to EMV-enabled point-of-sale system implementation, leaving systems vulnerable and consumers confused.
However, experts said they are not surprised.
“I think we are where we expected to be since the U.S. market is the largest and most complex payment ecosystem in the world, and there's no mandate or requirement that retailers participate in the EMV migration,” Randy Vanderhoof, executive director of the Princeton Junction, N.J.-based Smart Card Alliance, said. “The result is there is going to be a mixed response. That is what we are seeing.”
The four major U.S. credit card issuers – Visa, MasterCard, American Express and Discover – established Oct. 1, 2015 as the day when credit card fraud liability shifted to merchants if they did not have an EMV payment system ready.
“There are very few issuers that really wanted to do this,” Michelle Thornton, director, product development for the Rancho Cucamonga, Calif.-based payments CUSO CO-OP Financial Services, said. “Just like very few merchants wanted to do this. It is as we all predicted, it is going to take a while.”
Although it is still too early in the transition process to draw any conclusions about fraud upticks, two card fraud trends have begun to raise some eyebrows.
Last year, the security firm Experian serviced about 3,550 card breach incidences, according to Experian data breach resolution vice president Michael Bruemmer.
“It is down about 20% to 25% versus last year so far,” Bruemmer said. “In terms of overall rate it has gone down. Two-thirds of security incidents involving payment cards are still coming from the old mag stripe. So from that it seems like more people have not turned on or adopted the [EMV] technology.”
The Omaha, Neb.-based management consulting firm The Strawhecker Group released survey results in February that estimated only 37% of U.S. merchant locations are EMV-ready. TSG's previous survey of payment processors and other payment providers, completed last September, estimated more than 40% would be EMV ready by this time, showing a slower implementation pace than expected before the shift.
A CU Times survey conducted in conjunction with the Tampa, Fla.-based Card Services for Credit Unions in October and November 2015 found almost eight in 10 credit unions (78%) missed the highly anticipated liability shift deadline.
There is a wide spectrum of retailer engagement in EMV, Vanderhoof noted, including merchants that consciously made the decision not to upgrade. Other businesses were very proactive in getting their systems upgraded before the liability shift in order to provide the maximum level of security protection for their system and customers, he added.
“They are just going to take the risk and see what happens,” he said of the merchants that chose to opt out.
In the middle of the spectrum are businesses still in transition, Vanderhoof said. These businesses may have invested in the hardware but not the software, so while their terminals are capable of supporting EMV, they opted not to activate the technology yet. Alternatively, they might be waiting for their processor's testing certification or approval.
“We are probably reading the same reports as to why that is happening – merchants don't want to train their staffs, they haven't gotten the software done yet, or it's not tested or certified,” Thornton said. “I am not sure what the motivation is behind it. We’re seeing a lot of different experiences and confusion for cardholders.”
For credit unions, the migration has mainly led to member confusion. Thornton explained members call to ask why the chip card does not work at certain merchant locations or what is wrong with the card.
“Then the credit union has to tell them it is a merchant issue,” he said.
Thornton added, “The reports we’re hearing from our credit unions is that it is a bit of the Wild West out there as far as what you are going to run into. Merchants having it on one day, not having it on other days.”
She added many merchants are taking EMV cards even if they haven't fully transitioned their systems.
“They may be taking credit, but not debit, and some will take the chip dip but then [the cashier] asks the user to pull it back out and swipe it,” she said.
Bruemmer said he has also seen a lot of consumer uncertainty.
“They go to one outlet where it is required, then they go to another outlet where it is not required or there is confusion over whether it's PIN or signature,” he said. “Even at some outlets that went from chip and signature to chip and PIN, there is some confusion.”
Vanderhoof added, “There were many more retailers that intended to have their systems upgraded, in place and operational by now that have found it much more difficult, more costly and more time consuming than they had planned.”
This is due to a wide variety of factors, but he said merchants are mainly relying on their partners and suppliers to be on the same EMV upgrade timetable.
In the past, issuing financial institutions absorbed the majority of card fraud burden.
“Now, there is no predictable level as to how much fraud liability is going to shift onto those merchants,” Vanderhoof said.
Businesses that have not seen much fraud could see a new wave if they wait too long to transition to EMV. Establishments such as convenience stores, fast food restaurants and coffee shops, which were previously not considered high-value targets for people with stolen payment credentials, are suddenly now at risk, Vanderhoof noted.
“Those primary fraud targets are becoming fewer and farther between for the criminals, so they are going to look to other targets that historically have not been the first place they would go to with stolen credentials,” Vanderhoof said.
Thornton said CO-OP has not seen much impact as far as the ability to process transactions.
“The biggest impact is at the point of someone trying to make a payment,” she said. “So it is around the consumer experience.”
Thornton added, “The CO-OP Dispute Resolution Center is actively exercising chargebacks on fraudulent transactions as the result of the EMV liability shift. We certainly do want our clients to adopt the chip cards. Adding this extra layer of security provides protection with card present transactions and makes it much more difficult to produce counterfeit cards.”
She added CO-OP still expects to see forward movement in the EMV space.
“Yes, it's bumpy right now, but everyone is going to have to physically move to it at some point,” she said. “I do not see it slowing down.”
Bruemmer said, “This isn't going away. Those companies that have not adopted for whatever reason, operationally and technologically, are required to have met the EMV adoption deadline. They are the group that is most at risk.”
Bruemmer added he believes with the exception of gas pump and ATM operators, which have extended liability deadlines, those that have not adopted EMV chips and devices should be held accountable for fraud.
“That is something we all need to do just to protect the consumer,” Bruemmer said.
EMV is only one aspect of the payment puzzle facing e-commerce and brick and mortar merchants. Mobile and online payments, card not present security, tokenization, biometrics and a whole other host of changes are coming at them quickly.
“There has been no concerted effort to provide business stakeholders with an understanding of what the underlining technologies are and how they need to develop a strategy for upgrading or implementing some of the technologies,” Vanderhoof explained.
To expand its investment in educating industry stakeholders on how to make payments and identities more secure, the Smart Card Alliance announced a new training center in Crystal City, Va. The National Center for Advanced Payments and Identity Security will function as a permanent facility for live, interactive and dynamic educational activities, including workshops, educational courses, briefings, symposiums, and training and certification testing.