ATM EMV Deadline Looms
The next major step for merchants and card issuers in the move from magstripe to chip technology is looming: The liability shift deadline for ATMs and self-service fuel dispensers.
The liability shift deadline for ATM transactions made with MasterCard branded credit and debit cards is Oct. 1, 2016; Visa's deadline is Oct. 1, 2017.
Experts said as credit unions continue to migrate their magstripe plastic to chip cards, they should not neglect the impending deadline for making ATMs EMV ready. They must also prepare to educate members on the new ATM technology and emphasize chip card benefits.
“Every financial institution or anyone that has an ATM should be looking to upgrade their ATMs to meet that upcoming liability shift,” Art Harper, director of card payment solutions at the St. Petersburg, Fla.-based payments CUSO PSCU, said.
One expert emphasized the ATM transition isn't a mandate. It's a liability shift, and issuers and merchants have the option not do it.
“If the ATM owner has gone through the cost of certifying it and it is a magstripe card that has been compromised, then the liability goes to the issuer of that card, the credit union or the bank,” Jamie Topolski, director of alternative payment strategies at the Brookfield, Wis.-based core processor Fiserv, explained.
On the other hand, if a credit union or bank upgraded its payment cards to include the EMV chip but the ATM owner hasn't upgraded its ATMs, the liability falls on the ATM owner in the event of a fraudulent card transaction.
While there is no mandate for the ATM transition, the threat of fraud might be enough to convince ATM owners to complete the upgrades. Skimmers have been attacking older ATMs in final efforts to gather card information from the weakest points of the ATM network.
Some industry observers, such as the National ATM Council, said they believe only 40% to 50% of ATMs will be EMV ready by October 2016. According to the council, Visa currently has 217 million EMV cards in the U.S.; 115 million are credit and 102 million are debit. MasterCard said approximately half of its U.S. consumer credit cards (192 million as of December 2015 per the Credit Card Forum) are EMV enabled.
Topolski noted according to the National ATM Council, 42,000 independently operated ATMs will be a taken offline because of the transition.
PSCU has more than 400 credit processing member-owners, almost all of whom are currently issuing EMV credit cards.
In almost all circumstances, members receive complete protection in the event of fraud whether they have an old magstripe card or a new chip card.
“The question is whether the issuer of the card is going to bear the liability for fraud, or the merchant or ATM owner,” Topolski noted.
All automatic fuel dispensers must be EMV compliant by October 2017 to comply with the liability shift.
Fuel merchants received extra time because self-service pumps need their wiring upgraded to a broadband environment. They also require recertification by state officials to verify they are dispensing and charging correctly.
“The state governments are saying they can certify all the pumps in a timely manner,” Harper said.
However, there are still some unresolved EMV related issues, such as the perceived slow transition at POS terminals.
“The progress made in the last year and a half in the U.S. with migrating to EMV has been remarkable,” Topolski said. “The number of cards and merchants supporting EMV transactions has been great.”
Many experts agreed the transformation process is where they expected it to be, given the U.S. holds the largest and most complex payments ecosystem in the world.
Harper explained since the liability shift last October, approximately 70% to 80% of tier one retailers, including big box merchants, are EMV-ready and processing EMV transactions. Tier two, which includes regional supermarkets, and tier three, which covers mom and pop stores, are slowly moving to EMV.
In addition, the longstanding issue of PIN versus signature authorization has re-emerged.
“It is just more complicated with EMV, just as everything is with EMV,” Michelle Thornton, director, product development for the Rancho Cucamonga, Calif.-based payments CUSO CO-OP Financial Services, said.
Other countries mandated the use of chip and PIN. Requiring a PIN for every transaction addresses both the counterfeit card problem as well as the use of lost or stolen cards. In the U.S., chip-and-signature cards have been more prevalent than chip-and-PIN cards, in many cases because issuers want easier-to-use cards in consumers’ wallets.
Some merchants, such as Walmart, have encouraged consumers to enter their PIN.
“There are many merchants that have taken a similar position, in a sense that they are educating their consumers that the merchant will accept debit EMV cards only with a PIN,” Vladimir Jovanovic, director of debit, prepaid and ATM product management for PSCU, said.
Topolski added, “It is the merchant's right, under the Durbin amendment, to choose how they want to route the transaction.”
The food chain Kroger launched an extensive marketing campaign promoting its PIN requirement in debit EMV transactions, Jovanovic pointed out.
“This really shows that merchants are taking the EMV migration as an opportunity to educate consumers on their preference,” Jovanovic said. “The fact that those consumers may want to use their card and sign for that transaction does not seem to deter this merchant behavior.”
Depending on their terminal configuration, merchants will try to push consumers toward PIN or coerce the purchaser to choose options that result in PIN usage.
“Like in the magstripe world, merchants can configure their terminals in all sorts of ways,” Thornton said. “Ultimately, it is up to the cardholder. Some consumers want to use PIN and some don't. Every card in the U.S. has the capability of doing signature and PIN. You have to use a PIN at an ATM.”
Consumers have encountered a mixed bag of options because 42% of retailers have not updated the terminals at any of their stores to enable chip-and-PIN or chip-and-signature technology, according to a CardHub survey.
“Merchants that are steering consumer behavior at the point of sale by asking for only a certain type of authentication may be running the chance of losing those consumers as loyal shoppers,” Jovanovic said.
Harper also said because consumers have become accustomed to signing for debit card transactions, their experience weakens and becomes confusing when they are not given that opportunity.
“From a consumer perspective, the fewer restrictions they encounter, the more comfortable they will be with the payment process, and each consumer will find whatever suits them better,” Jovanovic claimed.
The CardHub survey found 56% of people do not care if a retailer's payment terminal is chip-enabled, and 62% do not understand the difference between the two methods. Some 41% of respondents said they do not have, or do not know if they have, a chip card.
Since security is at the root of the EMV liability shift, experts view that as a problem.
“Nobody is treating EMV as the cure-all for all fraudulent payments, but it is still more secure than magstripe,” Topolski said.
Harper pointed out magstripe transactions were static, meaning the data appeared in the same format or strung code each time regardless of the issuer. Thus, hackers were able to gather the information to create counterfeit cards easily. In the EMV environment, transactions are dynamic, with no two transactions presented in the same format.
“As an industry, we need to make sure that we are educating consumers adequately on the differences between their old magstripe cards and new EMV cards,” Harper said. “We need to realize consumer experience and education is the key to gaining utilization of the card. If the consumer receives good education from their issuer about the benefits and functionality of the card, it's more likely the consumer will use the card.”