The din from the drum of the EMV mandate is not what it was three years ago. But the reverberations over compelling retailers to adopt costly new point-of-sale technology in order to accept new chip-based credit and debit cards — and the debate over whether doing so has reduced fraud — continue to ripple through the industry.
Indeed, EMV has sent the traditional magnetic-stripe card the way of the dinosaur, with chip cards gaining ubiquity with retail’s most important stakeholder group — consumers. According to Visa, 97 percent of in-person card purchases were made with chip cards as of June.
Despite banks’ initial claims that retailers were slow to adopt EMV and retailers’ counterclaim that the card industry was slow to certify the equipment they installed — six months or more in some cases — implementation of EMV is now essentially a done deal. Visa says 67 percent of U.S. merchants now accept EMV at 3.1 million terminals. The National Retail Federation says the number is higher — at least 99 percent of large merchants and 81 percent of small retailers, with the remainder expected to make the move as they buy new terminals in the normal course of replacing old equipment.
“The road to adoption of EMV in traditional POS has been painful,” Boston Retail Partners Senior Vice President Perry Kramer says, noting “many of the regulations were still being finalized as merchants were developing processes” to implement the technology. Retailers faced challenges such as customers learning to “dip” rather than swipe. And consumers complained that EMV transaction took longer than mag-stripe, although that issue was largely resolved through the card industry’s rollout of “quick chip” EMV technology in 2016, he says.
“What you see today is that the majority of the Tier 1 retailers have it in, and it is working very well,” Kramer says. But “there’s a broad user experience still out there with EMV, some of it being very good and some of it not being so good.”
Many smaller retailers continue to struggle through the transition, Kramer adds. “This is due to a number of reasons including the cost of upgrading the software and hardware,” he says. “Change management and resource efforts required to make the changes continue to compete with other business priorities in a segment that has a very small resource pool.”
A SHIFT IN LIABILITY
It was October 1, 2015, when the credit card industry unilaterally decreed that retailers would be required to accept chip cards or face increased liability if a chip card was fraudulently used at a cash register without a chip reader. (The chip in an EMV card only functions in-person, not online.) EMV — short for Europay MasterCard Visa — was adopted by its two namesake card companies plus American Express and Discover as a means for mitigating payment card fraud. The issuers reasoned that EMV cards’ embedded microchips would more fully protect consumer data and improve security over the traditional magnetic stripe cards in use since the 1960s.
Under card industry rules during the magnetic stripe era, banks were responsible for fraud costs if a card turned out to be counterfeit, while retailers were responsible for fraud committed with lost and stolen cards. Under EMV rules, retailers are now responsible for fraud committed with counterfeit chip cards if they don’t have a chip reader, and remain responsible for lost and stolen fraud.
Retailers were quick to point out that the chip does nothing to prevent lost and stolen card fraud, and complained that the card companies forced them to pick up the estimated $30 billion cost of implementing a technology that would reduce banks’ fraud costs without solving fraud issues for merchants. They also said EMV diverted resources from technology like encryption and tokenization that prevent card numbers from being hacked in the first place.
But faced with the choice of installing new card readers or being exposed to billions of dollars in fraud costs, merchants were in a no-win situation, says Thad Peterson, a senior analyst covering payments with Aite Group. “In terms of protecting yourself from the liability, it was the only smart thing to do,” he says.
HAS EMV REDUCED FRAUD?
A study released by Visa earlier this year reported that merchants who completed upgrades to chip-card readers saw a 75 percent reduction in fraud committed with counterfeit cards between March 2015 and September 2018. The study did not address fraud committed with lost and stolen cards.
A Federal Reserve study released in October agrees that EMV has reduced in-person card fraud — but also shows that EMV has moved payment card frauds online. In-person card fraud fell from $3.7 billion in 2015 to $2.9 billion in 2016, but “remote” fraud rose from $3.4 billion to $4.6 billion in the same period, according to the study.
“These results suggest that remote card payments fraud is likely to be of increasing concern for the U.S. payments system going forward,” the Fed said.
For merchants, much heartburn remains over the EMV mandate. NRF Vice President for Government Affairs Public Relations J. Craig Shearman says that while the retail industry largely has complied with EMV, a more robust system of authentication for transactions remains a sticking point.
NRF has long argued that while the chip makes cards more difficult to counterfeit, it does nothing to prove that the person trying to use a card is the legitimate cardholder. NRF has demanded that banks make PINs available on credit cards the same as on debit cards, saying that requiring consumers to enter a secure, secret personal identification number for a transaction to go through could stop the fraudulent use of counterfeit, lost and stolen cards alike even without a chip. PIN could also block online fraud, NRF says.
“Our concern is that we’re now three years into EMV, and we still only have half of the security it is capable of,” Shearman says. “Chip alone certainly has been an improvement over magnetic stripes, but chip without PIN is like locking the front door and leaving the back door wide open.”
Credit card companies’ decision in 2017 to stop requiring signatures on card transactions had little impact since signatures were often “illegible scrawls” that did not sufficiently authenticate the user, Shearman says. But the card industry should have taken the next step and enabled PIN, he says.
According to NRF’s 2018 State of U.S. Retail Payments study, 51 percent of merchants surveyed said biometrics would be the best method of authenticating transactions. But with biometrics yet to become available on cards (it is currently limited to smartphones), 46 percent of merchants said PIN would be the most secure protocol that is widely available. A total of 95 percent said PIN improves transaction security and 92 percent said they would implement PIN for credit cards if it were available.
The survey also noted that 67 percent of merchants said they already have PIN in place for debit cards, and that 46 percent have installed equipment that would allow it to be used on credit cards if it were available.
The Fed study said that in situations where PIN is available in the United States — debit cards and at ATMs — fraud occurs three times as often without PIN as it does with PIN.
The retail industry views PIN as the “gold standard” for securing payment card security, Shearman says, noting that EMV chip cards do not directly prevent hacking of card data but only make it more difficult for thieves to use a hacked card number.
Analysts say that while the fervor over EMV may have quieted, the transition will continue for several more years.
Gasoline stations originally faced a 2017 deadline to get their pumps EMV compliant, a deadline that has now been moved back to 2020. Peterson calls the gas station mandate “a really big deal” because many stations are small business franchisees despite the well-known national brands on their signs. He says legacy machines proliferate in that segment of retail and upgrading terminals will be a significant undertaking: “It’s going to be a relatively costly venture.”
Peterson also points to upscale dining as another area that is due EMV treatment down the road, with restaurants moving to equip their locations with portable EMV terminals that can be used at the dining table to complete transactions. Fast food and fast-casual restaurants have largely already moved to EMV.
WHAT’S THE FUTURE?
After years of operating under rules dictated by the card industry, NRF and other retail associations this summer announced the formation of the Secure Payments Partnership, a new coalition intended to improve the security of the U.S. electronic payments system ranging from credit and debit cards to emerging technology.
SPP, which also includes the Food Marketing Institute, the National Association of Convenience Stores and the National Grocers Association, is demanding a seat at the table for all stakeholders — including retailers — when payment system security rules are set. And with ATM networks among those complaining that the big card companies dominate the setting of those rules, the coalition marks the first time that financial services companies have joined retailers on the issue — First Data’s Star network and the Shazam network are among the founding members.
“The payments system has to keep pace with rapidly evolving technology and the needs of consumers and commerce,” NRF Senior Vice President and General Counsel Stephanie Martz said in announcing the coalition. “The U.S. payments infrastructure should be the strongest, most innovative and most secure in the world, but we won’t get there unless we change the way we make security decisions.”
M.V. Greene is an independent writer and editor based in Owings Mills, Md., who covers business, technology and retail.