OAKBROOK TERRACE, Ill. — While thousands of convenience-store retailers continue their push to accept EMV payment inside the store, the October 1 deadline arrived with little if any fanfare, laying the cost of fraudulent purchases potentially on store-owners’ shoulders.
That’s not to say that liability will charge like an avalanche at retailers now that the shift date has passed. Any number of players along the payment process have to be equipped for Europay, MasterCard and Visa (EMV) before retailers will be liable, and at the same time customers have to receive the cards in order to start using them.
In a study released this fall by ACI Worldwide, Naples, Fla., nearly three in five (59%) of credit or debit cardholders surveyed said they have not yet received a new chip-enabled card. In that survey of 1,000 consumers, 67% indicated they have not received information from their credit-card issuer or bank explaining what EMV means and how it will impact them.
“Banks have failed to meet their own deadline for converting to chip cards, but America’s retailers are open for business either way,” said Mallory Duncan, senior vice president and general counsel for the National Retail Federation (NRF), in a statement. “Consumers with chip cards will begin ‘dipping’ their cards, instead of swiping them to pay at chip-equipped stores. If you are part of the majority of shoppers who still haven’t received a new chip card from your bank, you can still use your old magnetic stripe card at any retailer just as you do now.”
According to the NRF, credit-card companies have been unable to grant the necessary software and payment-terminal certifications to stores nearly fast enough to meet their own deadlines. Consequently, many retailers have chip-reading terminals set up in their stores, but can’t turn them on until they’ve been certified by the credit-card companies, Duncan said.
Gray Taylor, executive director with the association’s technology advisory firm, Conexxus, Alexandria, Va., told the National Association of Convenience Stores (NACS) that the credit-card companies gave U.S. retailers far too little time to ramp up for the transition. Since the shift deadlines were announced in 2011, retailers here have had only four years to move to EMV, compared with a 12-year migration that just concluded in Canada.
“It kind of feels like America is getting a ‘bum’s rush’ in the name of fraud reduction,” Taylor said. “The chip architecture of EMV has been touted as a serious remedy for card fraud, and it is indeed a credible ‘layer’ of added security that addresses one factor of card fraud: counterfeit.”
The other two types of transactional fraud, “lost and stolen” and “card not present” (which includes online purchases), are not touched by EMV, Taylor said. “So while our economy spends close to $30 billion to greatly reduce—notice I did not say eliminate, because it won’t—counterfeit fraud [which accounts for] about $3.5 billion annually, the whole enterprise misses the mark on the other two types of fraud,” he said.
Speaking at a software user conference last month, Taylor estimated the c-store channel would pay $3.9 billion to meet the October 1, 2017 deadline for forecourt upgrades to EMV, with that number rising to $8.9 billion over 10 years when financing and maintenance expenses are added in.
An important element missing with regard to EMV, according to Taylor, is the inclusion of personal identification numbers, or PINs. A 2012 Federal Reserve study showed that signature-authenticated transactions experienced 400% more fraud than PIN-authenticated ones (over 11 basis points of sales for some card types versus 2.7 basis points for PIN), Taylor said.
“If the card payments system were serious about reducing the societal cost of fraud, we would have adopted PIN authentication for all card transactions years ago,” he said, “but the card brands have elected to buck the trend of most other G-20 nations and marry its new 20th-century technology with signature—the security system first adopted by the Pharaohs—instead of PIN.”
Speaking last spring at the RSA conference in San Francisco, Eduardo Perez, senior vice president of risk services for Visa, Foster City, Calif., said, “It is important to know that we provided issuers and merchants a choice on the cardholder-verification method that they want to accept. About half of the merchants in the United States today do not accept PIN, so we want to make sure that we are providing cardholder-verification methods that meet the needs of the merchant community, and a large portion of the U.S. merchant community does not accept PIN.”
Most merchants have been equipped to accept PIN for years as a requirement for accepting debit transactions, Taylor said. Post-EMV, all compliant merchants will be capable of PIN.
Duncan concurs with Taylor. “Cards without PINs are not the safest possible measure,” she said. “Most banks refuse to include PINs on credit cards, but the majority of U.S. consumers prefer to use chip-and-PIN cards rather than chip-and-signature cards.”