The major credit card issuers want every single point-of-sale terminal in the United States, from credit card machines to gas pumps, replaced or upgraded over the next two years.
Retailers and other businesses that don’t comply face liability for any resulting fraudulent payment transactions.
The conversion cost for retailers: Estimates range from $7 billion to as much as $30 billion. New card terminals can cost from $250 to $1,000 or more. Besides money, the switch will take time. Once new hardware and software have been installed, getting systems certified may take three to four months.
The change will be most expensive for merchants who haven’t upgraded their point-of-sale system in 15 years or longer.
THE DEADLINE
Because of rules from the card issuers, not legislation, liability for credit/debit card fraud shifts Oct. 1 from the card issuers to retailers and other businesses accepting credit cards if those businesses have not adopted payment terminals that accept cards using Europay, MasterCard and Visa (EMV) chip technology. Automated fuel dispensers have until 2017 to make the shift to EMV.
In 2012, Visa, MasterCard, American Express and Discover set the Oct. 1, 2015, deadline for the switch to chip-enabled cards and the subsequent shift in fraud liability to whichever entity uses the least secure technology. Several business groups have sought an extension of that deadline, but the card issuers have not backed off the deadline set three years ago.
Doubts abound if card issuers and retailers will be ready when Oct. 1 comes. The American Bankers Association expects half of the banks and retailers to have completed the transition by the deadline.
Javelin Strategy & Research estimates banks will replace only 23 percent of debit and credit cards by the end of 2015, which means many cards won’t be upgraded until 2016 or 2017. The Payments Security Task Force, a payment-industry group, also estimates that roughly half of U.S. merchant terminals will be ready to accept the new chip cards by the end of 2015, representing 80 percent of U.S. purchases.
Retailers who don’t expect to be immediately compliant still need to plan their EMV implementation today, if only to begin the education process.
The major card issuers are offering relief from some of the financial burdens. VISA offers merchants who make the conversion an incentive package, while American Express offers each small business $100 towards the upgrade.
HOW IT WORKS
Instead of swiping a card, the consumer ‘dips’ a chip card and leaves it in the reader throughout the authorization process or customers with dual-interface cards (cards with both a contact chip and a contactless antenna) may be able to quickly “tap” or “wave” their card near the reader at checkout. The embedded computer chips make credit and debit cards far more difficult to clone. Unlike magnetic-stripe cards, every time an EMV card is used for payment, the card chip creates a unique transaction code that cannot be used again. Counterfeit cards only account for only about 37 percent of credit card fraud, however, and the new technology will not stop other kinds of hacking and cyber attacks.
Analysts predict that credit card fraud at brick-and-mortar retailers will fall after the introduction of chip-enabled cards, but that online fraud will rise, as has happened in other countries using the technology.
To complete a chip-based transaction using an EMV card, the retailer must have installed a card reader that can read the data contained on a card’s chip. A retailer may also offer a contactless card reader, which allows customers to simply tap their chip embedded cards in order to make a payment.
Chip-only cards will still require a signature as well to complete the transaction. If the card is a chip-and-PIN, which is much more secure, a customer will enter his or her secure personal identification number, or PIN.
Most U.S. banks and card companies have chosen not to issue PINs with the new credit cards, an additional security measure that would render stolen or lost cards virtually useless when making in person purchases at a retail outlet.
Instead, the banks will stick with the present system of requiring signatures. The United States is one of the few developed countries that have not embraced chip-and-PIN technology. Retailers like chip-and-PIN transactions because they are cheaper. Shops pay larger fees whenever a customer signs for a transaction and smaller fees when a customer uses a PIN.
About 40 percent of major banks are or will support PIN capabilities. In addition to all major retailers accepting signature based cards, 65 percent plan to accept chip-and-PIN cards as well, according to CardHub, a credit card search tool.
The new chip cards also contain the old-fashioned magnetic stripe to accommodate merchants who don’t have the new technology and processors still have the magnetic stripe readers to accomodate cards without the chip.
WHO IS LIABLE?
Under the new system, if a retailer accepts a chip card but doesn’t have a chip reader, the bank will no longer bear responsibility for fraud if the card is counterfeit, shifting the burden to the retailer.
If neither or both parties have implemented chip technology, the liability stays the same as it is today (see chart below).
VISA will continue to maintain liability for lost or stolen cards, but the other major issuers will shift the liability for lost or stolen cards to the merchant if the merchant’s technology doesn’t match theirs (see lost/stolen card fraud chart below).
WHO BEARS LOSSES NOW
A 2013 study by the Federal Reserve on debit card fraud losses found that cyber security fraud losses are relatively evenly divided among merchants and card issuers. When fraud occurs in the area of credit-card purchases online, over the phone or by mail order, the merchant pays, not the card company. After refunding the cardholder’s money, credit-card companies turn around and charge the retailers for the loss. The merchants are also often charged additional fees, from $10 to $100 per transaction. Financial institutions are also compensated for fraud through interchange “swipe fees,” which merchants pay per swipe of a credit or debit card and total approximately $48 billion annually.
WILL CARDS GO AWAY?
Retailers and security experts say it would make more sense for the United States to jump instead to a more secure system, such as point-to-point encryption. This technology goes farther than chip-and-PIN, which first was deployed about 20 years ago, because it scrambles data to make it unreadable from the moment a transaction starts. But the newer technology costs as much as twice what the chip card transition will cost.
Another solution being touted is to move away from static card numbers that can be stolen and replace them with one-time use “tokens” that change every time you shop, like Apple Pay and Samsung Pay. Issues have surfaced, however, with how the tokenization system interfaces with banks. Even Apple stores have seen fraud related to that interface.
The Payment Card Industry Security Standards Council released a set of guidelines for tokenization the first week in April.
Still, banks may be moving away from the plastic card completely.
“What we want to do is get rid of static numbers all together. Those are the things that make us vulnerable,” Doug Johnson of the American Bankers Association has said.
SOURCES: EMV Migration Forum, National Retail Federation, Retail Industry Leaders Association, Wall Street Journal, Fortune, CNN Money.
CHANCE TO LEARN MORE
Discussion of the EMV conversion was part of a free June 10 webinar about Changing Consumer Purchase Patterns.
The webinar was part of Retail University, a series of free webinars brought to you by Alabama Retail and the Council of State Retail Associations. For more details or go to the calendar under Events at alabamaretail.org.
This information first appeared in Alabama Retail Quarterly, First Edition, 2015.