2015 was a wild ride for payments. From federal regulations and cybersecurity to mobile innovations and contactless payments, there has been a steady flow of change this year. As December winds down and the world slows its pace to enjoy some moments of peace, we reflect on the most notable advances in the payments industry, and what’s in store for 2016, in our 3-part series.
And to kick it off, everyone’s favorite payment topic of 2015 – EMV.
That 3-letter word we couldn’t escape: EMV
EMV came to fruition on October 1st, when the deadline for adoption hit and the liability for fraudulent card use at the point of sale shifted from banks to merchants.
The deadline has passed and the response from merchants has been lackluster. On December 18th, PYMNTS.com published thoughts on the 60-day evaluation of EMV from industry experts including Lori Breitzke, Marketing at Verifone; Shan Ethridge, Vice President and General Manager of North America Financial Services Group at Verifone; and Brian Hamilton, Senior Director of Risk Products and Business Intelligence at Visa.
“Of 12 million merchant terminals in the U.S., only 314,000 were EMV-enabled by Oct. 1 — and not all of them were activated and in use. The card side was a bit more prepared, with roughly 250 million cards upgraded to include chips. But that’s still a small drop in the proverbial cards bucket — there are 2.1 billion cards in circulation across all networks and platforms.”
“‘There were expectations that we would be 100 percent deployed across issuers, acquirers, processors and merchants,’ says Breitzke. ‘It’s now obvious it’s going to take a good deal longer than that.’”
Why has EMV implementation been so slow?
Retailers have their reasons, and the bottom line is a key one. Committing to expensive, EMV chip-enabled payment terminals is a hard pill to swallow. Even if a merchant did commit, there was justified concern over increased wait times at checkout as consumers go through the learning curve of using their chip cards. In fact, many merchants purposely did not “turn on” EMV by October simply because they did not want the new technology to interfere with their holiday season.
“We are seeing longer transaction times, with it taking up to 10 seconds to [process] the card,” says Lori Breitzke, Visa. “Most major retailers are seeing between 1–9 seconds longer at the terminal. There is a huge desire to get that down.”
Consumer World’s recent survey revealed that fewer than 46% of major retailers are actually using their EMV-enabled terminals.
“NBC News followed up with some of the big name retailers who have not yet enabled their EMV terminals, including Bed Bath & Beyond, CVS, Costco, Foot Locker, Kmart, Kohl’s, PetSmart, T.J.Maxx, Toys”R”Us and Whole Foods. Many have plans to roll out the changes gradually throughout 2016.
Mallory Duncan, senior vice president and general counsel at the National Retail Federation, notes that it takes the average retailer about 19 months to get the new chip card payment system up and running. Many stores did not have time to do that before the start of the holiday shopping season, so they decided to delay implementation.”
The great debate of Chip and Signature versus Chip and PIN
Adding to the confusion around EMV on the retailer and even the consumer side is that EMV has been implemented in the U.S. as Chip and Signature, rather than the Chip and PIN used in the rest of the world.
Ideally, EMV is a strong two-part authentication process: the chip itself, plus a unique PIN, or personal identification number, that cardholders must enter when using the chip card, even for credit cards. A stolen chip card with a PIN is useless to a criminal who does not know the PIN, whereas a stolen chip card that relies on a signature is simple to use. So if the card is stolen out of your wallet, home or anywhere else, it can be used at a retailer, unless the retailer asks for identification to check your signature and name.
Retailers are disappointed with the Chip and Signature decision.
“‘There are two indisputable facts,’ Conexxus Executive Director Gray Taylor recently wrote. ‘According to the Federal Reserve Bank, signature transactions have a 400 percent greater fraud risk than PINs, and consumers know that PINs are far more secure than signatures.’”
EMV: What to Expect in 2016
The chip and signature debate will continue to rage
Ruston Miles, Bluefin’s Chief Innovation Officer, does see EMV bringing a decrease in counterfeit fraud in 2016, but that decrease will be tempered by the lack of a PIN on cards.
“Chip cards contain a cryptographic key that authenticates the card and creates a one-time code for each transaction, and as a result, we will see a decrease in counterfeit fraud. However, since EMV in the U.S. does not require PIN authentication (domestically, EMV is chip and signature), we will not see a decrease in lost and stolen card fraud. Any criminal can forge a signature, but a 4-digit PIN is difficult to replicate while standing in the checkout line. The desire to implement PINs into the EMV technology system will be a discussion heard often in 2016.”
Full implementation won’t happen for many years
Forrester has predicted that EMV cards won’t achieve broad adoption in the U.S. until 2020, while the Payments Security Task Force has said the transition to EMV chip cards will be nearly complete – 98% of total credit and debit cards – by 2017, based on issuers’ estimates.
On the flip side, GrowthPraxis has estimated that two out of three payment terminals in the U.S. will be EMV compatible by 2020 – which is just 65%.
As we all know, EMV takes two to tango – and without a compatible card and a compatible terminal, there is no dance.
The potential rise in card not present fraud is the EMV wild card
We’ve heard a lot about how card not present (CNP) fraud will rise because EMV makes it harder to use counterfeit cards at the POS.
“After EMV (Chip & PIN) implementation in the UK, card-not-present fraud spiked 79% and continues at an alarming rate 5 years later,” says Miles. “The complete 16-digit card number and 4-digit expiration date are transmitted in the clear in the EMV payload. Malware continues to steal the clear-text data in the UK even with EMV. Fraudsters use this stolen data for online fraud and purchases.”
However, we don’t have any hard statistics pointing to this trend yet – likely because such a small fraction of retailers and cards are EMV enabled and in use. We should get a better idea in 2016 of the fraud patterns that come about due to EMV.
Stay tuned for next week’s part 2 of Bluefin’s 2015 Payments Wrapup, where we look at the biggest fraud threat retailers and organizations will continue to face: malware.