This Saturday marked the one year anniversary of the EMV “fraud liability shift” in the U.S. – the time, last year, that all retailers were supposed to have EMV terminals in their stores and all banks were supposed to have issued cards with chips. Retailers that were not ready by this time would incur the costs of any counterfeit card used at their point of sale.
EMV – which stands for Europay, MasterCard and Visa – is a global standard that uses chip technology to authenticate credit and debit cards. The technology is much more secure than the magnetic strip on the card and difficult to duplicate. EMV came highly anticipated, in the wake of numerous large-scale data breaches and increased counterfeit card fraud, with the mindset that this technology would improve payment security and make it more difficult for fraudsters to successfully counterfeit cards.
A year later and like many companies, we’re reflecting on the good, the bad and the just plain ugly of EMV and how it has affected retailers and consumers.
EMV – So Where are We Now?
The answer is simple – not as far as expected.
The Strawhecker Group (TSG) recently published survey results that estimate 44% of U.S. card-accepting merchants have EMV terminals. This is lower than their January 2016 survey, where it was estimated that 50% of merchants would have EMV terminals by this time. TSG also found that less than a month away from the October 1st anniversary of the EMV liability shift that only 29% of U.S. merchants are actually able to accept chip-based transactions.
“EMV merchant adoption has slowed down a bit, at least comparatively speaking to our last EMV survey results in January 2016,” said Jared Drieling, business intelligence manager at TSG. Approximately one-third of merchants have activated EMV POS systems despite the larger base of U.S. merchants with EMV terminals in place. “EMV terminal vendor supply and delays in the terminal activation/certification process are the bottlenecks in the migration,” he said.
Drieling noted that EMV adoption can also vary greatly across industries; for example quick-service restaurants, who thrive on fast service, are suspected to lag behind in the EMV transition. By December 2016, TSG estimates that consumers will be able to use their chip-based credit and debit cards at 51% of U.S. merchant locations.
What’s also worth noting from the survey is an increased number of chargebacks by the non-EMV compliant merchants – over 60% of the respondents surveyed – proving that merchants are feeling and will continue to feel the impact of the liability shift brought on by EMV.
EMV Implementation Costs Merchants
The reasons for lagging EMV adoption vary from the large expenses merchants must incur to upgrade to EMV-enable terminals (estimated at $300-$500 per terminal), to card issuers dragging their feet in sending customers their new chip-enabled cards, to fear of confusion and a slow in-store check-out process.
Whatever the reason, there are some true nightmares that have come to life for merchants within the last year that were attempting to transition to EMV.
One case reported in PaymentsSource was Arizona grocery chain Bashas. The chain’s conversion to EMV was well underway a year in advance of the 2015 deadline but a series of glitches on partner and vendors’ sides, including software issues, delayed turning the service on for 10 months – passing the liability shift deadline and thus responsible for fraudulent card usage occurring in that timeframe.
Netflix was also a casualty of EMV – even though they are largely an online business and don’t use payment terminals. Their monthly subscribers, after receiving chip-enabled cards with new account numbers and/or expiration dates from card issuers, did not notify Netflix of the new cards. Netflix relies heavily on subscription revenue and could not bill a large segment of consumers that received new cards, leading to a 10.2% decline in year-over-year subscriber accounts for Netflix.
Negative Consumer Experience and Long Checkout Lines
Wall Street Journal Reporter Joanna Stern pretty much hit the nail on the head when she described the checkout process with a chip card:
“Here’s what it’s like to buy something at a store these days:
- Swipe card.
- Get scolded by cashier to use the chip reader.
- Insert chip and cancel all foreseeable plans.
- Wait some more.
- Celebrate once you hear that joyless “Remove card” sound.”
Ms. Stern also did her own research on the time it takes to check out, remarking:
“After pulling out the stopwatch for over 50 transactions at various retailers in recent days, I can confirm that it takes twice as long to pay with a chip card than with a card swipe or mobile payment—on average, 13 seconds versus 6 seconds.”
The card brands recognize that this is a problem and both Visa and MasterCard are working on speeding up the process. However, merchants who have not yet implemented EMV will likely delay implementation again until after the holidays, as they did in 2015.
EMV is Important – But it’s Not the Silver Bullet
Fraud costs in 2014 for U.S. retailers were over $32 billion, up from $23 billion from the previous year. And let’s face it, card fraud will only continue to rise.
According to the report “The State of Retail Payments 2016,” from the National Retail Federation and Forrester, of the 59 North American retailers surveyed, 86% planned to be EMV-ready in 2016, and three quarters put EMV implementation among their top three payment challenges this year.
EMV will continue to be important, as it protects a merchant from fraud if a counterfeit card is used at the point of sale terminals. Additionally, EMV chip and signature “authentication” technology helps to prove, by way of the chip, that the card being used is not fraudulent and by way of the signature, that the consumer using the card is the rightful owner.
But what EMV does not do is secure credit card data, and as retailers test and adopt more payment technologies – and as fraud continues – they are investing in other ways to protect, or devalue, their card data.
“Think of P2PE as the Cloak of Invisibility used in the Harry Potter stories. It conceals the credit card data from the moment it enters a payment portal, so it is encrypted before even being sent to the service provider. ‘P2PE protects card data while in transit between the merchant and its processor, making it nearly impossible for hackers to skim the actual, usable card data while it is in transit,’ the report states.”
Additionally, NRF’s report shows that 6 in 10 of those retailers surveyed – 61% – also plan to implement tokenization by end of 2017. The report explains that “tokenization protects cardholder data that is at rest in a retailer’s or vendor’s system by replacing the real 16-digit card number with another 16-digit reference number, thereby making it useless to a hacker.”
As the leading provider of PCI-validated Point-to-Point Encryption (P2PE) integrated and stand-alone solutions for retail, mobile, call center and kiosk/unattended environments – we write a lot about the importance of EMV, PCI-validated P2PE, and tokenization in a holistic approach to payment security.
What we have found most interesting in terms of EMV one year later is the recognition that EMV is not the silver bullet to payment security and, as demonstrated by reports such as NRF and Forrester’s, retailers recognize that they also need P2PE and tokenization to protect the actual payment data.
While EMV has been painful for consumers and merchants, it’s a necessary technology to authenticate credit and debit cards. And like any new technology, there will always be bumps in the road. Here’s to hoping for a smoother year in EMV and an improved checkout experience.