Authentication , Fraud , Payments Fraud

EMV: Why U.S. Will Miss Oct. Deadline

Experts Opine on Impact of Fraud Shift, Status of EMV Migration
EMV: Why U.S. Will Miss Oct. Deadline

The U.S. payments infrastructure will come up far short of completing the rollout of EMV technology by the Oct. 1 fraud liability shift date because of high costs, a perceived lack of consumer demand and doubts about EMV's ability to significantly reduce card fraud.

See Also: Secure Access in a Hybrid IT World

Although fraud-fighting experts say progress is sub-par, few will even offer updated estimates on the quantities of chip cards or EMV-ready POS terminals that have been rolled out so far.

"There is no authoritative data; just speculation," says Randy Vanderhoof, executive director of the EMV Migration Forum.

Earlier this year, the forum predicted then that by the end of 2015, 600 million chip cards would be in circulation in the U.S., and 7 million EMV-compliant POS terminals would be in operation. But Vandherhoof says he can't offer an updated status report.

However, a survey of 150 smaller retailers, completed in August, found that fewer than 22 percent reported they were EMV compliant, according to Software Advice, a POS software consulting firm for merchants. The firm's small survey of consumers found that 62 percent had not yet received chip cards from issuers.

Meanwhile, The Merchant Advisory Group, which represents 85 of the country's leading merchants, estimates that only 20 percent of 13.9 million POS devices at U.S. merchant locations will be EMV capable by October or shortly thereafter.

And Visa estimates that as of the end of July, 127 million Visa-branded chip cards had been issued and 295,000 merchant locations had installed EMV-compliant POS terminals. But according to near-field communications trade publication NFC World, that only represents about 18 percent of the 720 million Visa-branded payment cards in the U.S. and 19 percent of the 247,000 U.S. merchants that process Visa transactions.

"We'll see marginal progress by the end of 2015," says Tom Wills, director of Ontrack Advisory, a consulting firm focused on payments innovation. "I think the rollout will take at least until the end of 2016, with small businesses being the main 'drag factor.'"

Fraud Liability Shift

As a way to encourage the implementation of EMV chip cards, card brands set Oct. 1 as the fraud liability shift date for magnetic-stripe point-of-sale transactions.

After the shift date, merchants will be liable for fraud that results if a consumer uses a chip-enabled card at a POS terminal that only accepts magnetic stripe transactions.

Wills contends that the biggest hurdle that stands in the way of EMV adoption by merchants and card issuers alike is cost.

"The main thing is the cost of upgrading equipment and training staff to use the new equipment," he says. "Then there is the cost of [EMV] certification, which can range from hundreds to a few thousand dollars."

Those expenses are very difficult for small and mid-sized merchants to justify, Wills says, especially because their customers aren't asking for EMV. And banks are facing similar issues, he adds.

"Chip cards are a lot more expensive to produce than magnetic-stripe cards," Wills notes. "But the main challenge for issuers is customer education. ... Since consumers aren't exactly pressuring their issuers to give them chip cards, it's not been a priority for all banks."

Justin Guinn, a market research associate at Software Advice, which surveyed merchants, notes: "The reasons they said they haven't already adopted EMV relates to cost and concerns that EMV is not necessary."

Some 34 percent of surveyed merchants said they've not moved forward because they don't have time to research and implement EMV, and 25 percent say EMV is just too expensive, Guinn notes. "Twenty-three percent said EMV is unnecessary, which shows a lack of knowledge about what the liability shift entails, and the amount of fraud that could fall back onto merchants."

EMV's Impact on Fraud

Merchants' perception that EMV won't reduce fraud signals a need for more education, says Troy Leach, chief technology officer of the PCI Security Standards Council.

"What we do know is that everywhere any form of EMV has been adopted, it has significantly cut down on fraud at the point of sale," he says. "As U.S. businesses migrate to EMV and update their POS environments, they need to be confident the technology is set up correctly to protect their customer base ... as well as their overall payment security efforts. That is a big focus for us at the council - making sure merchants that are trying to do all the right things have the resources they need to protect themselves and their customers."

But Wills contends that even when chip cards are widely used at chip-enabled POS terminals, card fraud is not going to significantly decline. That's because the U.S. is relying on signatures for authentication, rather than PINs, which are widely used in other nations.

"The weakened incremental security offered by chip and signature, along with the unclear business case for most merchants to comply - even taking the liability shift into account - basically defeats the purpose of the industry going to chip cards in the first place," Will says. "That's because a required PIN, interacting with the chip, is the main fraud barrier to lost or stolen card use that chip cards offer when compared with magnetic-stripe cards. We've been using signatures in the magnetic-stripe world for decades, and we know that merchants don't check them, even though they're supposed to. They're still not going to check them when chip cards arrive, and the chip's ability to authenticate the cardholder won't be used."

But other experts argue that even just a move to chip, regardless of whether it's chip and signature or chip and PIN, will be a vast improvement over mag-stripe technology.

Continued use of signatures for in-person credit-card payments is seen by card issuers as a way to help encourage use of chip-based credit cards, says Tim Webb, a fraud executive at Citibank. That's because consumers are already accustomed to using signatures to complete purchases with magnetic-stripe credit cards.

Wills, however, argues that the industry has incurred a massive infrastructure cost for the EMV shift in return for only a marginal fraud reduction.

"Some merchants are coming to this conclusion on their own and choosing to just accept the liability," he says.


About the Author

Tracy Kitten

Tracy Kitten

Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 18 years' experience, Kitten has covered the financial sector for the last 11 years. Before joining Information Security Media Group in 2010, where she now serves as the Executive Editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.




Around the Network