EMV Migration: The Merchants Fight Back
Merchants Say Tokenization a Better Long-Term Security Solution
U.S. banks and credit unions say they're waiting for U.S. merchants to take payments security more seriously. While they agree card security is a shared responsibility, they argue that they, not merchants, have for far too long paid the price for breaches that result in the compromise of card data.
Until merchants are required to cover fraud losses and recovery-related expenses associated with breaches, such as the one suffered by Target in late 2013, they have little incentive to change their security practices, banking institutions argue.
But merchants see it differently. And last week during Information Security Media Group's Fraud Summit Los Angeles, representatives from two national retail associations had an opportunity to share their perspectives.
Both association speakers strived to leave our audience with a better understanding of retailers' desire to enhance payments security. Despite bankers' claims, America's merchants take security very seriously, they contended.
David Matthews, general counsel for the National Restaurant Association, who sat on the end-of-day payments security panel with Liz Garner, vice president of the Merchant Advisory Group, stressed that payments security is "clearly" a shared responsibility.
I don't think anyone would argue with that.
But what did spur some debate were Matthews' points about why most merchants aren't rushing to implement EMV chip transactions, in spite of the impending October 2015 fraud liability shift date set by the card brands for fraud that results from mag-stripe transactions.
Matthews told the audience, which comprised mostly bankers, that nearly half of U.S. merchants - 46 percent - had not yet begun any preparations for EMV acceptance at their points of sale. He said that's because most smaller merchants don't believe that the cost of fraud outweighs the expense of EMV investments.
David Pollino, senior vice president and enterprise fraud prevention officer at Bank of the West, a $69 billion institution based in California, responded by saying smaller merchants, in particular, that have not initiated an EMV shift should be bracing for a rude awakening post-October 2015. Losses associated with mag-stripe card transactions, which are now covered by issuers, will be too much for many smaller merchants to bear, he argued.
Matthews and Garner said their members are aware of the risks. But they argued that merchants are reluctant to rush to invest in a technology that they believe isn't going to enhance security.
Is EMV Worth the Expense?
Merchants believe that EMV compliance, like PCI compliance, costs a lot of money and still doesn't prevent breaches.
In fact, Garner said EMV isn't going to solve most of the increasing fraud problems merchants and issuers alike face today. The only parties coming out ahead in the EMV migration plan, she argued, are the card brands, such as Visa and MasterCard.
"The card brands - who don't have the same skin in the game - control PCI-DSS and EMVCo," the standards body that manages and tests EMV specifications, Garner said. "There needs to be an open standards process in the U.S. to craft and maintain the most secure and interoperable standards, and to lay a strong foundation for mobile commerce."
Merchants, Garner added, are interested in making technology investments that will truly protect consumer cardholder data over the long haul.
Rather than focusing solely on EMV, merchants want open-source tokenization solutions that can ensure the protection of transaction data in both card-present and card-not-present/e-commerce payments. EMV cannot do that, Garner said.
"It's issuers, merchants and cardholders who bear the brunt of fraud losses in the U.S.," Garner said. "It's in our best interest to work together to help take fraud out of the system. We absolutely can and should be able to work more closely together in the future. Information sharing is a key part of risk management."
Target, while far from being the biggest card breach, was a powerful catalyst for payments change in the U.S. And it's clear from last week's exchange at our Fraud Summit that banking institutions and retailers do share a common interest.
My hope is that these two factions will continue their dialogue in 2015 about what the best steps are for improving payments security. The discussion at our summit was a good start, and I look forward to seeing the debate continue at our future Fraud Summits. Check out the schedule of upcoming events, and register for the summit nearest you. Let your voice be heard.