October 1 has finally arrived, and retailers that have not updated their payment terminals to meet Europay, MasterCard and Visa (EMV) standards are now liable for some fraudulent payment activities — shifting the responsibility away from banks and credit card providers. Have retailers planned effectively and implemented the required new technologies in stores? Perhaps even more critically, are consumers equipped and informed about the new standards and payment procedures?
Retailers across all categories are spending close to $8 billion to complete the necessary upgrades that enable their point-of-sale (POS) terminals to accept EMV payments, according to the Retail Industry Leaders Association (RILA). The organization also expects that most large retailers will complete the POS upgrades this fall to accommodate the liability shift.
Despite these efforts, others in the payments industry point to retailers as a weak link in the overall move to EMV.
“Issuers have largely gotten the cards into consumers’ hands, but merchants have not activated terminals or completed migration for chip,” said Randy Vanderhoof, Executive Director of the Smart Card Alliance, in an interview with The San Diego Union-Tribune. “As we get closer to the deadline, there’s going to be a significant ramp up of merchants that are going to enable chip … and a significant flood of chip-on-chip transactions. If there are any unforeseen problems with cards, merchant terminals or consumers [in understanding how chip cards work], they will be exaggerated by the sheer volume of transactions that will be hitting the market at the same time.”
Although EMV payments will certainly present a learning curve for both stores and shoppers, RILA recently raised its own questions concerning whether financial institutions were doing their part to comply with the liability shift. The trade group points to the most recent data disclosure from Visa, which shows that as of July just 18% of the 720 million debit and credit cards issued by Visa to consumers contained an embedded chip.
Other recent surveys show similar, though higher, levels of compliance from financial institutions. Leading up to the liability shift deadline, 41% of consumers reported that they had received a new chip-enabled card from their bank or credit card provider, according to ACI Worldwide’s EMV Readiness Survey, which polled 1,000 adults in the U.S.
“Retailers are making a multi-billion dollar investment to protect customers and reduce credit card fraud,” said Brian Dodge, EVP, RILA. “Unfortunately, the claims being presented by the financial services industry represent an attempt to mislead reporters and consumers rather than provide the facts surrounding the upcoming October 1st liability shift.”
Is EMV Worth The Spend?
The October 1 deadline also represented a significant time and cost commitment. Costs to upgrade terminals can run between $200 and $1,000 per device, and implementation, from start to finish, can last as long as 20 months. Facing these significant requirements and unwilling to add major upgrade costs to their budget, some retailers, especially SMBs, are letting the deadline pass without making any upgrades and instead deciding to roll the dice on being responsible for fraud losses.
“There’s a lot of urgency around the EMV transition in retail, but retailers need to remember that EMV compliance doesn’t provide total security protection and it isn’t a regulatory mandate,” said Jerry Rightmer, EVP and Chief Product And Strategy Officer, Starmount, a commerce platform provider. “Like any business decision, EMV compliance is a question of the tradeoff between cost and benefit: if fraudulent transactions aren’t a major cost to you now, you may be better off hanging tight on an EMV upgrade until you are ready to make a full in-store system replacement.”
For example, UK-based retailers that faced their own EMV deadline used that opportunity to add next-generation POS and in-store systems that supported features such as omnichannel selling, inventory visibility and customer engagement.
“The primary focus then became not just about the EMV compliance, but about adding advanced capabilities to help drive higher sales across channels while limiting the cost of fraud,” said Rightmer.
Where Will Criminals Hit Next?
Complying with the EMV standards could lessen the possibility of the well-publicized black eyes that recent data breaches gave U.S.-based retailers. However, EMV is not a shield that protects all retailers from every attack. For example, online transactions will still include card account numbers and track data that attackers can use — leading them to move towards card-not-present (CNP) transactions, such as online shopping.
“Online merchants need to worry about nefarious activity as criminals shift their focus to CNP transactions due to the tightening-up of fraud protection at most physical retailers,” said Frederick Felman, CMO, Recurly, an enterprise-class subscription billing platform.
U.S.-based retailers can look to other countries, such as Canada and the UK, to find best practice tips and clues to where criminals will strike next. Studies from Europe and Canada show that U.S. retailers that have completed in-store compliance requirements should now shift their focus to e-Commerce.
“For merchants and acquirers that are ready, it means a significant improvement in the security of in-person transactions,” said Franklin Tallah, Managing Principal, Compliance and Governance, Verizon Enterprise Solutions. “Specifically, attackers will have a much tougher time making counterfeit payment cards.”