Chip-card conversion has retailers anxious

Shop owners face a little 'organized chaos,' Maine retail association executive says

Matt Hamblen
Zach Miners

The nation's retailers bear a huge share of the burden of converting to more secure chip card technology, even as banks have been shipping updated chip credit and debit cards to millions of customers for months.

On Thursday, retailers of all sizes must have inew payment terminals installed in their stores, restaurants and hotels. If they don't meet the Oct. 1 deadline set by banks and card companies, they will then incur all the financial liability for fraud with cards using older magnetic stripe technology.

Yet, only about half of the nation's 12 million payment terminals will be upgraded by Thursday, according to analysts and financial experts. With new payment terminals costing up to $600 apiece, it has been a massive and expensive conversion.

"October 1st snuck up so quickly," said Curtis Picard, executive director of the Retail Association of Maine, in an interview. "It's organized chaos, a little, right now."

There are about 9,000 stores, restaurants and other retailers in Maine, some with hundreds of payment terminals. Picard couldn't say how many have been converted to accept chip cards, which contain an embedded computer chip that hardens protections for a 16-digit card number, the user's name and the card's expiration date. Analysts said the situation in Maine is fairly typical of the rest of the nation.

"If you're not upgrading, you are accepting liability for fraud, but the cost of $300 to $600 per terminal is burdensome, especially for a small retailer," Picard said. "The benefits of the liability shift seem too great for many."

Picard said he personally believes that avoiding the liability is worth the added cost of installing the new terminals. He said some Maine retailers are facing the looming deadline with a tinge of anxiety. "Summer has come and gone and they say, ' I better get going' " on converting. "That's the situation we're hearing."

[ ALSO ON CSO: Is EMV the silver bullet to credit card fraud? ]

Visa, MasterCard and American Express have been shipping new chip cards to millions of card users for months. On Sunday, Visa said that the Oct. 1 date should be viewed as a starting point, not an end state, for the conversion. Card issuers first began planning the conversion in late 2011, when the U.S. was far behind Europe, Canada and other countries in adopting more secure chip cards.

Visa and others have said it will take another two to three more years before up to 70% of transactions are made at a chip terminal, and possibly four to five years to reach 90%.

"The October 1st deadline is like having cold water splashed in your face for retailers, even though the card companies and the banks are all painting this rosy picture about the conversion," said Avivah Litan, an analyst at Gartner. "Well, it's not so rosy. People are not telling all the details of the chaos in the background."

Litan spoke on a panel at the Food Service Tech conference in Washington on Monday where she said restaurant chain IT managers were especially concerned about the deadline. Large retailers like WalMart and Target are ready to accept chip cards, mainly, but that leaves mid-sized and smaller retailers widely unprepared.

At the conference, Litan said some restaurant chains complained they were facing a six-month to nine-month delay in getting new payment terminals certified to perform transactions. EMVCo, an alliance of Visa, MasterCard and EuroPay, which originally created chip cards decades ago, has a process for certifying terminals.

"I didn't realize there is such a backlog of people who have to be certified," Litan said.

It's unclear whether a retailer that has installed working chip-card payment terminals that are not yet certified will face liability for fraud immediately after Oct. 1, Litan said.

She also said retailers now are being told by banks and card processors to store receipts that have been signed digitally by their customers for purchases. Banks and card companies seem to prefer taking a customer's signature with a chip credit card, rather than have customers memorize a PIN to use with a chip credit card.

"Having the stores save the receipts themselves is almost like going back to the stone ages," Litan said. When Canada converted to chip cards, that nation's retailers at first required chip credit card signatures on a digital screen, but have gradually shifted to requiring a PIN code instead, Litan said.

Picard said he wished the credit card industry would push U.S. consumers to learn a PIN for credit card use, just as they have with debit cards. "Adding that four-digit code to a chip credit card would make things much more secure, so why not take the extra step to go to chip and PIN as well as convert cards to chip cards?" Picard added. "We think consumers are pretty smart and savvy at remembering a four-digit number."

Using a PIN instead of accepting a signature would protect against theft or loss of a chip card, since a thief would also need to know the PIN to buy something with the card, said Jordan McKee, an analyst at 451 Research.

"The big worry we have with the chip conversion is particularly for small and medium businesses," McKee said. "Many of them simply don't see the need for chip cards or any clear return on investment. To them, it's just the next shiny object that they constantly get pitched on."

McKee has also urged reluctant retailers to convert warning that if they keep using magnetic stripe technology, thieves will inevitably migrate to their businesses. "Those still married to magnetic stripe are the easiest to attack from the fraud standpoint," he noted.

McKee said a 451 Research survey of 154 businesses with fewer than 20 workers conducted in September showed just 14% had adopted chip terminals, and that nearly two-thirds won't be ready by Oct. 1.

"It's very easy to counterfeit a magnetic stripe card, and all you need, basically, is a magnetic-tape card reader to get a 16-digit card number and other data," he said. "But a chip card protects that sensitive data on a microchip. It would be cost-prohibitive to attack that chip at scale, and it's never been done effectively."

Consumers won't incur any liability for fraudulent use of their new chip cards, just the same as today with magnetic stripe cards. In fact, several surveys show that roughly half of Americans generally have no idea what a chip card is or whether it is even more secure.

This story, "Chip-card conversion has retailers anxious" was originally published by Computerworld.

Copyright © 2015 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)