Chip card payment confusion, anger rages on

Merchants blame card companies for delays in certifying EMV software

chip pin credit card emv
REUTERS/Philippe Wojazer

Six months after U.S. retailers began assuming liability for debit and credit card fraud, only a fraction of the nation's in-store payment terminals can accept the highly secure chip-enabled cards.

As a result, customers often face confusion and delays at checkout counters when trying to make payments. Many small, mid-sized and independent retailers still rely on insecure magnetic-stripe cards, despite the warnings of banks and card companies that those cards can be defrauded by criminals who surreptitiously skim customer account information and then use the customer's credit card information to buy goods illegally.

"Consumers don't know what to do at checkout and don't understand the chip technology and didn't feel the need for chip cards pushed upon them. They are now being caught in this mix. They don't know whether to swipe or insert a card, or sign, or use a PIN. They are dealing with longer lines, and retail staff are still learning about the cards and how they work," said Randy Vanderhoof, executive director of the nonprofit EMV Migration Forum, in an interview Tuesday. The forum represents a 170-member cross-section of banks, merchants and card payment technology companies.

EMV, which stands for Europay, MasterCard and Visa, is a global industry standard for chip cards and the technology that supports them. Chip cards, sometimes called smart cards, are already widely used in other countries.

The fraud liability shift and causes for delays

Starting Oct. 1, banks and card companies said U.S. merchants would have to assume liability for fraudulent transactions if their payment terminals weren't updated to support chip cards. Of the 12 million payment terminals in the U.S., an estimated 5 million to 7 million have been converted to chip-ready hardware, but just 1.2 million of those terminals and the required software are certified to accept chip cards by hundreds of different payment processing companies, Vanderhoof said.

Data from Visa tends to confirm his calculation. Visa said recently that 1.025 million merchant terminals in the U.S. could accept chip cards as of March. About three-fourths of those those terminales are in small and medium-sized businesses.

However, software certifications of chip-enabled systems are accelerating, Vanderhoof said. By the end of 2016, half of all installed terminals will be certified as ready to take chip cards. "That 50% mark is considered critical for fraud to go down," he added.

Banks vs. merchants, again

The delays in chip card certifications have led to a battle royale between merchants and banks (and their surrogate card companies), which have been enemies for decades over credit and debit card "swipe" fees that merchants must pay banks to allow their customers to use the cards.

On the one hand, the National Retail Federation blames card companies -- and indirectly the banks behind the cards -- for failing to push processing companies to certify chip-card equipment faster.

Banks and card companies, meanwhile, say merchants didn't adequately prepare for the Oct. 1 liability shift, which was first announced in late 2011. There were subsequent adjustments to the requirements for chip-enabled debit cards and to meet new federal requirements, but merchants still had years to prepare, the banks said.

Nearly a year ago, major industry players undertook a program to streamline and simplify the EMV testing and certification process for resellers and software vendors.

That hasn't stopped the NRF from accusing card companies of mishandling the process.

"At this point, the majority of major retailers have either implemented EMV [payments] or are in the process, and for the most part, retailers have done their part, but the holdup is the credit card companies who have dropped the ball and haven't certified the [software and] equipment, and that's frustrating for retailers," said NRF spokesman J. Craig Shearman in an interview on Tuesday.

"It's a lack of planning and preparation on behalf of the card industry," Shearman added. "Card companies will tell you they announced the liability date a year or two ahead, but the truth is they didn't provide all the technology details and standards until a few weeks [before the Oct. 1 deadline.] Retailers didn't have years to prepare. It was a 'hurry up and wait' process."

To add insult to the conversion confusion, many retailers are also reporting 10-fold or larger increases since Oct. 1 in "chargebacks" from banks for fraudulent charges that the banks no longer will pay because of the liability shift, he said.

As a result, some retailers, who used to get $10,000 in chargebacks, are now facing $100,000, he said. "There's been a dramatic increase in chargebacks — no relationship to EMV or not," Shearman said.

Two Florida retailers sue banks, card companies

Visa, MasterCard and other card companies and major banks have stood by their position that merchants and the rest of the payments industry have long known the liability shift would take place last October. They have argued that the card industry took steps to streamline certification and have even disputed some of the chargeback claims by retailers.

The position of the card companies and banks is partly laid out in a 34-page legal memorandum filed in federal district court for Northern California on Monday.

The memorandum asks a judge to dismiss an antitrust lawsuit (Case number 3:16-cv-01150-WHA) over the fallout following the chip card conversion filed by two Florida-based retailers against four card companies and nine major banks in March. A hearing is scheduled for June 2 before Judge William Alsup.

The two retailers, B & R Supermarket and Grove Liquors, said in the lawsuit that they have seen a 20-fold increase in their bills from banks for fraudulent transactions since the Oct. 1 deadline.

In response, the banks and card companies said the two retailers have not alleged sufficient facts to "establish a conspiracy to restrain trade."

Their memorandum adds: "Plaintiffs [B & R and Grove Liquors] have one central gripe: It used to be that card-issuing banks bore the cost for the fraudulent credit card transactions, but now, …merchants who have not timely adopted fraud-reducing technology in the form of EMV-chip-reading point-of-sale systems allegedly bear that cost until compliance. Plaintiffs blame this on decisions by the payment card networks —American Express, Discover, MasterCard and Visa — each to impose an Oct. 1, 2015 deadline for merchants' adoption of that fraud-reducing technology."

The memorandum also says that the retailers failed to secure certification of their newly installed chip card systems before the deadline, but "claim this occurred because of a conspiracy among defendants who allegedly control the certification process." Nonetheless, some merchants were able to complete their conversion and certification in time to avoid liability for fraudulent charges, the defendants added.

1 2 Page 1
Page 1 of 2
7 hot cybersecurity trends (and 2 going cold)