Last Friday\u2019s Oct. 1 deadline for so-called EMV or \u201cchip-and-PIN\u201d credit card technology to replace the 1960s-vintage \u201cswipe-and-signature\u201d magnetic stripe card system should not have been a surprise to any of the major players in the payment card industry (PCI) \u2013 merchants, card issuers and banks.Visa, one of the three developers of the EMV standard (along with Europay and MasterCard) announced in August 2011 \u2013 more than four years ago \u2013 that it would be moving to EMV in the U.S. (it has been in use in Europe for more than a decade). The EMV Migration Forum\u00a0was created by the Smart Card Alliance in July 2012.For the past year and a half there have been regular, increasing reports\u00a0of the impending deadline, along with warnings that if merchants or card issuers did not have EMV technology, they could be on the hook for the cost of fraudulent use of cards.But, based on how many of the participants met that deadline, it looks like a lot of them were unaware of it or ignored it. Estimates last week of the percentage of merchants that lack the new payment terminals ranged from 50 percent to as high as 75 percent.[ ALSO ON CSO: Predicting winners and losers in the EMV rollout ]Gilles Ubaghs, \u200esenior analyst of financial services technology at Ovum, an independent analyst and consultancy, noted that his firm found, \u201c30.2% of merchants reported that they had never heard of EMV at the beginning of this year, and a further 36.8% report they have no interest in launching EMV in the future.\u201dAnother survey, by Randstad Technologies, found that, \u201cas late as this summer, 42% of businesses had either taken no steps or were unaware of any progress toward the transition.\u201dJason Oxman, CEO of the Electronic Transactions Association, cited a survey\u00a0by The Strawhecker Group that found only 27 percent of U.S. merchants were EMV-ready by last week\u2019s deadline. That is expected to increase to 44 percent by December, but not get to 90 percent until 2017.He said the survey showed the card issuers doing better \u2013 that 70 percent will have issued EMV-enabled cards by the end of the year.Tokenization can prevent future data breaches by replacing account information with single-use tokens that cannot be intercepted. Jason Oxman, CEO, Electronic Transactions AssociationAnd Joram Borenstein, a vice president at NICE Actimize, reported\u00a0last April on a less scientific but more entertaining personal survey in greater Boston, where he tried to use the chip portion of his credit card at more than a dozen brand-name chains and independent retailers.\u201cIn the majority of cases, the clerk behind the counter had no clue what I was doing \u2026 They almost always looked annoyed and instructed me to swipe; I think they thought I had gone mad,\u201d he wrote, adding that he thinks Boston is typical and that, \u201chardly anyone is ready for chip-and-PIN. Merchants certainly aren\u2019t \u2026\u201dThe obvious question is: Why? Especially given the liability risk. Especially since EMV makes \u201ccard-present\u201d transactions much less vulnerable to fraud, and the U.S. currently holds the dubious distinction of leading the world in that area of cybercrime.Not to mention that the U.S., which prides itself on being among the most technologically advanced nations in the world, lags behind most other countries in implementing this technology.[ ALSO ON CSO: Is EMV the silver bullet to credit card fraud? ]According to experts, there are a number of reasons. First, the deadline is not a law. Failure to meet it will not produce fines or criminal sanctions.The most widely reported \u201cincentive\u201d to adopt it is the so-called liability shift, which means that whichever party \u2013 the merchant or the card issuer \u2013 has the \u201clesser\u201d technology will be held liable for fraudulent transactions.If a customer has a chip card but a merchant can only do swipe-and-signature, the transaction will still work, but the merchant will bear the cost of any fraud. Or, if the merchant has a new terminal but the customer doesn\u2019t have an EMV card, the card issuer eats any fraud costs.Adrian Lane, security analyst and CTO at Securosis, argued in a recent research paper\u00a0that there is much more involved than the liability shift \u2013 much of it very good for merchants \u2013 but he said much of the resistance to the change is because, \u201cmerchants are being asked to incur significant costs and operational disruption to solve a banking problem rather than a merchant problem.\u201dHe added that it is much more complicated than, \u201ca straight equipment swap.\u201dMark Horwedel, CEO of the Merchant Advisory Group, agrees. He said the large majority of the burden \u2013 especially the financial burden \u2013 of this transition falls on the merchants.\u201cThis is the most complicated and most costly point-of-sale (POS) project that\u2019s ever been foisted on merchants. They\u2019re making us pay for 75% of the conversion,\u201d he said, adding that in Europe, networks lowered their interchange fees or offered to share some of the cost of installing new equipment. Besides that, he said, U.S. merchants pay transaction fees that are seven to eight times those paid in Europe.\u201cCredit cards are a bank product,\u201d he said, \u201cand on their face they are unsafe, but the industry has made a one-sided effort to shift the expenses (of making it more secure) to the merchants.\u201dHe also complained about the time allowed for the shift. \u201cFour years is not enough,\u201d he said. \u201cIn Canada it was eight to 10 years. It is a huge overhaul.\u201dThis is the most complicated and most costly point-of-sale (POS) project that\u2019s ever been foisted on merchants. Mark Horwedel, CEO, Merchant Advisory GroupDick Mitchell, solutions director at Randstad, said there is no big push from consumers demanding the EMV system, \u201cso many businesses just aren\u2019t feeling the urgency to upgrade their systems. Part of that is because consumers have historically been insulated from the liability, but there has also been a lack of education.\u201dHe said it would likely take another major retail data breach, such as that at Target\u00a0in late 2013, \u201cto really light a fire under some of these retailers.\u201dThere are also warnings from security experts that such a major breach remains likely, since the American version of EMV won\u2019t be as secure as that in Europe, because many banks are allowing \u201cchip and signature,\u201d instead of requiring a customer to enter a PIN number.Ubaghs said such a move, \u201cdrastically reduces the effectiveness of EMV, as you remove one of the two factor authentication elements of EMV. A pickpocket could still use your card and forge your signature. It\u2019s a bad move by the U.S. that will weaken security.\u201dHe and others note that consumers in every other market are using PINs, and that U.S. customers do it with debit cards and ATMs.The main reason, they say, is that card issuers and banks fear that if customers are required to enter a pin, they won\u2019t use their cards as much. \u201cThey risk falling into a back-of-wallet position or even consumers abandoning cards,\u201d Ubaghs said. \u201cRemembering a PIN on a card isn\u2019t that difficult, but if you have five or six cards, you might change or abandon some if you have too many PINs floating around.\u201dLane warned in his paper that another flaw, at least so far, in EMV is that it, \u201cdoes not mandate the use of point-to-point encryption (P2PE), much less full end-to-end encryption. PAN (primary account number) data is still transferred in the clear, along with any other data passed, if payment tokens are not being used.\u201dMany businesses just aren\u2019t feeling the urgency to upgrade their systems. Part of that is because consumers have historically been insulated from the liability. Dick Mitchell, solutions director, Randstad TechnologiesA lack of encryption was one of the things that made the Target breach so catastrophic.The token problem is being addressed, Oxman said, with the deployment of, \u201cnew, cutting-edge technologies that along with EMV present a multi-layered defense of our complex networks. Tokenization can prevent future data breaches by replacing account information with single-use tokens that cannot be intercepted.\u201dStill, as many experts have noted, and even EMV advocates acknowledge, EMV offers no security improvement for online, or \u201ccard-not-present\u201d transactions.But its advocates point to evidence that it curbs fraud. \u201cWhat we do know from EMV chip-mature regions of the world,\u201d said Jeremy King, International Director of PCI Security Standards Council, \u201cis that EMV chip, no matter how it is implemented, results in a significant reduction in counterfeit fraud at the point of sale.\u201dLane agrees that better security, not to mention decreased liability for fraud, are good reasons to adopt EMV. But, he argued in his paper that they are both secondary to the benefits of the much more major shift that is coming: Mobile payments.Companies like Starbucks, he wrote, have, \u201cdemonstrated conclusively that consumers will use mobile phones for payment.\u201dAnd he believes that, \u201cthe move from passive magnetic stripe cards to smart cards is a big jump, but from plastic cards to smartphones will be the payment industry\u2019s equivalent of the shift from horses to automobiles.\u201dHe goes into considerable detail in his paper, but summarizes what he called, \u201ca wealth of advantages for merchants (from mobile payments), delivered with minimal to no operational disruption, including:Better customer experienceBetter tracking and analyticsBetter fraud detection through reference tokensImplements P2PE with no loss of functionalityReduced breach potential through systematic removal of PAN data\u201cThese are in addition to the trumpeted reduction in liability,\u201d he said.