
Why have most merchants missed the EMV deadline?

Oct 08, 2015

The Oct. 1 deadline to shift from “swipe-and-signature” credit cards to EMV, or “chip and PIN,” has been known for years. But merchants, and even some of the card brands, have been slow to respond. One major reason, according to merchant advocates: It’s too expensive and too complicated.

Last Friday’s Oct. 1 deadline for so-called EMV or “chip-and-PIN” credit card technology to replace the 1960s-vintage “swipe-and-signature” magnetic stripe card system should not have been a surprise to any of the major players in the payment card industry (PCI) – merchants, card issuers and banks.

Visa, one of the three developers of the EMV standard (along with Europay and MasterCard) announced in August 2011 – more than four years ago – that it would be moving to EMV in the U.S. (it has been in use in Europe for more than a decade). The EMV Migration Forum was created by the Smart Card Alliance in July 2012.

For the past year and a half there have been regular, increasing reports of the impending deadline, along with warnings that if merchants or card issuers did not have EMV technology, they could be on the hook for the cost of fraudulent use of cards.

But, based on how many of the participants met that deadline, it looks like a lot of them were unaware of it or ignored it. Estimates last week of the percentage of merchants that lack the new payment terminals ranged from 50 percent to as high as 75 percent.


Gilles Ubaghs, senior analyst of financial services technology at Ovum, an independent analyst and consultancy, noted that his firm found, “30.2% of merchants reported that they had never heard of EMV at the beginning of this year, and a further 36.8% report they have no interest in launching EMV in the future.”

Another survey, by Randstad Technologies, found that, “as late as this summer, 42% of businesses had either taken no steps or were unaware of any progress toward the transition.”

Jason Oxman, CEO of the Electronic Transactions Association, cited a survey by The Strawhecker Group that found only 27 percent of U.S. merchants were EMV-ready by last week’s deadline. That is expected to increase to 44 percent by December, but not get to 90 percent until 2017.

He said the survey showed the card issuers doing better – that 70 percent will have issued EMV-enabled cards by the end of the year.


And Joram Borenstein, a vice president at NICE Actimize, reported last April on a less scientific but more entertaining personal survey in greater Boston, where he tried to use the chip portion of his credit card at more than a dozen brand-name chains and independent retailers.

“In the majority of cases, the clerk behind the counter had no clue what I was doing … They almost always looked annoyed and instructed me to swipe; I think they thought I had gone mad,” he wrote, adding that he thinks Boston is typical and that, “hardly anyone is ready for chip-and-PIN. Merchants certainly aren’t …”

The obvious question is: Why? Especially given the liability risk. Especially since EMV makes “card-present” transactions much less vulnerable to fraud, and the U.S. currently holds the dubious distinction of leading the world in that area of cybercrime.

Not to mention that the U.S., which prides itself on being among the most technologically advanced nations in the world, lags behind most other countries in implementing this technology.


According to experts, there are a number of reasons. First, the deadline is not a law. Failure to meet it will not produce fines or criminal sanctions.

The most widely reported “incentive” to adopt it is the so-called liability shift, which means that whichever party – the merchant or the card issuer – has the “lesser” technology will be held liable for fraudulent transactions.

Adrian Lane, security analyst and CTO at Securosis, argued in a recent research paper that there is much more involved than the liability shift – much of it very good for merchants – but he said much of the resistance to the change is because, “merchants are being asked to incur significant costs and operational disruption to solve a banking problem rather than a merchant problem.”

He added that it is much more complicated than, “a straight equipment swap.”

Mark Horwedel, CEO of the Merchant Advisory Group, agrees. He said the large majority of the burden – especially the financial burden – of this transition falls on the merchants.

“This is the most complicated and most costly point-of-sale (POS) project that’s ever been foisted on merchants. They’re making us pay for 75% of the conversion,” he said, adding that in Europe, networks lowered their interchange fees or offered to share some of the cost of installing new equipment. Besides that, he said, U.S. merchants pay transaction fees that are seven to eight times those paid in Europe.

“Credit cards are a bank product,” he said, “and on their face they are unsafe, but the industry has made a one-sided effort to shift the expenses (of making it more secure) to the merchants.”

He also complained about the time allowed for the shift. “Four years is not enough,” he said. “In Canada it was eight to 10 years. It is a huge overhaul.”


Dick Mitchell, solutions director at Randstad, said there is no big push from consumers demanding the EMV system, “so many businesses just aren’t feeling the urgency to upgrade their systems. Part of that is because consumers have historically been insulated from the liability, but there has also been a lack of education.”

He said it would likely take another major retail data breach, such as that at Target in late 2013, “to really light a fire under some of these retailers.”

There are also warnings from security experts that such a major breach remains likely, since the American version of EMV won’t be as secure as that in Europe, because many banks are allowing “chip and signature,” instead of requiring a customer to enter a PIN number.

Ubaghs said such a move, “drastically reduces the effectiveness of EMV, as you remove one of the two factor authentication elements of EMV. A pickpocket could still use your card and forge your signature. It’s a bad move by the U.S. that will weaken security.”

He and others note that consumers in every other market are using PINs, and that U.S. customers do it with debit cards and ATMs.

The main reason, they say, is that card issuers and banks fear that if customers are required to enter a PIN, they won’t use their cards as much. “They risk falling into a back-of-wallet position or even consumers abandoning cards,” Ubaghs said. “Remembering a PIN on a card isn’t that difficult, but if you have five or six cards, you might change or abandon some if you have too many PINs floating around.”

Lane warned in his paper that another flaw, at least so far, in EMV is that it, “does not mandate the use of point-to-point encryption (P2PE), much less full end-to-end encryption. PAN (primary account number) data is still transferred in the clear, along with any other data passed, if payment tokens are not being used.”


A lack of encryption was one of the things that made the Target breach so catastrophic.

The token problem is being addressed, Oxman said, with the deployment of, “new, cutting-edge technologies that along with EMV present a multi-layered defense of our complex networks. Tokenization can prevent future data breaches by replacing account information with single-use tokens that cannot be intercepted.”

Still, as many experts have noted, and even EMV advocates acknowledge, EMV offers no security improvement for online, or “card-not-present” transactions.

But its advocates point to evidence that it curbs fraud. “What we do know from EMV chip-mature regions of the world,” said Jeremy King, International Director of PCI Security Standards Council, “is that EMV chip, no matter how it is implemented, results in a significant reduction in counterfeit fraud at the point of sale.”

Lane agrees that better security, not to mention decreased liability for fraud, are good reasons to adopt EMV. But he argued in his paper that they are both secondary to the benefits of the much more major shift that is coming: mobile payments.

Companies like Starbucks, he wrote, have, “demonstrated conclusively that consumers will use mobile phones for payment.”

And he believes that, “the move from passive magnetic stripe cards to smart cards is a big jump, but from plastic cards to smartphones will be the payment industry’s equivalent of the shift from horses to automobiles.”

He goes into considerable detail in his paper, but summarizes what he called, “a wealth of advantages for merchants (from mobile payments), delivered with minimal to no operational disruption, including:

  • Better customer experience
  • Better tracking and analytics
  • Better fraud detection through reference tokens
  • Implements P2PE with no loss of functionality
  • Reduced breach potential through systematic removal of PAN data

“These are in addition to the trumpeted reduction in liability,” he said.