Are retailers ready for the looming October deadline?
Retailers may hear the faint sound of a clock ticking. It’s part of the countdown to the credit card industry’s deadline for merchants to be ready to accept new chip-based cards — or face increased liability if the cards are used fraudulently.
Payments experts say a lot of retailers won’t be ready by the October 1 deadline. Reasons range from ignorance about the mandate to justifying the implementation costs to a heated debate between retailers and the card industry on whether the new cards will provide all the security they could.
At issue are Europay MasterCard Visa cards, which will replace the easy-to-copy magnetic stripe currently used to store card data with a difficult-to-counterfeit computer microchip. Unlike EMV cards in the rest of the world, however, the cards most U.S. banks will issue have consumers signing for purchases rather than requiring a more-secure personal identification number.
The lack of a PIN is a matter of contention because of the change in card company rules on who is liable when a credit card is used to commit fraud. Under current policy, the bank is held responsible for guaranteeing cards are legitimate; they cover costs if cards are counterfeit. Retailers are responsible for verifying cardholder legitimacy; they pay fraud costs if that’s not the case.
Under the new system, if a retailer accepts a chip card but doesn’t have a chip reader, the bank will no longer bear responsibility for fraud if the card is counterfeit, shifting the burden to the retailer. If the fraud is on the user side, the retailer maintains responsibility.
National Retail Federation Senior Vice President and General Counsel Mallory Duncan says that’s not fair, because banks are adding a chip that makes the card hard to counterfeit but refusing to add the PIN that would ensure user legitimacy.
Retailers are being required to cover the $25-$30 billion cost of the new equipment.
“Why are they making us buy equipment that can do both, but refusing to do what they do in Europe and set up a system that does both?” Duncan asks.
“If they’re going to make us spend that kind of money and contribute to fixing the part they bear responsibility for, why not fix the part that we bear responsibility for?”
New card terminals can cost $1,000 or more; Duncan says some merchants are weighing the expense against the number of chip cards they are likely to see. A January CreditCards.com survey found only 31 percent of consumers had a chip card; with the average American holding four cards, Duncan says that translates into only about 8 percent of cards being chip-enabled.
The new cards are being pushed largely in response to recent high-profile data breaches; Duncan notes that while the cards make it difficult for criminals to use stolen data, they do not prevent data theft itself. Consequently, some retail companies looking to avoid the negative publicity of a data breach might instead invest in methods to stop breaches like end-to-end encryption or data tokenization.
There are other reasons that many merchants will miss the deadline. Some have technology vendors or processors whose services do not comply; others have equipment installed but may be caught in a bottleneck as certification companies are hit by a sea of last-minute requests.
“The top retailers have been working for the past year, but as you go down the tiers, the retailers are not all ready to go,” says Thierry Denis, president of card reader provider Ingenico Group.
“Most of the Tier I retailers may be able to roll out by October, but across the board, the readiness is not high,” says Sherif Samy, commercial director for Underwriters Laboratories, which recently formed an alliance with payments processor First Data to provide EMV migration and certification.
It’s not just technical details that have to be considered. Retailers must train staff and customers on handling EMV transactions, where cards are “dipped” into the reader rather than swiped.
“EMV is not just a technology implementation,” Samy says. “It will have an impact on businesses in terms of how their customers transact with them.”
A number of retailers “have underestimated what it is going to take to get through certification. This affects everything in their systems that touches payments, not just the POS,” says Ken Mathis, principal and payments leader for financial services with North Highland Consulting, a firm that is advising retailers on EMV.
Some retailers may still be unaware of the need to take action. “This is particularly true of companies like a flower shop that only has two or three locations,” says David Hogan, executive director of Heartland Payment Systems, a payments processor that works with a lot of small retail chains. “We’re trying to educate retailers now. We have 1,000 members of our sales staff who are out working with our merchant base.”
Once new hardware and software have been installed, getting systems certified may not be easy or quick. Mathias estimates certification could take three to four months; retailers could wait several more months to get a qualified company to even look at their systems.
“It’s not just retailers, but banks, health care companies and airlines that have to be certified,” Mathis says. “There are tens of thousands of terminals involved. This is a highly complex process and many companies may not pass certification the first time and will need to be retested.”
As Duncan notes, relatively few U.S. consumers currently have EMV cards. But banks have aggressive campaigns to increase those numbers, and Denis says industry projections show 50-60 percent of credit cards could be EMV by the end of the year.
The news is not all bad. Many large chains are already certified or close to it. Small retailers may not have to deal with the technical integration if using certified systems. And even if a retailer is not up and running with EMV on Day 1, the fraud risk may be minimal.
“The liability shift deadline is just a date. You have to have actual EMV cards presented with fraudulent transactions before there is a real liability threat,” Denis says.
Retailers “need to examine their risk profile and look at what degree of fraud they are seeing today. If they serve a segment of the market that is purchasing merchandise with a high-ticket value, they are much more likely to experience fraud and need to take action more quickly,” Samy says.
Heartland’s Hogan agrees: “Is someone going to take the time to clone a fraudulent card and use it to buy a $2 cup of coffee? Maybe, but it is more likely that they’ll use those fraudulent cards at stores that sell high-ticket items.”
Complicating the situation is the October deadline’s proximity to the holiday season.
“Once October hits, most retailers lock down their systems … . Nobody wants to make system changes just before or during the holidays,” Hogan says. “If they’re not ready by October, it will probably be after the holiday season before they can get ready.”
Retailers that don’t expect to be immediately compliant still need to be planning their EMV implementation today, if only to begin the education process. “EMV is not something you can just switch on,” Samy says. “It takes a lot of time and effort to roll it out and to make sure that not only does your system comply, but that you have a smooth customer experience.”
Even if EMV does not initially offer the combined security of both chip and PIN, most agree that it is an improvement over the current system.
“No retailer wants to risk a massive breach that could reflect negatively on their balance sheet,” says Chuck Winter, principal for retail with North Highland Consulting.
Changing to EMV systems also presents an opportunity for retailers to add other payments-related services like loyalty programs, on-line couponing, electronic wallets and mobile payments.
Innovations like Apple Pay have increased consumer interest in contactless payments and electronic wallets. For retailers that want to meet those growing customer expectations, converting to EMV provides a good time to look at other payment changes they want to make, Denis says.
The opportunity may be greatest for retailers with older point-of-sale systems.
“If a retailer has put in a new system within the last five years, they are more likely to make the least number of changes,” Hogan says. “But if someone has a system that is 15 years old, they’re likely to take a look at their overall POS ecosystem and replace it with a whole new system that can … include all kinds of contact and contactless card options.”
Walker & Company is reinventing the way consumers of color learn about, purchase and enjoy health and beauty produc… https://t.co/YjRLhl2izR11 hours ago