Retailers are coming up against the deadline for EMV card reader adoption in the US set by major credit card companies for this October, but many either aren’t prepared, aren’t aware of the incoming shift, or don’t believe it can impact their business.
The technology was pioneered in the UK in response to credit card fraud and named for the companies that spearheaded it: Europay, MasterCard, and Visa. EMV has become standard in most European countries over the last ten years. The technology was brought to the US in 2010 but due to the size of the US Market, they pushed back adoption to 2015 to allow enough time for retailers to get on board the new system.
The incoming switch is not just a technological one, but also a shift in liability. While card issuers have been the ones to cover the cost of fraud historically, now the liability for fraud will shift to the seller if they aren’t using the new EMV chip system. Point of sale liability shifts from card issuers to retailers on October 2015. ATM and pay-at-pump gas stations liabilities are both set to shift October 2017.
The new EMV-enabled cards that are to replace traditional magnetic stripe debit and credit cards will still have the strip, making them backwards compatible, but will also have a chip installed. The chip enables a dynamic authentication, creating a one-time authorization for every purchase, compared to the static authentication of a card swipe. It also permits other features, like contactless pay using radio-frequencies.
EMV, or chip-and-pin, reduces card-present fraud and theft that happens in physical stores, making it difficult for thieves to steal and repurpose the cards for use elsewhere. The new cards are resistant to skimmers and because of the pin required, it becomes two-factor authentication because it requires both an object (the card) and the pin number (known information). Countries have noticed steep declines in fraud from counterfeit credit cards after the adoption of EMV.
But that fraud hasn’t disappeared, not really. Having to abandon a less successful strategy, fraudsters shifted over to card-not-present fraud tactics, like account takeover and fraudulent account creation, both of which have seen a stark rise in countries that have switched over to the EMV system.
And companies in the US on the whole are not ready for the switch and some don’t even know that it is coming. Larger retailers have the money and the incentive to make the switch in order to avoid taking on the threat of liability. Smaller retailers, however, are either unaware or actively plan to avoid upgrading to the new system, namely because of cost. It’s believed that the cost to US companies to upgrade and replace the system will run over $8 billion dollars.
The Q3 2015 Wells Fargo Gallup poll of small businesses indicated that nearly 50% of responders don’t want to pay for a new terminal, 36% felt it’s unfair that the business has to shoulder the burden and 25% of respondents said they would just stop accepting POC credit cards for payments altogether instead of upgrading. More alarmingly, over 40% of responders said that they weren’t concerned about the liability shift in case of fraud, and nearly 50% felt that it wouldn’t impact their business as they did not consider themselves likely targets for fraud.
It’s not surprising that respondents feel that the problem won’t affect them as the majority of news reporting focuses on the big breaches, the Targets and Home Depots, even though as big companies lock down on their systems, fraudsters go after smaller targets because they still can.
But even worse? The same poll found that 68% of small businesses as of July weren’t aware that the EMV shift was coming.
Customers themselves aren’t sure about the EMV. As of late September, an ACI Universal Payments poll found almost 60% of respondents had not yet received their new EMV chip card and over 65% had not been contacted by their bank explaining why the change was happening or its impact.
What does this mean for the American market on the threshold of this change? A bumpy ride. Fraud rates from counterfeit cards may not drop as readily as they have in other markets where adoption rates are higher. Fraudsters excel at exploiting system gaps and inconsistencies. This is not to say that EMV isn’t a step forward – it is – but it isn’t the final blow to fraud. With EMV pushing fraudsters into account takeover and fraudulent account creation, it underscores the need for behavioral analytics to protect existing accounts from being hacked or socially engineered.