EMV holdouts: Why merchants are slow to make chip-card switch
By Jenny Hoff | Published: August 7, 2015
Shiny new EMV chip cards are making their way to consumers' mailboxes, but the majority of U.S. merchants is not ready for the new technology, and won't be by the time an October deadline rolls around, according to recent research. While cost is the factor most often cited for the foot-dragging, the cost of noncompliance could be even bigger.
EMV chips are designed to combat counterfeit fraud. Unlike magnetic stripe cards, every time an EMV card is used for payment, the chip creates a unique transaction code that cannot be reused. So even if a thief is able to intercept information during a transaction, it's useless to him.
Right now, card issuers eat the loss if credit card fraud occurs. But according to rules set by the major credit card companies, come Oct. 1, if a fraudster uses an EMV card and a merchant doesn't have the right equipment to verify the card's authenticity, the business will have to take the loss. This is what's known as the liability shift.
Although the card networks have been talking about the U.S. liability shift for years (and EMV is widely used in other countries), many merchants seem clueless about the matter. In a survey released Aug. 6 by Wells Fargo and Gallup, a majority of the small business owners surveyed were unaware of the liability shift. Only 31 percent said that their existing credit card processing systems accept chip-enabled cards, and just 29 percent said they intend to upgrade their point-of-sale credit card terminals to accept EMV chip cards by the Oct. 1 deadline. A fifth said they don't intend to switch at all.
Complaints from retailers
Among retailers who have heard of the deadline, the biggest complaint about the shift is cost. Another survey of small-business owners, released in June by Intuit, found 57 percent of respondents cited the cost of a new terminal or reader as the top reason for slow adoption. For complex, integrated systems, the upgrade can run into the thousands of dollars. But for small businesses with only one or two payment terminals, the upgrade is fairly inexpensive. Some basic EMV card readers cost less than $100.
There are other gripes, too. Merchant organizations such as the National Retail Federation call the October deadline unreasonable, citing a lengthy certification process merchants must go through when trying to upgrade in time. The testing and certification process for new readers can be time-consuming and expensive -- ranging from $500 to tens of thousands of dollars -- depending on the size of the business, how integrated its payment system is, and how much customization is required.
There are three certification levels -- Levels 1 and 2 involve testing the hardware and software for security and to ensure they work with EMV chips. But most small businesses will not need to worry about this -- unless they are coding their own applications for the terminals -- since the new readers will have been certified for the first two levels.
Level 3 is an end-to-end certification that tests the system with every brand of card and every kind of transaction it can do with each brand. For small businesses with stand-alone terminals, it can still be a quick process. Business owners who need more customized software can expect the upgrade to take a few months and require a greater investment.
EMV and online fraud
Mallory Duncan, the federation's senior vice president and general counsel, says business owners also worry that once they've upgraded, counterfeit fraud will just shift from their brick-and-mortar stores to their online shops, where there are no EMV readers to detect fraudulent cards.
"It's like the credit card companies locked the front door, but left the back door open," says Duncan. "Our members are still hoping they will do the right thing and allow for more time."
"I thought it would cost me thousands of dollars to upgrade. It ended up being much cheaper than I expected."
|-- Sheila Ferraiolo
Owner, DreamStar Dance Supply & More
But Stephanie Ericksen, vice president of global risk products at Visa, affirms the deadline is fixed. "The liability shift date was announced in August of 2011, so they have had four years to get up to speed," she says.
According to Ericksen, counterfeit cards account for 75 percent of credit card fraud and an estimated $3 billion annual loss. She asserts EMV technology is an important step to stop the theft.
Meanwhile, she says the card companies are battling online fraud by other means such as biometric identification -- fingerprint, voice or retina readers, for example -- and tokenization.
Tokenizaton is a security process for online and mobile transactions that replaces credit card numbers with randomly generated numbers and letters, or tokens, making the sensitive card information unavailable to hackers. Tokenization is expected to become more widespread, with the major credit card companies rolling it out for online use. Mobile payment services such as Apple Pay are also using tokenization as a security measure.
Chip-enabled cards provide a similar service for in-person transactions by generating a unique code for each transaction, making the card impossible to counterfeit. But in order for the security to work, merchants need special machines and software to read the chips.
Easier for some than for others
DreamStar Dance Supply & More is an independently owned and operated business based in the Boston area. The 1,500-square-foot store, stocked with high-end dance shoes and performance merchandise, has only one payment terminal. It is now EMV compliant.
"I wanted a more integrated system anyway," says owner Sheila Ferraiuolo, who started her store in 2007 after 32 years as a dancer. "I thought it would cost me thousands of dollars to upgrade. It ended up being much cheaper than I expected."
"We have told our members that they need to individually assess their situations to determine if the cost of the new technology will outweigh the cost of fraud."
|-- Mallory Duncan
National Retail Federation
Wanting a system that would accept mobile payments and help her keep track of inventory from any location, Ferraiuolo spent a year researching the POS offerings on the market. With a seasonal business on a tight budget, she decided to forgo buying her own expensive software and instead signed up with Highline, a company that offers integrated cloud-based payment software for a monthly fee.
She spent $700 on a reader that also accepts Apple Pay and she is paying $49 a month to lease additional equipment. "I just hooked up the reader to my iPad mini, so that part is easy," she says. "The hard part will be training myself to use the new system, as well as my five employees."
Large corporations have also upgraded their terminals, though with much more complex and costly systems. The NRF's Duncan says the hardest hit will be budget-restricted small- to medium-sized businesses with integrated payment systems that will need both software and hardware to become EMV compliant, and will require testing and certification, which can take months to complete.
"We have told our members that they need to individually assess their situations to determine if the cost of the new technology will outweigh the cost of fraud. Some businesses are more vulnerable than others," says Duncan.
The most vulnerable
Your business is in a higher-risk category for fraud if you:
- Are coastal: Duncan says merchants located near the coasts are more at risk for fraud than businesses in the middle of the country, where credit card fraud is less prevalent.
- Sell easily fenced goods: Merchants with high resale-value items such as TVs, cellphones, jewelry and luxury products, as well as gift cards and even baby formula are greater targets than laundromats or coffee shops.
- Own a gas station or unattended terminals: Criminals sometimes use unattended terminals to first see if a chip card works before trying to purchase more big-ticket items. The liability shift deadline for gas stations and ATMs is Oct. 1, 2017.
Ferraiuolo has already seen brands that she sells sold online illegally. As a small-business owner, she says she can't afford losing thousands of dollars' worth of merchandise to fraud. "It would definitely hurt us, maybe not bankrupt us, but definitely affect our ability to make payroll," she says.
EMV technology adoption is not a mandate. But Randy Vanderhoof, executive director of the Smart Card Alliance, recommends merchants invest in the technology sooner rather than later.
"It is probably very disruptive for their business and the costs [of the technology upgrade] are high based on their current experience with fraud, so they aren't seeing a benefit at this time," says Vanderhoof. He worries it may take businesses getting stuck with the cost of fraud before they take the EMV shift seriously. "Then they will have to not only pay for the loss, but they'll still have to pay to update their systems."
For businesses that have not already started the transition process, Vanderhoof recommends the following steps:
- Meet with your acquirer or card processor to determine the best course of action for your specific situation.
- Determine what kind of upgrade is best for your business, whether it is upgrading your existing terminals or purchasing new ones with EMV software already integrated.
- Schedule an appointment with an acquirer to test and certify the system.
For medium-sized businesses worried about the lag time between installing the software and getting it certified, Visa's Ericksen says there is a prequalification service that allows value-added resellers (VAR) and independent software vendors (ISV) to start testing their solutions before they work with acquirers for final certification. This shortcut can speed up the certification process for small businesses, which normally have to wait months to have an acquirer test and certify them.
Business owners who are waiting to upgrade can also follow best practices to protect themselves against counterfeit cards, such as comparing the last four digits of the card to the last four that appear on the receipt.
Under the new liability rules, consumers are still protected if their card is lost or stolen. But Vanderhoof believes that without the technology of chip-enabled cards and tokenization, everyone will end up bearing the cost. "Even if the consumer is not directly responsible, they are still paying part of that cost in higher fees and higher cost of merchandise," he says.
In her eight years as a business owner, Ferraiuolo has never had a fraud issue. Still, she says she is not willing to take any chances. "I say be compliant in everything. Why risk it?"
- Yes, merchants can get new card info on recurring charges – Updater services allow merchants to know when your credit card information changes, and to alter their records accordingly. If you don't want to continue the subscription, you'll need to cancel it directly ...
- Is it time to negotiate a new merchant account? – Some business owners stick with a merchant services account they secured as a startup, but that now costs them more than they should be paying ...
- 8 steps to fighting chargeback fraud – Credit card chargeback fraud is an ongoing problem for small businesses, which can have dire consequences. Though it's hard to detect, there are ways to fight back ...