Many U.S. retailers and banks have not made changes to accommodate new EMV standards (named after the organizations that developed it, Europay, Mastercard and Visa in the 1990s), despite an October 1 deadline that shifts liability from banks to merchants. The banks that fail to do so not only risk increased exposure to fraud, but could lose out on potential revenue and market share.
EMV technology uses encrypted microchip data on a customer’s credit or debit card. The card numbers and cards are much harder to counterfeit or steal than magnetic stripe cards. The card number isn’t transmitted on a point-of-sale system (POS), as a new code is generated for each transaction. Also, an EMV-enabled POS system recognizes cards that are supposed to have the encrypted chip data, even if a counterfeiter has stolen a card number and created a magnetic stripe card, says Deborah Baxley, principal at Capgemini Financial Services.
Magnetic stripe cards are still used by about 59 percent of U.S. consumers, according to a survey by ACI Worldwide, an electronic payments company headquartered in Naples, Florida. Boston-based Aite Group, a research and advisory firm, estimates that as many as 60 percent of POS systems will not be ready for EMV by the end of the year. Gas stations have until October 1, 2017, to comply.
But for most retailers, after October 1 of this year, the liability for card fraud shifted. Previously, banks were liable for any in-store fraud. But now, any retailer breached that hasn’t updated its POS system to accept EMV is on the hook to make the bank whole—as long as the bank has migrated its card portfolio to EMV. If both bank and retailer are on the same playing field, the liability shifts back to the bank. Retailers with an inadequate focus on cybersecurity will now pay the piper.
What about banks that missed the October 1 deadline? “If you don’t have a plan, and you’re not informed enough to know what you should do, then you’re probably lagging,” says Bob Legters, senior vice president, payment products at FIS. Many banks are making decisions on who gets the new EMV cards first, and typically prioritize lost, stolen and expiring cards.
Despite the much-ballyhooed shift in liability, most banks haven’t migrated all their customers to chip cards. Aite Group estimates that 70 percent of credit cards, and 40 percent of debit cards, will be replaced with chip cards by the end of the year. Debit cards have been more difficult to replace, due to merchant routing restrictions under the Durbin Amendment of the Dodd-Frank Act that mandated that retailers have a choice of at least two unaffiliated networks to authenticate a transaction made with a debit card. Until this year, EMV did not comply with that requirement, says Baxley.
Chip cards aren’t the magic bullet that will finally kill credit card fraud. Fraud is expected to shift online, where the retailer still bears the liability. More troublesome, crooks could target banks and merchants that haven’t yet shifted to safer standards, putting a target on the backs of community banks and mom-and-pop shops. Banks that issue their EMV cards sooner rather than later will have a competitive advantage, says Legters. “If you [the customer] have a chip card and a nonchip card in your wallet, [and] you perceive the chip card to be more secure, you’re going to tend to lean that direction with your spending,” he says.
The subtle shift to mobile wallets such as Apple Pay and the newer Samsung Pay is also working in consumers’ favor, as these wallets employ the EMV framework. As mobile wallet adoption increases, merchants have another reason to shift to EMV-enabled POS systems, as most are set up to accept these forms of payment.
Of course, new technology means that the average American needs to learn a new way to pay. Once banks have issued EMV cards, “the biggest thing they need to do is worry about communication, because from a customer perspective, all of the sudden you’re using a card that works a little bit differently,” says Gil Mermelstein, managing director in the banking practice at West Monroe Partners.
Most consumers that have received chip cards don’t really know why, according to the ACI survey. Sixty-seven percent have not received any information from their financial institution to explain why this card is safer.
Banks don’t have to replace every card in their portfolio this month, or even this year. But delaying implementation will only harm the bank in the long run due to a higher risk of fraud—and the reputational damage that comes along with it.
“I believe [issuers] need to wrap it up, and try to issue quickly. They are exposed to greater targeting of fraud from fraudsters that will migrate from more secure bank cards to ones that are less so,” says Mermelstein.