The EMV liability shift deadline has arrived.
But don’t expect immediate fireworks—at least until some noncompliant retailer suddenly gets hit with massive claims for fraud losses from its customers.
It will be hard to feel too sorry for these potential victims—other than commiserating with the fact that they are victims, and not perpetrators of fraud. But fraud’s a fact of life now. As has often been said, it’s not a case of if you’ll be victimized, but when.
Of course that was the impetus for EMV, or chip-enabled credit and debit cards, in the first place. The old magnetic swipe cards have proven just too vulnerable to the legions of sophisticated, devious, and greedy cyber crooks around the world.
Lots and lots of articles have been written about the EMV liability shift, including in this space, for at least three years. Yet the scope of its importance really hasn’t hit home.
Believe it or not…
As obvious as this may seem to bankers, studies bear this out:
On the consumer side, Harbortouch, which provides point-of-sale systems, polled 18,000 U.S. adults in August and found that 54% are unaware of what a chip credit card is. The lack of awareness reached all income levels—60% of those earning less than $50,000 annually, and 26% of those earning $150,000 or more.
“The findings of this study indicate that EMV could pose serious challenges for credit card companies and retailers as the busy holiday season approaches,” says Jared Isaacman, CEO of Harbortouch.
Mercator Advisory Group has tracked the adoption of EMV debit cards and notes a significant gap in adoption on the issuing side. In June, Sarah Grotta, director, Debit Advisory Service at Mercator, said:
“The variety of approaches to EMV debit deployment is as varied as there are issuers. Some are reissuing on an expedited timetable, some will include EMV with their already planned reissue schedule, and others will issue only to customers who are international travelers and those who request chip cards. What is certain is that the majority of debit cards will not be EMV capable for years.” [Emphasis added]
In August, Mercator issued an even gloomier report, stating that:
“With the long-awaited fraud liability shift just around the corner, the entire U.S. payments industry is actively (if not enthusiastically) preparing for the transition to EMV. While that preparation will yield a more robust and secure payments infrastructure in the long run, progress toward EMV compliance has slowed in 2015, as issuers and merchants deal with a range of technical, logistical, and educational challenges.”
Adds the report’s author, Alex Johnson, “We need to prepare ourselves for a longer and messier transition than many originally anticipated.”
Talking about Target
Not all merchants have ignored the issue.
Target, for example, has devoted $100 million toward placing EMV-enabled technology in all its stores, according to the blog syrinx.com. That blog writer also notes that this effort likely is related to Target’s massive and widely publicized consumer security breach in 2013.
It’s not too big a stretch to connect the two.
Talking about Target, a recent personal experience relates here.
The checkout line did indeed have a device in which the customer inserted a chip card, and then required the purchaser to sign with a stylus on a glass plate. All well and good, but at no time did the clerk compare the signature with the one on the card, bringing up the question—what’s the point with the signature?
It’s not just me wondering. Gareth Lodge, a U.K.-based analyst for Celent, says the same in his blog: “Asking for a signature, yet not even checking it seems odd.”
This chip-and-signature versus the chip-and-PIN issue has been raised by merchants as a reason why some haven’t invested in the required POS equipment. Doug Johnson, ABA senior vice-president, has rebutted this, saying that the chip in the new EMV cards is what really provides protection, and not a PIN.
“The EMV chip, not the PIN, is the key to keeping sensitive information safe by making the financial data nearly impossible for criminals to create, sell, and use for counterfeit cards,” he says.
Still, this particular debate is likely to continue.
On yet another personal note, during a recent vacation through the United Kingdom, I used my chip-and-signature credit card throughout without problem. Yet very few merchants ever checked the signature on the slip with the one on the card, even though by law they were supposed to. The motivating factor seemed to be to accelerate the transaction. (You can read about John’s vacation/banking exploration at "Pounds and pence, as you like it".)
Which also is a continuing issue. As reported in the September issue of Banking Exchange, it takes two to three seconds to process a chip transaction, vs. 200 to 300 milliseconds for a swipe transaction. Anybody standing in a Target checkout line, with four or five people ahead of them, will take notice and develop, at the least, a negative perception of that shopping experience. (See, “Will EMV boost mobile pay?”)
Outreach helps, if people reach back
Education seems to be the main argument toward overcoming such perceptions.
A year ago President Obama signed an executive order dubbed “BuySecure” requiring federal agencies to issue chip-and-PIN cards where appropriate and related to their operations, and cited private-sector efforts to educate card holders about the technology.
One of these private-sector efforts is led by Fiserv, which offers a free EMV Education and Marketing Program tailored to cardholders as well as financial institutions.
“People have been swiping their magnetic stripe cards for decades, says Jamie Topolski, director, alternative payments, at Fiserv. “In order to prevent confusion, it’s crucial to explain to cardholders how their new EMV chip cards will work and to educate staff, so that they can answer questions.”
Banks, also, have expended significant EMV educational efforts. Chase and Bank of America are two notable examples.
And right around the corner …
Still, EMV is at heart a technological issue. And when technology is involved, nothing stops. Now, from Visa, comes word about an effort to extend EMV even further, to incorporate biometrics.
In September Visa announced it had developed a new specification to use biometrics with chip card transactions, where the biometric—the first use-case being fingerprints—is validated by the EMV card and never exposed or stored in any central database. South Africa’s Absa Bank will be used to develop a proof-of-concept trial this fall. Visa plans to offer to contribute the technology to EMVCo., to further develop and administer the standard for the benefit of the entire payment industry.
That, no doubt, is way in the future.
Let’s all hope that there won’t be any fireworks this year as the EMV liability shift takes effect. In the meantime, as Harbortouch’s Isaacman says, “Varying rates of adoption and opinions on the benefits of chip cards means more can be done by all parties to ensure a smooth transition on Oct. 1 and beyond.”
Sources used for this article include: