By Pat Pape, Contributing Editor
As the second quarter of 2015 begins, retailers have approximately 100 business days to prepare for the EMV fraud liability deadline of Oct. 1. Those merchants not prepared to accept EMV credit and debit cards by that date could find themselves liable for any purchases made with counterfeit cards.
EMV stands for “Europay, MasterCard and Visa,” a global standard for credit and debit cards that contain an embedded microprocessor. Unlike the magnetic-stripe cards now widely in use throughout the U.S., EMV cards create a unique code for each transaction the cardholder makes. A code can be used only one time.
EMV technology can’t prevent data breaches from occurring, but it is expected to discourage hacking into a retailer’s system. With chip-enabled technology, criminals can’t profit from stealing card numbers and then creating and selling counterfeit cards.
Currently, U.S. retailers aren’t liable for credit card fraud, a crime that costs about $3 billion annually and is expected to jump to $3.6 billion by the end of 2015, according to Visa. Industry observers say that widespread use of chip-enabled cards will eventually reduce that amount.
“Because EMV is such a complicated and highly complex payment infrastructure, it changes every element of the payment landscape inside your system,” said Patty Walters, senior vice president of corporate EMV strategy at Vantiv, a payment processing solutions organization, and an elected member of the Smart Card Alliance EMV Forum Steering Committee, a non-profit industry organization.
“This change might be considered one of the largest changes that the convenience store industry has ever experienced because of the magnitude and complexity associated with it,” she said. “It could be overwhelming to a convenience store operator who didn’t have enough time to learn everything necessary to make that transition seamless.”
TO SWITCH OR NOT TO SWITCH
No law requires store owners to replace or update their current card-processing equipment by Oct. 1, and no one will be fined if they fail to do it. Retailers will still be able to accept magnetic-stripe cards after the deadline. In fact, most newly issued EMV cards also will have a magnetic stripe that allows retailers to process transactions exactly as they do today. However, the threat of financial loss because of credit card fraud is enough to make most merchants—no matter what size—consider an update to their existing technology.
“It’s not a mandate [to update equipment], but Oct. 1 is the date when the rules change regarding how fraud is going to be shared between the merchant and issuers,” said Randy Vanderhoof, executive director of the Smart Card Alliance and the EMV Migration Forum, both of which are based in Princeton Junction, N.J.
“It’s always been and will be a big decision by retailers as to whether they want to accelerate their migration to enable EMV before the liability shift date or whether they want to take a longer view and perhaps wait until a time that is more appropriate for them,” Vanderhoof said. “The business decision is related to whether or not they are comfortable with the added risk for potential losses associated with fraud and theft.”
Any retailer who has purchased new card-reading hardware in the past few years probably has adequate equipment that will simply require an update in software, said Stephanie Ericksen, vice president of risk products for Visa Inc. “So in some cases, the hardware just needs to be updated with the new software to pass EMV. A new terminal is not always required.”
As of the end of December 2014, 48 million new EMV cards had been issued to consumers. At the same time, more than 100,000 merchant locations were technically prepared to accept the cards.
“Forecasts coming from multiple sources in the industry are that by the end of calendar year 2015 roughly 47% of the merchant terminals will be EMV chip capable,” said Ericksen. “That’s a steep ramp up, but it’s very similar to what we’ve seen in other major markets like Australia, Canada and Brazil. They were at about 45% of penetration by the time of their liability shift date.”
2015 VS. 2017
The Oct. 1, 2015 EMV deadline applies to all retailers who handle credit and debit transactions. For convenience operators, this deadline applies to all transactions conducted inside the store. The EMV compliance deadline for card readers on automatic fuel dispensers is Oct. 1, 2017, and some convenience retailers may believe that gives them two extra years. Walters dispels that assumption.
“I highly recommend that the convenience store retailers fight that potential sense of having plenty of time to get there,” Walters said. “It will take every single minute of those two years for you to prepare for the automated fuel dispenser side.”
It is difficult to determine the amount of payment fraud that takes place at U.S. gas pumps due to the self-serve nature of the business. Some analysts suspect that fuel fraud at the pump is four times higher than in other types of retail.
Authorities are aware that thieves have installed innocuous-looking credit card skimmers on hundreds of gas pumps. The devices steal card data of unsuspecting customers, and the thief either sells that information or uses it to create counterfeit cards.
“Once the liability shift occurs, the retailer who doesn’t have EMV [acceptance technology] will become the focus of counterfeiters looking to purchase gas with a counterfeit card because they’re unable to do so in other locations,” Walters said. “That is a concern.”
EMV does not gain countrywide acceptance overnight. Canada started moving to EMV compliance in 2003, and a decade later, approximately 85% of merchants were compliant. Based on that and similar figures from other countries, Ericksen believes it will take a couple of years before U.S. credit card fraud experiences a significant decrease.
“Roughly two years after the liability shift date we should get closer to 60% or 70% of the market supporting EMV,” Ericksen said. “That should start to drive counterfeit fraud down.”
To determine if your stores’ existing hardware can be easily updated to EMV compliance or if it must be replaced, contact your technology provider. Once you determine that your system is compliant, you should schedule testing with the financial institution that handles your card payments. The demand for testing is expected to be high in coming months and requests will be put in a queue. You will want your system officially certified as compliant before the Oct. 1 deadline.
“Retailers have a choice, but the choice of not doing it comes with significant risks and those risks are the same for everybody,” Vanderhoof said.
“If you’re a convenience store in a small rural community and the people who shop there are people you know and work with all the time, it’s unlikely that a big percentage of those people are going to turn into criminals and start making fraudulent transactions,” Vanderhoof said. “If you’re part of a more mainstream urban environment, criminal elements are going to find fewer targets than they’ve had up to now, and they are going to move their fraudulent activities to those merchant locations where they can still get away with it.”
Industry leaders hope all retailers—including those with convenience outlets—will respect the liability deadline and help curb the use of bogus cards by becoming compliant.
“Markets that have invested in EMV have seen counterfeit fraud go down by 60% or more within two years of the date of the liability shift,” said Ericksen. “And it continues to go down as the remaining locations and cards in the market convert over to EMV.”