Visa-chip-credit-card-security-programBy Mallory Duncan, Senior Vice President and General Counsel, The National Retail Federation

A new NRF survey proves what we’ve been saying for months about conversion to the new chip-and-signature credit cards – that retailers have done their part and it’s the card industry that’s dropped the ball.

The survey, conducted in May and June, found that 48% of retailers responding had already implemented the new “EMV” chip card system or expected to have done so by the end of June. A total of 86% expect to have EMV – short for Europay MasterCard Visa – up and running by the end of the year.

Of those who had not implemented, 57% said they had already installed the card readers and other equipment but were still waiting for certification by the card industry so they could turn it on. And 60% of those said they had been waiting for six months or longer.

Those numbers are considerably higher than those pushed out by the banking industry, which has tried to portray retailers as slow to adopt the new system. But the survey found that EMV is a top priority for retailers – 58% of those surveyed called it their top payments-related challenge for 2016, and 72% said it is their top payments initiative for the year.

The key issue here beyond the number of retailers who have installed the new equipment is the number waiting to get it certified. Certification is an important step, with a number of functions checked to ensure that the new technology is operating properly. It can also be complicated because systems must be tested to be sure they are working with not just one but all of the major cards including MasterCard, Visa, American Express and Discover. Depending on the size of the retailer and complexity of the point of sale system, the job can involve hundreds of tests, take anywhere from two weeks to eight months and can cost the retailer from hundreds to tens of thousands of dollars.

Disappointingly, the card industry has not provided enough personnel or other resources to ensure that certification happens in a timely manner. At this point, many retailers have had new chip card readers sitting next to their cash registers for nine months – ever since the target date for conversion last October – waiting for the card companies’ blessing. Many large national chains have been certified, but mid-size retailers are facing a long the wait.

The delays have left consumers confused – do they swipe or “dip” with their new cards?

It also means that many retailers have been stuck with millions of dollars in fraud costs they shouldn’t have to bear: Under new card companies rules that took effect in October, if a counterfeit chip card is used in a non-chip card reader – or a chip reader that hasn’t been certified – the retailer has to absorb the fraud cost. In addition to fraud involving the new chip cards, some retailers say fraud from traditional magnetic stripe cards – which is the banks’ responsibility – is being improperly attributed to lack of a chip reader and charged to retailers.

Visa and MasterCard acknowledged the delays in June, promising to streamline the process and provide more resources in an attempt to cut the wait times in half. They also promised to reduce the amount fraud borne by merchants.

Unfortunately, that’s too little too late for retailers who have already endured months of delay and millions of dollars in unwarranted “chargebacks” for fraud, not to mention complaints from customers about why they can’t use the chip function on their new cards even though the new readers are sitting right there.

The largest frustration in the debate over who’s to blame for how fast or slow EMV conversion occurs is that the cards being issued by virtually all U.S. banks are chip-and-signature rather than the chip-and-PIN used throughout the rest of the world. The new EMV card readers are costing merchants billions of dollars to put in place. Yet even if 100% of retailers had installed chip readers and 100% of those installations had been certified, chip cards that work with an easily forged signature provide a fraction of the security of those that work with a secure, secret personal identification number.

No matter how many chip card readers are installed, PIN-less half steps for card security aren’t enough to satisfy retailers in their efforts to protect their customers. And they shouldn’t be enough for banks, either.

Industry News, Industry Thought Leaders, Technology