Data Breaches: EMV Compliance is Everyone’s Responsibility
It has been about five months since the Target data breach made the vulnerability of retail POS data a hot topic. Investigation has since shown the Target breach did not involve POS terminals. However, high-profile thefts of customer payment card data from Target and other retailers, including Neiman Marcus, Michaels and Sally Beauty Supply, have highlighted the need for U.S. retailers to adopt the global Europay, MasterCard and Visa (EMV) standard for accepting payments from cards that store consumer information on secure embedded microchips rather than on magnetic stripes.
Everyone’s Talking, But No One’s Getting EMV
Despite widespread recognition of the substantial security benefit of EMV compliance, not many retailers are doing much about it. Target recently announced that it plans to incorporate MasterCard chip-and-PIN technology (which adds another security layer by verifying customers with a secure PIN rather than a signature) across its Target-branded REDcard portfolio by early 2015, and is converting existing payment terminals at its stores this year, ahead of schedule.
A few other large chains, such as Wal-Mart, have also made some moves toward EMV compliance, but most retailers have not. The primary issue, no surprise, is cost. The National Retail Federation (NRF) has estimated it would cost $20 billion to $30 billion in hardware and software upgrades over several years to bring the U.S. retail industry into general EMV compliance. And the chip-enabled cards themselves cost a couple of dollars each.
Considering the staggering financial cost of achieving retail EMV compliance, it is neither realistic nor fair to expect retailers to foot the whole bill. But retailers do need to pay their share. Following are brief explanations of why both retailers and financial institutions need to help pay the price of EMV compliance.
Retailers Could Lose It All
As of October 2015, liability for reimbursing customers who are victimized by POS data theft shifts from financial institutions to retailers, if the customer was using an EMV-compliant card and the retailer did not have EMV-compliant transaction technology. But the costs go far beyond potential reimbursement of customers.
Data breaches incur hefty costs in hiring security experts to review the breach and taking remedial steps to improve security, not to mention potential exposure to consumer lawsuits. They also erode consumer trust, resulting in lost sales and lost customers. Thus the after-the-fact costs can last for years, making preventive investment in EMV-compliant POS technology before a breach happens a wise long-term investment. But retailers are not the only ones who stand to lose in a POS data breach.
Financial Institutions Have a Stake
Card issuers, banks and other financial institutions have prudent reasons to help the retail industry shoulder the burden of paying for EMV compliance. First, there will never be widespread availability of chip-enabled payment cards unless the card issuers pay for them, and without those cards the fraud liability shift to retailers will be more theory than fact.
Second, high-profile retailer data breaches erode consumer faith in payment cards as well as in retailers. Especially as non-cash alternatives to payment cards, such as PayPal, Bitcoin, and even apps provided directly by retailers, become more prevalent, payment card issuers need to maintain public faith in their services. And banks hardly benefit when customer accounts are drained by fraudulent purchases.
So EMV compliance is everyone’s responsibility, for self-interested financial reasons as well as for reasons of basic fairness and consumer protection. Leaders are taking the first steps; who will follow?