The upcoming Oct. 1, 2015, mandate for U.S. retailers to adopt POS systems that can securely accept and process transactions using EMV (Europay, MasterCard, Visa)-compliant, chip-based payment cards is fast approaching. Retailers that are not in compliance with the mandate after that date will be held liable for any fraudulent transaction committed with a chip-based card. However, retailers that have not completed — or started — their compliance efforts should not necessarily panic.
“The liability shift is not a hard date,” said Tom Litchford, VP retail technologies, National Retail Federation (NRF). “It’s mandated by card providers from a risk-management business perspective. Whoever is least secure has the liability.”
According to Litchford, every retailer should examine its own unique situation when creating an EMV compliance strategy. Some retailers may be at higher risk for fraud than others, and not every bank will have all of its payment cards chip-enabled by the deadline, either. For retailers moving forward with compliance efforts, Litchford recommends a five-step process, along with some general advice.
“The longer you wait, the harder it’s going to get,” he stated.
Adding another potential wrinkle to the timing of the shift, the Food Marketing Institute (FMI) has asked major credit card companies to move the deadline into 2016. In April, the FMI sent a letter to Visa, MasterCard, American Express and Discover Financial Services saying the system will not be ready to meet the October mandate. The letter also said retailers have to wait 16 weeks to obtain EMV-compliant hardware and that the mandate takes effect as retailers enter the crucial holiday selling season. At press time, FMI had not received a response to its request.
NO PANACEA: EMV compliance offers protection against fraudulent point-of-sale transactions conducted with lost, stolen or counterfeited cards. However, it is hardly a panacea against payment fraud or data theft.
“EMV is a great risk reducer, in conjunction with proper security hardening and PCI controls,” said Andi Baritchi, global managing principal, PCI Consulting Services, Verizon Enterprise Solutions. “It does not remove you from your PCI obligation.”
Baritchi referred to the Payment Card Industry (PCI) Security Council standards that require end-to-end encryption to help reduce the risk of online card fraud, as well as data breaches.
Baritchi warned that EMV compliance alone can cost tens or even hundreds of millions of dollars, depending on the size of the retailer. Because of the cost and importance, he said retailers should approach EMV compliance with the help of qualified partners.
“Payment card data is very attractive to criminals as it can be easily converted to cash,” explained Baritchi.