EMV is here, sort of

The highly anticipated EMV deadline of October 1 has come and gone, leaving many retailers and payment solutions providers to ponder what’s next?

As of Oct. 1, 2015, any U.S. retailer that does not have the necessary POS hardware, software, and operational and network protocols in place to process an EMV-compliant chip card transaction faces a shift in fraud liability.

So what exactly does this mean for U.S. retailers? How dramatic will the impact be? There is no one answer that applies to every retailer, but now is probably a good time for a general review of the new EMV landscape. First, let’s look at what EMV actually is.

EMV, or Europass, Mastercard, Visa, is a standard for encrypting sensitive consumer data in a secure chip embedded in a payment card, rather than storing it in a non-encrypted magnetic stripe. While EMV does not do anything to protect consumer data once it has been collected and processed at the POS, it does make hacking at the POS much more difficult.

In addition, it is much more difficult to make phony duplicate chip cards using stolen consumer data than it is to make illegal “clone cards” with magnetic stripes. The U.S. is the last developed country in the world to adopt the EMV standard. In other countries that switched to EMV, in-store payment card fraud dropped dramatically.

However, online fraud rates generally increased by 100% or more, as EMV does not protect against illegally using credit card data online. Experts generally agree there will be a corresponding rise in U.S. online fraud now that the EMV deadline has arrived.

This leads to the big question – what happens to retailers who have not yet complied with EMV?

Non-compliant? You’ve got company

Visa estimates that only around 300,000 of between six and eight million U.S. merchant locations have complied with EMV to date. Most of these individual stores are concentrated among major retailers with heavy payment card payment volume. For example, Wal-Mart and Target are both fully EMV-compliant in their U.S. stores.

Some retailers have a more urgent need to quickly comply with EMV than others. In general, larger retailers that attract more customers, or retailers that sell goods which would fetch a premium on the black market, such as luxury items, are more susceptible to fraud. Since criminals may also attempt o steal customer financial data at the POS to resell via underground websites, retailers with a high-income customer base may also face increased threat.

Many smaller “mom and pop” or regional chain retailers, as well as retailers in verticals such as fast food or convenience, may have less urgent need to comply with EMV. However, all retailers need to keep in mind that while the first generation of chip cards can also still work with traditional stripe-reading POS technology, at some point chip cards will no longer have this backward compatibility.

Confused? You should be

There are many aspects of EMV where there is no clear industry agreement. For example, retail advocacy groups such as the National Retail Federation (NRF) and Retail Industry Leaders Association (RILA) say that unless a chip card uses a unique consumer PIN for authentication, it is no more secure than a magnetic stripe card.

Banks and card issuers counter that using signature for authentication, which at least for now is the general standard being used in the U.S., provides sufficient security. The rest of the developed world uses PIN for authentication. The answer will not be known until EMV chip cards have been in circulation long enough to obtain fraud figures.

In addition, the NRF and RILA claim that banks and card issuers are lagging in providing consumers with EMV-compliant chip cards, a charge the financial institutions deny. There is no clear figure on how many consumers have actually received chip cards. Visa estimates that 57% of U.S. consumers have at least one EMV-compliant chip card (including non-Visa cards). However, a survey from ACI Worldwide indicates 59% of U.S. consumers with one or more payment cards have not yet received a chip card.

Need time? You’ve probably got some

There is general agreement that it is going to take a long time for the majority of U.S. retailers to comply with EMV. Visa estimates it will take four to five years for 90% of U.S. payment card transaction volume to be EMV-compliant, while The Strawhecker Group estimates only 44% of U.S. retailers will comply with EMV by the end of this year.

Fortunately, the experts agree that based on the experience of other countries, while there will be an initial rise in retailer fraud liability in the first year or two of EMV compliance, it will not happen immediately or dramatically. Visa estimates that within four to five years retailer fraud liability levels will drop back to pre-EMV levels.

Tom Litchford, VP of retail technologies for the NRF, told Chain Store Age in a previous interview that retailers do not have to look at Oct. 1 as any type of “drop dead” date for EMV compliance.

“The liability shift is not a hard date,” said Litchford. “It’s mandated by card providers from a risk-management business perspective. Whoever is least secure has the liability.”