Retail EMV Adoption: Eyes Wide Open

The U.S. banking industry has a sense of inevitability concerning adoption of the EMV (Europay MasterCard Visa) smartcard standard. And the threat of industry-imposed deadlines combined with the steady drip of recent high-profile security breaches at stores like Target and Neiman Marcus only help to strengthen that mindset.

But the fact is that EMV adoption remains in a holding pattern with U.S. retailers. While it may well be inevitable, the future is both uncertain and threatening for retailers. Banking executives—who have been well indoctrinated by the EMV talking points of Visa, MasterCard and American Express—would be wise to consider the issue from the retailers’ perspective. Indeed, it would better prepare everyone for what promises to be an expensive and disruptive transition to digital chip-and-pin cards in the U.S. market.

In a nutshell, U.S. retailers are feeling abused and confused. While they are being offered both a carrot and stick from credit card providers to upgrade their payment infrastructure to EMV-enabled cards, the carrot is puny and the stick feels more like a club.

The good news is that retailers who conduct over 75 percent of their transactions with EMV-enabled terminals will not have to submit their annual PCI (payment card industry) audit reports to the payment brands, saving them money on PCI compliance costs. However, the downside is that retailers still bear the burden of PCI compliance. In the event of a breach, retailers who are non-PCI compliant will not be protected by “Safe Harbor” provisions and will be held fully responsible for the fines associated with non-PCI compliance. So while cost of preparing annual reports may represent some savings, even EMV-enabled retailers will still incur all of the costs associated with insuring full PCI compliance. Card issuers say the smart chip standard will reduce retailers’ fraud exposure while increasing security. Yet, the current plan for EMV implementation in the US is lacking a critical security element— the PIN code. The U.S. implementation will be based on chip-and-signature. A signature doesn’t offer any meaningful protection. Fraudulent transactions are not rejected based on signature mismatches.

The fact is, card issuers and retailers experience fraud differently. While the difficulty in replicating the chip in an EMV card provides some protection for card issuers during POS transactions, the U.S. implementation of EMV does nothing to protect retailers from fraud associated with card-not-present (CNP) transactions. Consider that in 2012 there was $11.27B of credit and debit card fraud (Nilson Report, Aug 2012), of which card issuers experienced 63 percent of the losses primarily at the POS. Retailers on the other hand experienced a whopping 37 percent of the losses in card-not-present (CNP) transactions (e.g. Web, phone, mail order). To make matters worse, failure to comply with the card issuers mandate by the October 2015 deadline will shift the fraud liability for POS transactions from card issuers to non-EMV compliant retailers. From the retailers’ perspective, it is a lose-lose situation. Retailers will either make enormous investments in a solution that doesn’t provide CNP/PIN protection, or they will suffer the associated liability of fraudulent credit card transactions. It’s going to cost them one way or another.

How EMV impacts brand reputation with consumers is another issue retailers are trying to figure out. To be frank, consumers don’t care about EMV. The current card system is convenient and easy to use. In their minds, retailers, card issuers, and the rest of the “system” exist just to fulfill their responsibility to protect themselves and consumers from hostile attackers. Even as we learn that the personal information of an estimated 110 million consumers was stolen in the recent Target breach, there hasn’t been widespread consumer revolt…..yet.

But consumer opinions might change as these high profile breaches become regular occurrences. Consumer attitudes could also shift dramatically as some retailers slowly move to EMV systems. Suddenly, consumers may favor EMV cards—and the stores that support them—over those that don’t because of the perceived security benefit. Tech savvy millennials, for example, who came of age in the digital world may naturally gravitate toward EMV-enabled retailers.

Ironically, future technological uncertainty is also one of those factors holding retailers back. While a chip represents an improvement over a mag stripe, at the end of the day a chip is just a “dumb computer.” Today’s smartphones provide a far superior potential platform for implementing much-needed end-to-end security, capable of evolving ahead of future threats. And for the next generation of consumers, their personalized mobile devices are no less important than their wallets. During his Senate testimony, Mallory Duncan, National Retail Federation SVP and General Counsel, effectively described EMV as “spending billions to combine a 1990’s technology (chips) with a 1960’s relic (signature) in the face of 21st century threats.”

Regardless of what one may believe about EMV, retail as an industry is in desperate need of a solution for credit and debit card fraud. In the wake of the Target breach, J.P. Morgan and Chase did the unthinkable – they imposed spending limits on consumers in the middle of the holiday shopping season. Evidently credit and debit card fraud is now more painful than the lost sales caused by interfering with a consumer’s desire to buy. The bottom line is U.S. retailers, credit card issuers, banks, and everyone else with a stake in the future of credit card payment systems clearly need a comprehensive solution to reduce card fraud and increase security in the U.S. market. But to retailers, the current proposed implementation of EMV represents an extremely expensive investment for a solution that does not address basic problems (e.g. CNP transactions) and is lacking critical elements of fraud protection (e.g. PIN). Instead of threatening retailers through forced adoption of an inadequate solution, the U.S. should consider alternative approaches that not only meet current needs of all parties involved— but most importantly protect consumers from evolving future threats.