Why the EMV liability shift missed the mark
Dick Mitchell, solutions director in the technology deployment services practice of Randstad Technologies.
We're now more than a month past a deadline that was supposed to mark a major retail transition to a more secure credit card technology in the United States.
On Oct. 1, banks were to have issued EMV (named for Europay, Mastercard and VISA but now synonymous with “chip-enabled”) credit cards to U.S. consumers. By the same deadline, most merchants were to have upgraded their payment systems to accept the new EMV cards.
Much of the rest of the world already uses EMV cards, and the U.S. is years behind. The penalty for missing the Oct. 1 deadline: Liability for credit card fraud has shifted to the party using the less advanced technology — merchant if using swipe technology, bank if using a swipe-only card — rather than falling automatically to the issuing bank and card brand, as it seemingly always has done.
Yet it's estimated only 25 percent of U.S. merchants made the transition in time. Those missing the deadline include public companies with a fiduciary responsibility to shareholders they've failed to honor. The banks issuing the new EMV cards have decided to issue chip-and-signature cards rather than the more secure chip-and-PIN variety. How did we get to this state?
As the deadline does not carry the force of law, it's unclear to what extent the liability shift will be enforced. More concerning, however, is that many businesses had not even heard about the transition as late as this summer.
In a survey of C-level executives and IT decision makers that Randstad Technologies conducted this summer, 42 percent of respondents said they either had not taken any steps toward the transition or were unaware of any progress made. As it turned out, nearly 75 percent of retailers failed to meet the deadline. Lack of time was ranked as the top obstacle, followed by access to technology expertise. Even more surprising, though, was the finding that only about 30 percent of respondents believed that having EMV card readers would encourage customers to conduct business with them, and another 32 percent were uncertain about the new cards' impact on their business.
These findings suggest a lack of awareness among both businesses and consumers — about both the reason for the shift to EMV and the importance of who assumes liability for credit card fraud.
You'd think that for such an important initiative, there would have been more communications; but the major marketing outreach seems to have started late this summer. While 52 percent of survey respondents rightly thought it would take four months or more to complete the process, 43 percent had no idea how long it would take — another sign that information was scarce.
In addition, many small and mid-sized businesses seem to believe, “It won't happen to me.”
Upgrading to EMV terminals is costly and time-consuming, so many businesses delayed, likely thinking the investment to upgrade would outweigh the costs of paying fraud incurred from a credit card breach. Indeed, 15 million PIN pads needed to be replaced by retailers in the U.S. at upwards of $500 each with planning, hardware, application and deployment. That's $7.5 billion in transition costs. Consumers weren't demanding the change; in fact, most are still pretty unaware.
On the banking side, most banks have chosen the less secure card, which, while technically compliant, costs less to deploy and maintain. Their investment, with 1.2 billion debit and credit cards to replace at $3 or $4 each, is no small piece of change either.
So why haven't consumers demanded more secure credit cards in the wake of so many retail breaches? A strong outcry from consumers could have prodded issuing banks and merchants to action, at least letting both know that consumers were aware of EMV and cared about credit-card security. Whether consumers care about liability for fraud is even more doubtful, as most have been insulated from these costs.
They know that, for the most part, they don't have to bear the cost for fraud and that banks do. If merchants have to assume liability for fraud, consumers will absolutely end up paying higher prices to compensate for business losses. That message didn't seem to come across, either.
As it turned out, Oct. 1 was a suggestion rather than a hard deadline. The deadline for ATMs to transition to EMV is not until next October, and gas pumps have two more years to comply. Will those deadlines be any firmer? Unfortunately, it might take another massive retail data breach to make the EMV transition a reality. Let's hope not. Rather, let's hope that consumers and businesses alike see that the cost of the EMV transition is worth it to avoid the price we're paying for credit card fraud in the U.S. —— $12 billion in 2015, and growing every year.
Dick Mitchell is a solutions director in the technology deployment services practice of Randstad Technologies, based in Woburn. He has been in the technology space for more than 30 years, providing services to a variety of customers for whom point-of-sale infrastructure and wireless are critical components of success.
WBJ Web Partners
Most Recent
Most Recent
0 Comments