The state of EMV: Change is coming…slowly

Promoting the next big thing is part and parcel for a retail industry built on reinvention. When it comes to its own internal workings, however, change is hard to sell. So it goes with the transition to EMV payment technology.

Although the new chip-enabled smart payment cards—which are designed to make transactions safer and less vulnerable to fraud—have been rolling out for a while, not all merchants were on board to accept them. Then, in Oct. 2015, nine of the largest U.S. payment networks enacted a liability shift essentially stating that the financial burden for fraudulent transactions would be borne by whichever party possessed the lesser technology. This meant that if a bank—say, Visa—issued a chip-enabled card, and it was fraudulently used at a merchant that did not have an EMV chip reader, then that merchant, and not the bank, would be responsible for the charges.

Naturally, some merchants balked. Others found themselves stymied by a backlog in terminal availability and processor accessibility. Still others simply took a wait-and-see attitude, and decided to hold off on making the costly, time-consuming upgrades until it was clear that consumers would be comfortable adopting the new technology at checkout.

Another issue with the liability shift was that it was widely misreported and misinterpreted as a mandate, which left many retailers scrambling to make sense of the technology and assessing the potential repercussions of not complying. But these new guidelines are not government directives. It’s more accurate to call this a shift in responsibility, albeit a rather dramatic one.

What’s this about again?

EMV, which takes its name from the three companies that created its chip-integrated standard (Europay, MasterCard and Visa, respectively), is a technology designed to help better authenticate credit and debit transactions. Each time a chip-enabled card is used, it creates a unique and dynamic transaction that’s significantly more fraud-resistant.

This is a substantial upgrade from magnetic stripe (magstripe) technology. “Magstripe data is static,” said George Peabody, partner at management consulting firm Glenbrook Partners. “There’s data written on a magstripe that never changes, and that data can be copied endlessly and used endlessly. The magic with EMV is that chip is a little computer, and that computer talks to the terminal, and creates transaction-specific data that only the issuing bank can decrypt.”

Unfortunately, processing EMV cards is slightly more time-consuming: EMV cards are dipped into a reader, as opposed to swiped, and they cannot be removed until the transaction is complete. In some cases, that delay can create longer lines, impatient customers and even result in missed sales.

“The EMV transaction process takes a lot longer than the magstripe,” said Jared Drieling, business intelligence manager at The Strawhecker Group (TSG), a management consulting company focused on the global electronic payments industry. “It took one second for a magstripe card, and now it’s 15 seconds with a chip-enabled card. Those extra seconds have implications in a busy season. It can make people jump out of line.”

Consumers, who may not have read the flyers and pamphlets enclosed with their new cards, are less aware of the technical processes involved in the new security measures. Additionally, many merchants were loathe to make the switch during the busy holiday season, when even a few seconds’ delay could create a cascade of problems at the register.

The cumulative effect of these issues has been that the rollout has progressed somewhat slower than some forecasters anticipated. According to a survey released in Feb. 2016 by TSG, an estimated 37% of U.S. merchant locations are currently EMV-ready following the October liability shift. A previous TSG survey, released in September 2015, estimated that more than 40% would be ready by this time.

“This is the largest card network in the world, in terms of the number of retailers, the number of banks and the number of consumers,” said Darren McCue, president of Dunbar Security Solutions. “And just because the [liability shift] date is thrown out there doesn’t mean it’s going to happen.”

McCue points out that although the processor backlog is easing somewhat, and the terminal backlog has almost disappeared, the massive disruption caused by the liability shift meant that there were bound to be a few bumps in the road. “It’s moving faster than I expected,” he said. “And now that the equipment backlog has been satisfied, it’ll move even faster.”

There’s still a cost and a time commitment involved that may make upgrading to the new terminals impractical for smaller stores. “If I’m a dry cleaner or a small coffee shop, what’s my incentive to splurge on new terminals to migrate to EMV?” said Drieling. “If you don’t see a lot of fraud, there’s very little incentive, unless you want to be able to accept contactless pay and Apple Pay. That said, if you’re a jewelry store or an electronics store? These merchants really felt some of that fraud liability, and they’re playing catch-up now and trying to become EMV-compliant.”

The expense can be especially significant for larger chains. "There’s the cost of the machines, the cost of the training, the cost of the integration to work with the card processors to get this up and running. You don’t just install a new system and get it up and running," McCue said. "And when you have any kind of disruption in your business, that also costs money.”

The terminals themselves cost about $200 each, McCue said. "[B]ut the disruption may cost $2,000. And for Target, it costs $2.6 billion."

What’s the outlook?

The general consensus seems to be that despite the challenges, there will be a significant uptick in merchants adopting EMV technology throughout 2016. But experts also caution patience, and indicate that this process will take time.

“In other markets outside the U.S., it takes six to seven years to make the shift,” said Peabody. “In the U.S., with most national retailers, if they haven’t made the switch already, they’ll turn it on in 2016, and then we’ll see a bump, maybe up to 60% in the coming year.”

According to Drieling, those numbers might be even higher if there weren’t other issues involved. “There’s been a backlog since the liability shift,” he said. “In some cases, merchants couldn’t get terminals. In other cases, you’d have a terminal, but it wasn’t activated, because the processors and acquirers also have a backlog. So some merchants might be feeling some heartburn if they have a terminal and they can’t turn it on. But at the end of 2016 we predict that 72% of all U.S. merchants will at least have a terminal.”

From a consumer perspective, this is not simply about compliance but about safety. However, McCue warns that it’s not really a big upgrade in terms of consumer protection, which is yet another reason why retailers are not completely thrilled with the idea of making this switch.

“This doesn’t make our cards safer,” said McCue. “Today, even if you go to a merchant that’s EMV-enabled, you have to sign. What they should be asking for is your PIN. It’s safer for the consumer because it prevents cloning, because it’s dynamic. But if someone stole your chip-enabled card today, they could use it with no problem. In Europe they need a PIN. So again, this is not a security deal. This is a shift in liability. So if I’m a merchant, I’m not happy about this. This is making consumers safer, but it’s negligible.”

At the end of the day, the switch is inevitable, though, and that’s in part because the upgraded terminals will also allow for newer transaction systems such as contactless payments and mobile payments.

“I think there was a huge misconception about EMV and calling it a deadline,” said Drieling. “This is going to take some time. We have a complex ecosystem here, and we’re ahead of the curve compared to what’s happening around the globe. When a merchant hears ‘deadline’ they hear Y2K, but I like to view it as a starting line.”