There’s no sense of urgency for EMV – even as the liability shift hits
The EMV liability shift happens today. Yet there’s no fanfare that tells the world we have finally arrived. In fact, as predicted most U.S. merchants and card issuers aren’t prepared and those that are might find the hoopla isn’t all it was cracked up to be.
Last week while browsing in a local retail store I overheard the owner declare, as he was checking out another customer, he had a new credit card reading machine. His exact words were, “and the beauty of it is that it only takes three times as long to process your card!” The customer was patient and friendly while waiting for his transaction to go through, but it did seem excessively long.
In an age where immediate gratification rules supreme the EMV process is like going back in time. Considering this is 20 year old technology, I guess we are.
The EMV movement will continue to be a slow one and plenty of challenges lie ahead including; consumer and merchant education, certification of EMV terminals, and possible new fraud threats.
We don’t know what we don’t know
Arroweye Solutions commissioned a survey of more than 1,000 Americans and uncovered that as of September 2015, 61 percent of consumers still haven’t received an EMV card for their current financial services provider and 65 percent don’t know how to use one. Additionally, 73 percent have not received any communication regarding the EMV shift from their issuer. Not exactly a glowing endorsement of our country’s preparedness.
Many merchants don’t believe the cost to upgrade their systems is commensurate to their losses. Banks caution that merchants may not fully understand the number of fraudulent transactions occurring, because they typically come directly back to the issuer. The liability shift will change that dependent upon which party is compliant.
The question is also being raised whether chip cards are going to prevent fraud if they aren’t PIN protected and require only a signature. How many merchants actually check your signature or ask for an I.D. to verify the card is yours?
Hurry up and wait
EMV certifications are taking much longer than traditional point-of-sale terminals—anywhere from 3-6 months depending on how complex the system is. If a merchant has software from one company, hardware from another, and payment processing from a third, all components must meet the technical standards for EMV transactions. This backlog is frustrating to merchants who have invested in the equipment necessary to accept EMV cards, but can’t use it because they haven’t been able to get certified.
Even when the systems are in place, consumers find themselves waiting longer at the check stand while their transactions process.
Fraud is lurking around every corner
As for fraud threats, I recently received a credit card statement in the mail that I didn’t recognize. The balance showed $0.00, however there was a charge for $128.24 and a credit in the same amount. It turns out the card was one I had for more than 20 years, but stopped using about 10 years ago. Somebody got my information somewhere and used it fraudulently.
The card company in this case was vigilant about reversing the charge and as the consumer I immediately called and canceled the account. The point is—fraud is going to happen with or without EMV.
In fact, thieves have already taken advantage of bad implementations of EMV protocol. The technique they use is called a “replay” attack. In short, the fraudsters have possession of payment terminals and stolen cards then manipulate the data fields for transactions to encode them as EMV. If a bank isn’t checking the cryptograms or counter codes necessary for the EMV transaction, it goes through.
Staying one step ahead of fraud will continue to be a constant battle. Fraudsters don’t just try once and say well that didn’t work; they keep looking for loopholes because they have nothing to lose.
At a recent information-security conference in Britain, the audience cheered when the topic of the EMV liability shift in the U.S. came up. The reason; stolen European payment cards and related data typically end up on the U.S. black market.
Perhaps the only people truly excited about the EMV transition in the U.S. are Europeans.