The adoption of chip-enabled or EMV cards by retailers has been painfully sluggish despite the ability of the technology to provide more secure transactions.
While 70% of U.S. credit cardholders have a chip credit card, estimates demonstrate that only 22% to 37% of retailers have implemented the technology to accept these cards, said CreditCards.com, the Austin-based online credit card marketplace. The deadline set by the credit card industry was October 1, 2015 for converting to these new cards, which are intended to thwart hackers from accessing consumer accounts and personal details.
Merchants who missed the deadline and have not converted to using these new EMV cards are now financially responsible for any charges which are fraudulent. Boston Retail Partners, a retail consulting firm, estimates that only 22% of retailers have the software and card readers to accept the cards while Strawhecker Group, an Omaha, Neb.-based consulting firm, predicts a larger amount or 37% of retailers who made the switch.
“National retailers such as Target have adopted the technology, but other companies have failed to complete these upgrades even though it can expose them to a lot of fraud and liability,” said Matt Schulz, CreditCards.com’s senior industry analyst. “The retailers are willing to take the risk to avoid spending money.”
Many retailers do not understand the threats they are accepting by not implementing the use of EMV cards, said Mark Parker, a senior product manager at iSheriff, a Redwood City, Calif.-based provider of enterprise cloud security solutions. Even a small data breach would make them liable for “tens, if not hundreds of thousands of dollars depending on its size,” he said. “ In many cases, the costs of a data breach like this would put a non-compliant small or medium-sized business out of business.”
A survey conducted by CardHub, a Washington, D.C.-based credit card comparison company, found similar alarming results, leaving consumers exposed to hackers. Among retailers who were the targets of data breaches in the past five years, 43% have not updated their terminals and 42% of retailers have not updated the terminals in any of their stores.
Retailers are facing other demands as consumers increasingly are seeking greater fraud protection and want the option to pay for purchases through mobile payment options such as Apple Pay, Android Pay or Samsung Pay.
“With all of these changes, retailers have remained hesitant to invest in a technology they may be obsolete very quickly and they are hoping that a payment standard is eventually settled upon,” said Parker.
The potential penalties for retailers who do not comply remain minor, said Nathan Wenzler, executive director of security at Thycotic, a Washington D.C.-based provider of privileged account management solutions.
“Since fraudulent credit card activity is not held against the user or the merchant, but rather the responsibility of the banks to resolve, there is little incentive for either users to advocate for better security or for merchants to spend large amounts of revenue to replace older credit card processing systems and hardware,” he said.
The current regulations which make merchants accountable “for exercising better security efforts to protect this data” remain weak and the effect is that the citations are viewed as speeding tickets, Wenzler said. “Merchants know they can go months or even years before they are ‘caught’ in violation of the guidelines or other regulations,” he added.
Even when retailers are found guilty, the companies view the fines and penalties as “manageable and are significantly less than what it would take to implement the new hardware,” he said.
“The incentive simply isn’t there for merchants, banks and users to spend the financial resources to quickly implement the systems that would create a stronger security posture around the processing of credit card data,” Wenzler said.
The potential for retailers to lose money due to fraud is immense and consumers are also at great jeopardy of having their personal information stolen and sold to cyber criminals, said Schulz.
“Consumers are all dressed up with nowhere to go and nowhere to use them,” he said. “They should check their online statements and credit score and report anything that looks suspicious.”
Shoppers need to remain vigilant about their credit card purchases and accounts until more retailers make the switch, said Wenzler.
“Consumers need to check the activity on their cards to discover and report any fraudulent charges quickly that they didn’t make and be aware of where they use their cards for purchases,” he said.
Obtaining cash from an ATM, especially ones that are located in stores or entertainment locations still remains precarious because they are a prime target for credit card skimmers.
“If a consumer doesn’t have a chip-enabled card and they use a non-bank ATM, there is a higher chance their card information can be captured,” said Wenzler.
Online retailers are also a threat to consumers because some of the retailers are merely fake sites that are created to capture credit card information, he said. Other web-based retailers are not trustworthy, because they lack the proper security that larger, more commercial websites have implemented.
“They could already be compromised by an attacker who is siphoning off credit card data from new purchases,” Wenzler said. “The key is for consumers to be more aware of where and how their credit cards are used and to take a more active role in managing and protecting their critical information.”
While the new EMV system is a step in the right direction, until they are more cost-effective to implement from mom and pop shops to large companies, “it will be a slow process to get everyone over to the new systems,” he said.
Retailers should ramp up their launch of the use of EMV cards this spring and summer, Schulz said.
“Even though chip and PIN is a good step toward greater security, it’s far from an end all be all solution against fraud,” said Schulz. “In the past, these transitions have taken awhile, so it is not unexpected that the change has been bumpy and slow. Most of the retailers will do it eventually.”