On that day, merchants -- theoretically -- will turn on terminals that accept so-called smart EMV (Europay-MasterCard-Visa) cards, which are much more difficult to counterfeit than traditional magnetic stripe cards. By then we will also -- theoretically -- have wallets full of EMV cards (sometimes called chip and PIN because of their built-in technology) from MasterCard (MA) and Visa (V), so we will be ready to use those terminals.
There are just a couple of problems with that scenario. Not all retailers will be EMV-ready, and not every card in our wallets will be either. That matters because, as of October, liability for credit card fraud shifts. Traditionally, card issuers -- banks, primarily -- ate losses due to counterfeit cards. They had the opportunity to reject the sale but they processed it, presumably because their processing systems did not smell a rat. Magnetic stripe cards also are easy to counterfeit, leading to billions of dollars in credit card fraud every year -- over $7 billion in the U.S. alone by some estimates.
On Oct. 1, the rules change. Retailers that have not installed EMV terminals will be on the hook for fraudulent transactions, particularly when the issuer has issued EMV cards. By fiat of the card networks, whichever party has the least secure technology loses.
You would think there would be a stampede to get ahead of that fraud. That is not how it is shaking out, however. Avivah Litan, a Gartner vice president and an expert in fraud, said she anticipated that by October “about 35% of merchant terminals will be EMV chip-enabled -- not necessarily turned on -- and between 15% to 25% of cards will be EMV chip cards.”
Julie Conroy, a fraud expert at consulting firm Aite Group, offered a somewhat more optimistic estimate: “Our projections are that 70% of credit cards, 41% of debit cards and 59% of terminals will be EMV-capable by the end of this year. The largest issuers and merchants are moving forward quite aggressively with their upgrades; the smaller issuers and merchants will be the long tail.”
But even with that Aite estimate, a lot of merchants -- and also many issuers -- will be facing risks in October. Who stands to win, and who stands to lose?
Experts agree the big national retailers -- Wal-Mart (WMT) is a case in point -- are well positioned to win because most are well along the path to full EMV implementation. “No CEO wants to be on TV talking about a data breach,” said Steve Mathison, a vice president at big Atlanta-based card processor First Data. He added that after the Target (TGT) breach in late 2013, big merchants suddenly got religion about EMV and the technology quickly went from a nice-to-have to a must-have.
According to Thierry Denis, president of Ingenico North America, one of the largest sellers of terminals, the cost can be upwards of $200 per terminal.
Wal-Mart told TheStreet that 100% of its U.S. Sam's Club and Wal-Mart stores are already EMV-compliant. The technology, said a spokesperson, was turned on Nov. 1, 2014. Target, experts said, is racing to achieve compliance. Also in the chase is just about every retailer with a significant national footprint. Smaller and regional merchants are left to fend for themselves. Experts say there is an EMV implementation queue that is so long, merchants that have not already announced plans to be compliant by October won’t get there.
Are they all at risk of seeing huge jumps in fraud? It depends on how risky their merchandise is. Sellers of electronics -- from flat screen TVs to iPhones -- face real risks. Greengrocers face just about none.
The big national banks already have in place roll-out schemes for EMV-enabled credit and debit cards. Regional banks so far have largely sat this out and, said experts, there is no way for them to crash this party now. “There is not an infinite supply of EMV chips,” said Mathison. These institutions face the possibility of real spikes in fraud losses.
Also directly in the cross-hairs come October will be online merchants, said Mathison. The reason: EMV makes it very hard for average criminals to physically counterfeit credit cards. But the credit card numbers still can be used in online transactions. When the United Kingdom implemented EMV in 2005, so-called "card not present" fraud -- that is, online sales -- stood at $277 million, or 183 million pounds. It jumped to $497 million, or 328 million pounds, in 2008, according to Aite. Everybody expects something similar in the U.S.
Said Mathison: “'Card not present' fraud will increase -- that’s almost a sure thing. Criminals will not become school teachers. It’s been proven in every country where EMV has been implemented.” The best-managed online retailers -- ones with polished data analytics such as Amazon (AMZN) and the large online travel agencies such as Expedia (EXPE) -- are already far along in developing tools to predict when transactions are fraudulent. Smaller, less sophisticated retailers may be facing overwhelming waves of criminality.
Add it all up and, come October, the biggest banks, merchants and online retailers are primed to win. The smaller players, both banks and merchants, almost certainly will see their fraud losses rise.