NEW YORK (TheStreet) – Mom-and-pop shops know they have to switch to chip-and-PIN credit- and debit-card readers by October, but many of them still haven't figured out what that new technology is yet.
Visa, MasterCard, Discover, American Express and their banking partners have set a government-enforced deadline of Oct. 15 for a “liability shift” that, for the first time, would make merchants liable for fraudulent charges resulting from using point-of-service readers that can't read chip-and-PIN EMV cards. Unfortunately, a survey indicates that just 42% of small-business owners plan to make the switch.
Intuit, the company that produces Quicken and TurboTax financial software, conducted a survey that discovered that was the percent of small-business owners who haven't heard of the EMV liability shift deadline. Nearly 60% of those surveyed cited the cost of a new terminal or reader as the top reason keeping them from upgrading, while 85% who aren't making the switch are unaware of the financial and legal liabilities they will be responsible for starting in October.
“The biggest barriers for small businesses to become EMV-compliant are cost and lack of time or resources required to research terminals,” said Eric Dunn, Intuit's senior vice president for payments and commerce solutions.
Granted, Intuit has its own motivations here: It's offering a card reader of its own. But it brings up the valid point that 58% of small businesses have higher sales transactions when customers pay with a credit card — and 86% of small-business owners who aren't switching may not be able to handle the financial and legal liabilities of fraudulent card transactions.
“This is something I actually worry about … smaller merchants who resist the terminal upgrade and then have a local fraud event, and eat the losses,” says Seth Ruden, senior fraud consultant at Naples, Fla.-based banking and payments systems firm ACI Worldwide. “Bigger corporations who have a project management team to oversee this, as well as the funds to execute it with the best technology will be a big benefactor.”
Home Depot, 7-Eleven, Target, Kroger stores and others are already using new readers and had some ready by last year's holiday season. But the 7.3% adoption rate in the U.S. at the end of 2014 was just a small fraction of the 83% adoption rate in Europe, the 50% rate in Africa and the Middle East and the 59% of Canadian, Latin American and Caribbean cardholders using EMV technology, according to chip-and-PIN management and testing firm EMVco.
“The fact is that the conversion will take quite a while, presently estimated into 2017 at the least, and the current teams of card-present fraudsters will be moving in the same channel they have worked until there is less opportunity there,” says Seth Ruden, senior fraud consultant at Naples, Fla.-based banking and payments systems firm ACI Worldwide. “So the net is that there will be plenty of options in that space for a long time to come.”
It isn't just the mom-and-pop retailers who have to worry. Smaller card issuers are bearing the brunt of this change as well. Curtis Arnold, founder of credit card industry rating and monitoring sites CardRatings.com and BestPrepaidDebitCards.com, notes that it costs four times as much to issue an EMV card as it does to make cards with only magnetic strips.
“Smaller issuers and retailers, as might be expected, are going to have more difficulty,” he says. “I do think if you have a card with a smaller issuer that you should call and ask about how the are progressing.”
Ideally, an EMV card should provide increased protection for the cardholder and merchant. Used in Europe since the early 1990s, EMV cards — which take their name from Europay/MasterCard/Visa — contain an embedded microchip that is authenticated using a personal identification number. A reader detects the chip and asks the card user for a PIN that matches the one found on the chip. There isn't a magnetic strip with all a user's data embedded in it, and there's a far lesser chance of a chip-and-PIN user's data being stolen.
Ideally, a shopper would simply slide the chip end of their card into a slot at the bottom of a checkout card reader, enter their personal identification number and be done with the transaction. But with new readers just trickling into retailers, your chip-and-PIN card is reduced to chip-and-signature on a magnetic strip reader.
That makes cards every bit as vulnerable as they were when Home Depot's breach put 56 million credit card numbers and 53 million email addresses into jeopardy last year or when 70 million Target shoppers had their data stolen in 2013. However, those companies could afford quick upgrades. According to market research firm Javelin Strategy & Research, there are 15 million card readers, 360,000 ATMs and more than 1.1 million credit and debit cards that would have to be replaced at a cost of roughly $8.7 billion. That cost falls a lot heavier on small businesses, but it's still less expensive than the cost of another breach. Without chip-and-PIN card readers, however, everyone is still at risk when a card is accepted as a form of payment.
“The heist is on and has been on a while, it’s been close to a gold rush since around 2009,” Ruden says. “Again, we’ve got a handful of years, perhaps as many as five, until we really have a fence around card-present transactions.”
— Written by Jason Notte in Portland, Ore.
To follow the writer on Twitter, go to http://twitter.com/notteham.