Visa, MasterCard, Discover, American Express and their banking partners have set a government-enforced deadline of October 1 for a “liability shift” that, for the first time, would make merchants liable for any fraudulent charges that result from using point-of-service readers that can't read chip-and-pin EMV cards. Unfortunately, with banks no longer bearing responsibility for those charges, they haven't been in any great hurry to educate either customers or businesses about the new chip-enabled cards they've been issuing all year.
As a result, point-of-sale technology company Randstad Technologies notes that 42% of business technology decision makers, including corporate executives, have either taken no action to install new card readers or don't know if their companies will hit the deadline. That cutoff date, by the way, is roughly two months away.
“There isn’t one industry that is more prepared than the other,” says Dick Mitchell, Randstad Technologies Solutions Director. “This 42% is made up of businesses of all shapes and sizes – including good sized businesses with 100 or more sites in the retail, hospitality, restaurant, financial services industries – all of which should have a vested interest in the liability shift.”
They likely would, if they had any clue what that liability shift meant for their businesses. Small-business website Manta, which hosts 2.5 million businesses, conducted a survey that found 28% of small business owners don't know what EMV technology is or how it impacts their business. Used in Europe since the early 1990s, EMV cards -- which take their name from Europay/MasterCard/Visa -- contain an embedded microchip that is authenticated using a personal identification number. A reader detects the chip and asks the card user for a PIN that matches the one found on the chip. Since there isn't a magnetic stripe with all a user's data embedded, there's a far lesser chance of a chip-and-PIN user's data being stolen.
However, 16% of small business owners says they don't see enough EMV chip-enabled cards in their business to make the transition worthwhile -- despite the fact that banks and other credit card issuers have been doling them out all year. Manta also found that 12% disagree with the liability shift itself, which isn't going to help them in the event of a data breach, while the remaining small business owners (2%) believe the new card readers are too expensive. Manta chief executive John Swanciger says that tech companies are helping alleviate the cost of the readers themselves, but that businesses still aren't getting the message about their increased liability.
“I don't think the point-of-sale providers are doing a great job of educating businesses about what this means,” he says. “What we're seeing as a result of that are new entrants Square will give you a new reader for free and now PayPal will be doing the same thing in the fall. The education around EMV is from companies trying to get market share, but they aren't really scaring small businesses into the fraud risk.”
There's plenty of reason for businesses to be frightened. As Randstad notes, credit card fraud in the U.S. is estimated at $10 billion to $12 billion this year alone -- and growing. Credit card companies stop absorbing the hit after October 1, meaning businesses without EMV capability will be picking up at least a portion of that tab. While 55% of the businesses Randstad surveyed say the deadline for the EMV switch should be delayed, there is no indication that a reprieve is coming for either them or consumers.
Oh, that's right, shoppers: You have a stake in the EMV switch, too. Robert Harrow, credit card analyst at ValuePenguin, notes that while consumers are still protected from fraudulent charges by the CARD Act of 2009, their personal data and ability to use their card is still at risk as long as banks continue to issue chip-and-signature cards with magnetic stripes rather than the more-secure chip-and-PIN EMV cards.
“One of the other major problems with the EMV implementation in the U.S. is the type of chip being standardized,” Harrow says. “Most EMV cards in the U.S. will be chip-and-signature as opposed to the more secure chip-and-PIN, which is standard in many European countries. If you travel with a chip-and-signature credit card to, for example France, you will be unable to use your card at many unmanned point of sale terminals, which accept only chip-and-PIN EMV cards (this includes gas stations, train ticket terminals, etc.).”
Beyond that, the magnetic stripe makes it a lot easier for thieves to lift your personal data from your credit or debit card. Randstad's Mitchell notes that magnetic stripes will endure in a widespread fashion until gas stations are forced to convert to EMV card readers in October 2017. Despite the fact that 28% of businesses surveyed by Randstad believe that chip-and-signature is more secure than chip-and-PIN, Mitchell says that magnetic stripe data will still be easy to read -- and that businesses that learn this the hard way will pass the cost of their mistakes on to consumers.
But it isn't just retailers pushing this insecure chip-and-signature stopgap measure. Curtis Arnold, founder of credit card industry rating and monitoring sites CardRatings.com and BestPrepaidDebitCards.com, notes that it costs four times as much to issue an EMV card as it does to produce cards with only magnetic stripes. Oh, and banks think you're kind of dumb. Mitchell notes that banks feel that requiring consumer to remember a PIN might make them less likely to use their card or complete a transaction, because they won't be able to remember the number -- ignoring the fact that this nation assigns pass codes to everything from bank accounts to bike locks.
Mitchell thinks it will take consumer uproar or legislative action to get chip-and-PIN readers and cards to the U.S. public any sooner. Manta's Swanciger, however, believes it will only take one big shopping period and a slow news cycle to prompt both banks and tech companies that provide EMV readers to quicken the pace.
“My guess is that's exactly what we're likely to see,” he says. “Back-to-school season is going to be over, there's going to be a fraud issue and then a story will probably be made about a small store that takes a hit on this one and then, maybe, POS and banks will align and get these readers in the hands of businesses.”