= Subscriber content; or subscribe now to access all American Banker content.

Countdown to the EMV Deadline: Who's Ready, Who's Not

The big moment is just a few days away.

For several years Oct. 1, 2015, has loomed as a turning point in the U.S.'s migration to EMV chip-and-PIN cards — the cards with computer chips that have already been deployed in most parts of the world.

Rules set by Visa and MasterCard suggest that by Thursday, ideally, banks will all be issuing EMV-compliant cards and retailers will have the technology to accept them. If one party is supporting EMV and the other is not, the delinquent entity will have to cover the cost of any fraud that ensues.

It is an enormous change, with the potential to disrupt bank card issuers, retailers and consumers as everyone learns to deal with the new technology that requires consumers to insert their cards and leave them in the store machines throughout a payment transaction, rather than swipe.

Here's what we can expect to see on EMV migration day:

Most credit cards (about 70%) will have chips on them. But most of these cards will be chip-and-signature cards, not chip-and-PIN.

Some criticize banks' adoption of chip-and-signature, arguing that signatures are useless as a fraud deterrent.

"Our position in the U.S. has been that the chip helps eliminate the vast majority of fraud, and we wanted to get the chip deployed as fast as possible," said Mark Nelsen, senior vice president of risk products and business intelligence at Visa.

For Visa, that means replicating the current environment for consumers, which means debit cards will have PIN numbers associated with them, and credit cards will have a signature.

"We felt that was the fastest way to get chip deployed," Nelsen said. "We absolutely support issuers who want to deploy a PIN on their credit card."

Many small merchants won't be ready. Depending on which study you believe, somewhere between 20% and 30% of merchants have purchased and deployed the EMV-capable point-of-sale terminals and software they will need to handle EMV chip cards. Big-box stores like Target that have suffered data breaches have done this work.

But most small stores and restaurants have not. New EMV equipment is expensive and sometimes difficult to implement, and many seem unaware of the dangers of not adapting.

"A big portion is because the merchants don't understand the risk associated with this," said Wade Barnes, director of retail banking at 1st Mariner Bank in Baltimore. The $850 million-asset bank has about 25,000 debit cardholders and 10,000 on credit cardholders.

"Target, Walmart, they get it, they've been involved with enough card issues that they understand the risk it presents," Barnes said.

One of his bank's customers is a bar that is not going to upgrade because its owner sees no reason to do so since the business has not experienced any losses.

"We remind them that, you wouldn't know of any losses because in today's world, it comes directly back to the bank," Barnes said. "Moving forward, that liability will be on the merchant if the customer presents an EMV card. They don't realize what the impact is going to be to them. I don't think most merchants understand the amount of fraudulent transactions that actually happen."

Counterfeit card fraud should drop. For years, criminals have had a relatively easy time of "skimming" the data off traditional magnetic-stripe cards, using easily obtained devices that cost about $20. About $3 billion worth of counterfeit credit card fraud took place at the point of sale last year, according to Aite Group's estimates. That was out of $16 billion in total card fraud.

Duplicating the chip on a chip card is difficult if not impossible. Most new cards are being issued with both a magnetic stripe and a chip and the new EMV terminals accept both the chip and the stripe. So theoretically you could duplicate just the magnetic stripe on the chip card, create a new magnetic stripe card and try to use that. However, if an EMV card is swiped on an EMV-compliant merchant terminal, the system will reject the transaction and force the consumer to insert the chip.

However, in the scheme of things, counterfeit card fraud represent only about 37% of overall card fraud in the U.S.

Online card fraud is expected to rise. So-called "card not present" fraud — where someone uses a card but does not physically present the card (this could be over the phone, over a fax machine, on a mobile device or a computer, but most people equate "card not present" with using a card on a website) — represents the bulk of card fraud in the U.S.: 45%, according to Aite Group. The analyst group expects online card fraud to more than double from $3.1 billion in 2015 to $6.4 billion in 2018.

Many point to the U.K.'s experience in switching to EMV cards: online e-commerce fraud rose 79%. Other countries have experienced similar post-EMV effects.

However, as Nelsen points out, the U.K. adopted EMV in 2006, when online e-commerce was just getting under way. So the escalation of Internet fraud was natural as everyone, including fraudsters, recognized all the possibilities of website commerce.

JOIN THE DISCUSSION

(2) Comments

SEE MORE IN

RELATED TAGS

Comments (2)
RE:"The bank card processing company can go right into your account..."
Due diligence before commenting, please. The card brands' rules DICTATE chargebacks are done this way. It’s THEIR brand, their game, their ballpark, THEIR rules, it sucks, get over it. They do this to protect cardholders first. Without cardholder confidence in that protection, they wouldn’t bring their cards to your business and spend 40% more. Then you and many people who work for the brands would probably not have the same jobs/businesses.
The “processing company” doesn’t remove money and go on vacation with it! The issuing bank HAS it removed; it’s called a chargeBACK, because money goes BACK to the cardholder’s account. The “processing company” charges you because THEY are charged for it by the processor, because they are charged by the issuing bank, because it’s like an NSF fee; if goods or services are either 1)not as described or 2)not received, etc., what do you expect customers to do? Cardholders, on the other hand really need to get a grip and contact the vendor/business first to resolve, but they generally choose what they feel is the easier route of calling their issuer and whining to them.


There is so much hype and confusion about EMV, reminiscent of Y2K, 12/12/2012, PCI. Let’s step back from the fray and think for a moment to gain real perspective. First, please don't conflate "chargebacks" in general with fraud. Chargebacks for reason codes like "not as described” or "goods not received" are IRRELEVANT to the EMV discussion, and cause confusion and panic. Let’s confine discussion to the ONLY things that matter:
#1) "CARD FRAUD" (faked plastic that was swiped) and for AMEX and MasterCard
#2) "LOST /STOLEN FRAUD" (genuine plastic that was dipped or swiped)
While we're at it, let's rule out what is out-of-scope of this whole EMV chip card mess. EMV is irrelevant, IF:
1) *the transaction is keyed
2) *the transaction is e-commerce (for now, at least)
3) @the PAN (card number) is not compromised
4) @the physical card is not lost/stolen
5) ^the card is not issued as a chip card
6) the terminal is a “pay-at-pump” petroleum dispenser or ATM (for now)
WHY?
@ and *Remember: EMV and the liability shift ONLY pertain to (*)CARD PRESENT transactions, where being able to process EMV chip cards could have prevented the (@)card fraud from occurring.
^Largest (B of A) to smallest (your local small credit union or community bank) institutions will issue chip cards. It will take a year or maybe more to reach near 100%, because issuers must justify added cost for new chip cards in their respective budgets.
You have until October 2017 to get with the program, but the pressure is really on you since the criminal element knows this, too!
Also, if you’re a medical facility where patients must ID themselves, especially an office of a specialist, you’re likely at lower risk. It's too much trouble and less likely for a card fraudster to target medical merchants. Analyze logically, put on your “black hat”. You're a “carder” who buys stolen cards or compromised card numbers on the illegal market. Where do you hunt your prey best?
A) Medical offices where you’ll be purchasing co-pays, physical examinations, medical procedures? Or,
B) Retail merchant 1) where you can “buy” easily resold goods, and 2) that has outdated hardware? (the “dark house with overgrown vegetation”)
I’m NOT saying it shouldn’t be done! You must do this for your business’ survival! I’m saying let’s not panic. Eventually those old terminals will fail for some reason anyway; NO processor, First Data, Heartland, Global, TSYS in his right mind will support one that cannot process chip card transaction data. Without software, your hardware is dead. So do it as soon as you can, as soon as your provider can. Be patient. Be smart. If you have a POS provider who has no plan to integrate (or semi-integrate, the smarter choice, really),either get a separate terminal that CAN do EMV, or in some cases, just get a better more modern solution and move on!
Posted by d-money mmg | Wednesday, September 30 2015 at 9:20PM ET
Barnes could'nt be more wrong, the Merchant is on the hook for the loss. The bank, card processing company can go right into your account and take the money back without any recourse. Plus the fee charged to take the money back. I'm offended by the ignorance! "We remind them that, you wouldn't know of any losses because in today's world, it comes directly back to the bank," Barnes said. "Moving forward, that liability will be on the merchant if the customer presents an EMV card. They don't realize what the impact is going to be to them. I don't think most merchants understand the amount of fraudulent transactions that actually happen."
Posted by diy | Tuesday, September 29 2015 at 10:52AM ET
Add Your Comments:
Not Registered?
You must be registered to post a comment. Click here to register.
Already registered? Log in here
Please note you must now log in with your email address and password.