It's November 2015 and the owner of an upscale women's clothing store has just learned that the $1,500 dress she sold earlier in the week was purchased with a fake credit card.
Two months earlier, the issuing bank or the credit card network might have covered the store's loss, but because the owner had yet to upgrade the security of her credit card readers, she must now absorb the loss herself.
It's a hypothetical scenario now, but one that could become a reality for retailers come Oct. 15. That's when major credit card networks expect banks and retailers to adopt new technology known as EMV as a way to minimize theft of card data. After that date, liability for fraud shifts from the card networks and issuing banks to whichever party in a transaction the bank or the retailer is the least EMV-compliant.
Small merchants in particular are in no hurry to install EMV card readers, contending that losses from counterfeit credit cards are minimal. Moreover, many merchants only recently replaced their equipment to make them compliant with card industry security standards, so they are reluctant to swap out equipment again, says David Matthews, general counsel of the National Restaurant Association. "For small restaurants in particular, margins are so low that to do capital expenditures, especially on something that is not broken, is not something they want to do," Matthews says.
That foot-dragging concerns some bankers, who fear that they could end up looking bad if a small business is victimized by fraud and is then left to absorb the loss. "I don't want to see headlines saying, 'Big Bad Bank Put Mom's Pizza Shop Out Of Business,'" says David Pollino, senior vice president and enterprise fraud prevention officer at the $71 billion-asset Bank of the West in San Francisco. "But it's coming if merchants don't take it seriously."
EMV cards are embedded with micro chips and are widely viewed as being more secure than magnetic-stripe cards. While stolen data is more common with online purchases, thieves still pilfered an estimated $3 billion from retailers in 2014 using fake or stolen credit cards at the point of sale, according to Aite Group. EMV proponents say that figure would decline sharply if all cards used chip technology.
Still, according to a recent Aite Group survey, 46% of merchants said they had not yet begun any preparations for EMV acceptance. Moreover, 34% said they had never even heard of the U.S. migration to EMV cards.
Liz Garner, a vice president at Merchant Advisory Group, a Minneapolis trade group that represents 85 of the nation's largest merchants, says that her members are still waiting for the card networks to publish testing specifications for certifying merchant technology as EMV-compliant. "But even if the merchants had specs in hand right now, there's no way to get everybody on speed, certified and go live by October," she says.
Bank of the West's Pollino warns that merchants could be exposing themselves to huge chargebacks if they miss the Oct. 15 deadline.
The restaurant group's Matthews says most of its members aren't too concerned because they typically sell low-ticket items and chargebacks at that level aren't "significant" compared to, say, the losses a consumer electronics retailer might suffer.
"They just don't have enough counterfeit experience to make them as afraid as you think they should be," he says.
While the rest of the world has embraced EMV, perhaps the United States could leapfrog to adopting even more recent technology instead, Matthews suggests. "We do believe tokenization and point-to-point encryption offers the most secure solutions."
There's also concern that the EMV upgrades would do little to thwart "card-not present" fraud, essentially online or phone purchases using stolen data.
Even smaller restaurants are utilizing CNP transactions to enable customers to order online for later pickup or delivery, Matthews says. As such, many would rather just wait and adopt EMV technology when it becomes more widely available.
The Merchant Advisory's Garner is more blunt: "What's the point in implementing this now when the methods are likely going to be changed again?"
Implementing EMV chip now would be "extremely costly, extremely disruptive and extremely complex across the board," she says. "With our folks there is a lot of uncertainty of its value, because of the availability of other types of technology that are better."