As the Move To EMV Nears, Will the Deadline Be Met?
Many retailers have been preparing for the mandatory October migration to EMV payments. Those chip-embedded payment cards offer improved protection against fraud, and shifts the liability in the case of fraud from the banks to the retailer. The plan has been on the books for three years, and although some retailers have made headway in preparation, one trade group, the Food Marketing Institute, has asked the credit card companies to move the deadline to next year.
U.S. retailers are late to the EMV party; MasterCard’s risk movement happened on Jan. 1, 2005, for instance. According to EMV Connection, the standard has been implemented in more than 80 countries, with roughly 1.5 billion EMV cards issued globally and 21.9 million POS terminals accepting EMV cards at the end of 2011. In March 2012, Visa, MasterCard and Discover reported EMV migration plans for the United States, and American Express followed in June 2012.
The mandate puts the responsibility for investing in the required new hardware and software in the merchants’ hands, an investment some have been slow to make. In an interview with the Wall Street Journal, the letter from Leslie Sarasin, president and chief executive of the trade group noted: “Regardless of how strong the commitment or how many dollars invested, the reality is that the system will not be ready to meet the card networks’ arbitrarily-set mandate for the liability shift in October 2015.”
However, the National Association of Federal Credit Unions is petitioning Congressional leaders to reject the FMI’s request. In a letter to Senate Majority Leader Mitch McConnell, R-Ky., Minority Leader Harry Reid, D-Nev., House Speaker John Boehner, R-Ohio, and Minority Leader Nancy Pelosi, D-Calif. NAFCU President and CEO Dan Berger wrote:
Merchants, retailers and credit unions are all targets of cyberattacks. The difference is that financial institutions have developed and maintain robust internal protections to combat these attacks; they are required by federal law and regulation to protect this information and notify consumers when a breach occurs that will put them at risk. By contrast, merchants and retailers are not covered by any federal laws or regulations that require them to protect the data and notify consumers when data is breached.
The WSJ reported that MasterCard and American Express had no arrangements to change the date, while Visa and Discover did not respond.
However, as the deadline gets closer, more critics are voicing concerns that the standard is being compromised for expediency. CNN Money recently interviewed Mike Cook, Wal-Mart’s assistant treasurer and a senior vice president, who said that the giant retailer would have preferred the standard be chip and PIN, rather than chip and signature, which some retailers are adopting. Some critics think that move is a half-measure, one that would protect against counterfeiting, but not fraud.
CNN Money reported that Cook said during a presentation at the recent Electronic Transaction Association’s Transact conference: “Signature is worthless as a form of authentication. If you look at the Target and Home Depot breaches … not a single PIN debit card needed to be reissued in those breaches. The card number was worthless to the individual thief and fraudsters, because they didn’t know the PIN.”
The next several months will see how Chip and PIN vs. Chip and Sign play out, but it’s clear the public is ready for improved measures. Gallup reports that 69% of Americans report they frequently or occasionally worry about credit card information they used in stores stolen by computer hackers — the most common concern. And, if 2014 is any guide, retailers would be wise to adopt the most aggressive security measures possible, because fraudsters are becoming increasingly sophisticated.