The problematic US EMV rollout and the larger question: Is EMV actually protecting retailers against fraud?

In this guest post, Vlad Branin, VP, Professional Services, Zooz, talks about the ins and outs of US EMV adoption: process of rolling out and the specific benefits.

EMV adoption in the US has been a favorite topic for discussion among payment industry experts over the past few years. Prior to the liability shift in October 2015, pundits disagreed as to how long the migration period would take. Aite Group forecasted that by the end of 2015, 70% of US credit cards would have EMV capabilities. TSG believed that 50% of merchants would have EMV-equipped terminals by June 2016, and predicted that the US would not reach a 90% threshold until 2017. Javelin Strategy & Research estimated that penetration of EMV cards in the US would reach parity with the rest of the world by 2018.

 

The actual numbers tell a different story: At the end of 2015, 5% to 10% of merchant transactions in the US featured chip cards read by EMV terminals. Today, a year after the October 2015 liability shift, somewhere between 17% and 37% of all US merchants have adopted EMV POS terminals.

 

Problematic Rollout? Not Necessarily

Due to the disparity between the predicted timeframes and actual implementation periods, some experts declared the rollout problematic and attributed the delay to a variety of causes from processor and terminal supplier backlogs and time-consuming hardware programming to red tape connected to acquirer certification, and finally procrastination on the part of merchants who choose to sit on the fence as long as they can.

But were the predicted schedules even realistic? While some parties were bemoaning the delay and seeking reasons to explain it, Electronic Transactions Association pointed out that total US adoption was expected to take five years, which is the same amount of time it took European nations to get to just 50% market penetration of chip transactions.

There are always bumps on the road to new technological adoptions, and the truth is that the US market has come a very long way in a short period of time. Most of the largest brick-and-mortar retailers in the US have already invested significantly in new EMV hardware and have upgraded their POS terminals with chip slots. Several large enterprises (led by Wal-Mart, which completed activation of EMV for both credit and debit cards at the end of 2015) have achieved EMV enablement at all of their stores.

 

Is EMV Actually Protecting Retailers against Fraud? Yes, Indeed!!

There are those who question EMV’s ability to protect retailers against credit card fraud. Criticism from some quarters maintains that EMV doesn’t really offer the solid security it lays claim to. For example, some critics blast the existing paradigm of chip card use in the US, namely “chip-and-signature,” saying that it still exposes consumers to fraud. Throughout the world, the EMV chip is employed along with the user’s PIN, providing two-factor authentication against fraudsters. US issuers decided on gradual adoption of EMV in order to ease the process. In due course, they will move on to the more secure “chip-and-pin” model. In any case, even the existing “chip-and-signature” offering provides robust protection against skimming.

Some pundits argue that the renowned cyber-attack on Target could not have been prevented by EMV, but factually this is not the case. The attack was on Target’s system, from which the Track2 images were stolen. When using an EMV card, the Track2 data is drawn from the chip, and it is different than the information stored on the magstripe. The chip contains a special element which contains the data stored in Track2, in addition to all of the data stored on the EMV itself. Any attempt to steal Track2 from the chip and place it on a magnetic stripe is doomed to failure, because the Track2 element on the chip is different than the Track2 element saved on the magnetic stripe.

If the retailer had used only EMV for credit card payments instead of allowing payment through magnetic stripe swipes, the thieves might have been able to breach the Track2 from the chip, but it would have been of no use to them. Retailers that allow the use of the magstripe on EMV cards in their stores expose themselves to the risk of card cloning, which is not possible when using the chip. Target paid a high price for the breach in the form of compensation to hack victims of over $252 million (up to $10,000 each) and offered one year of free credit monitoring and identity theft protection to all customers who shopped in US stores.

 

The Benefits of EMV

Here is a list of the wide range of benefits that the EMV chip credit card system offers retailers, despite the initial expense and resources incurred by installation:

  • EMV chips cannot be copied, unlike magnetic stripe data. Aside from which, there would be no point in copying the data because the transaction signature (ARQC) changes regularly.
  • As part of the EMV incorporation process, credit card schemes obligate terminals to support point-to-point encryption (P2PE), which prevents POS intrusions.
  • EMV cards do not require online connectivity to process entities such as banks to handle a transaction. Verification data embedded in the smart chips can be used to authenticate PIN codes.
  • EMV enables the bank and customer to use a wider variety of payment applications in a single card such as a debit card, bank account, credit card, etc.
  • EMV enables credit cards to manage additional applications unrelated to payments such as online identification using a social security number, or charging a personal electronic public transportation card.
  • The shift to EMV necessitates the purchase and installation of special POS terminals. But these terminals also enable the use of NFC cards such as mobile wallets, which will provide a smooth and rapid transition to alternative payments when they become more widespread.
  • In the past, Americans using their magstripe credit cards abroad were faced with high rejection rates. Now they can expect to enjoy increased acceptance when using EMV cards overseas.
  • EMV offers a more secure means of payment for customers. Not only do relaxed customers usually buy more, but they will also want to repeat the pleasant experience in the future. When retailers give shoppers a sense of security, they are rewarded with reciprocal long-term loyalty.

 

The Future of EMV

Some lessons are hard learned, and investing money and resources in new technologies is never easy. And there are always those who argue that soon EMV will not be enough to repel hackers. Be that as it may, experience has proven that security is a crucial component of the successful payment model. EMV is not about to disappear, and those who disregard it may pay a high price for their procrastination. At least for the time being, EMV provides an essential level of security in the ever rockier seas of payment fraud.

Related reading