Card Not Present Fraud , Fraud Management & Cybercrime , Incident & Breach Response

EMV: U.S. Won't Make October Deadline

Experts Assess the Hurdles to Overcome
EMV: U.S. Won't Make October Deadline

U.S. card issuers and merchants likely won't complete a shift to EMV for many years to come, despite the card brands' October 2015 liability shift date for counterfeit card fraud, many forecasters say.

See Also: The Expert Guide to Mitigating Ransomware & Extortion Attacks

In fact, some security experts question whether the U.S. will ever complete its adoption of chip cards and POS terminals that conform to the Europay, MasterCard, Visa standard, better known as EMV (see Infographic: U.S. Migration to EMV).

The card brands' October liability shift date is an incentive, not a mandate. So, missing the liability shift date won't result in fines or an inability to conduct transactions. It simply means that as of October, a card issuer or merchant that does not support EMV assumes liability for fraud that results from compromised magnetic-stripe card transactions.

Weak Incentive?

Missing the October 2015 liability shift date is a bigger concern for larger merchants than it is for card issuers and smaller retailers. That's because they have the most to gain by ensuring the high volume of card transactions they conduct are not susceptible to fraud.

For banking institutions, which already assume liability for losses associated with card-present counterfeit card fraud, the only incentive to move to EMV is to shift that liability onto the retailer. But issuers with smaller card portfolios, or those with cardholders who mainly shop at merchants that already have made the shift to EMV for their point-of-sale terminals, have little incentive to rush to the EMV finish line.

"Community banks are evaluating what the liability shift means for them, and they are balancing that against the cost of issuing chip cards, as well as evaluating the cost of services related to issuing those cards," says Cary Whaley, vice president of payments and technology policy for the Independent Community Bankers Association.

But Doug Johnson, senior vice president of risk management policy for the American Bankers Association, argues: "There is a real interest [on the part of bankers] to get the migration done because they want to dramatically cut the losses they suffer because of counterfeit card fraud."

Meanwhile, smaller merchants with relatively low card transaction volumes may find that the expenses associated with EMV upgrades are greater than simply accepting liability for the low levels of fraud they might experience from mag-stripe transactions, Whaley contends.

On the other hand, Avivah Litan, an analyst for the consultancy Gartner, argues that smaller merchants have a strong incentive to get their POS systems EMV compliant before the October liability shift date because they don't want the liability for any counterfeit card fraud to fall onto their shoulders. That's why they're diligently working to upgrade and replace systems, she contends.

No Magic

For banking institutions, there's nothing "magical" about the October 2015 liability shift date, says Johnson of the American Banker's Association.

The migration to EMV will be gradual, Johnson says, and it won't have a significant impact on the overall payments environment.

"Frankly, what I look forward to is getting past EMV and looking toward our move with tokenization," he adds. "That is where the bigger bang for the security buck is going to be. ... EMV only addresses part of the puzzle."

Whaley sizes it up this way: "Stepping back, I think they're [community banks] really looking at what is the holistic approach to card security. And while I think EMV is one important component of that approach, it is not the only component. End-to-end encryption plays into that and so does tokenization."

Looking Ahead

The Merchant Advisory Group, which represents 85 of the country's leading merchants, the EMV Migration Forum, and others project that card issuers will make more progress by year's end on EMV-card issuance than U.S. retailers will make on POS upgrades and replacements to accommodate EMV.

And Randy Vanderhoof, executive director of the EMV Migration Forum, says that until the mag-stripe is completely removed from the ecosystem, counterfeit card fraud will continue to grow.

"The number of cards and terminals is important, but the more important metric to pay attention to is the percentage of chip-on-chip transactions, meaning the volume of EMV chip cards used at chip-enabled POS terminals," he says.

And while Vanderhoof predicts it will take some time for all of the country's smaller merchants and issuers to conform to EMV, larger merchants' and issuers' efforts this year to ramp up EMV compliance will even things out.

"Because large merchants and issuers will be chip-enabled this year, there will likely be a big increase in chip-on-chip transactions in 2015," he says. "This is despite the long lag time it will take for all of the smaller merchants and issuers to catch up, because they represent a smaller percentage of overall transactions."

The ABA's Johnson predicts 50 percent of the nation's debit and credit cards will be chip-enabled by year's end. Gartner's Litan, however, says that assessment is far too optimistic. "I don't buy into projections that 50 percent of U.S. cards will be chip by the end of the year," she says. "That's way too aggressive. Maybe 50 percent of the merchant terminals will be chip-enabled, but they won't be turned on."

Most large bank issuers are already ahead of retailers in their EMV migration, contends Shirley Inscoe, a fraud analyst at the consultancy Aite. "But we will see many smaller issuers and many, many retailers fail to be EMV compliant by the end of this year," she says.

And Vanderhoof argues that the biggest challenge the U.S. must overcome in its migration toward chip cards is getting the necessary software tested and installed on merchants' POS terminals (see The Biggest Challenge to EMV Migration).

The Forecasts

Forecasters' estimates for how much EMV migration progress will be made this year vary widely. Here's a sampling:

  • The EMV Migration Forum estimates that at the end of 2014, about 120 million of the 1.2 billion credit and debit cards in circulation in the U.S. were EMV-chip compliant. But the forum estimates that only 4.5 million of the approximately 12 million POS devices at U.S. merchant locations were apparently EMV-ready by year's end. The forum predicts that by the end of this year, the U.S. will have 600 million chip cards in circulation and 7 million EMV-compliant POS terminals in operation.
  • The Merchant Advisory Group says only 15 percent of the 13.9 million POS devices at U.S. merchant locations are now EMV capable, and it predicts that figure will grow to just 20 percent by the end of this year, says CEO Mark Horwedel
  • Aite estimates that by the end of this year, 70 percent of the country's credit cards and 41 percent of its debit cards will be EMV-enabled, while about 59 percent of POS terminals will be chip-enabled.
  • John Buzzard, who heads up FICO's Card Alert Service, predicts only 30 percent of U.S. cards will be chip-enabled by year's end.
  • Tom Wills, director of Ontrack Advisory, a consulting firm focused on payments innovation, estimates that between 40 percent and 50 percent of the cards in the U.S. will be EMV ready by October. He estimates that between 25 percent and 30 percent of U.S. merchants will have completed their EMV upgrades by the end of the year.

About the Author

Tracy Kitten

Tracy Kitten

Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.asia, you agree to our use of cookies.