We have all experienced some form of the EMV wave – a new credit card arriving in the mail, an ATM or merchant’s machine requiring the insertion or “dipping” of the credit card into the device (as compared to swiping the card), or – as a merchant – experiencing the fear of now being responsible for fraudulent charges and the need to upgrade to an EMV-compliant platform. This article will provide background on EMV, an update on the state of EMV in general, and information on some familiar software.
Unlike Y2K, the October 1, 2015 (EMV compliance) deadline was not a do-or-die date – it was the starting line. Regardless, the adoption of EMV has been slower than anticipated. Only 37% of merchants in the U.S. are able to accept chip cards, accordingly to a February 2016 survey by the global payments consulting firm, The Strawhecker Group. And that figure seems high, based solely on my personal experience.
You might already know the background of EMV but I think it prudent to review. Even while writing this I discovered new interesting tidbits.
What Is EMV?
EMV is an abbreviation for Europay, Mastercard and Visa, the three organizations that developed the initial specifications. It is an open-standard set of specifications for smart card payments and acceptance devices. EMV chip cards contain embedded microprocessors that provide strong transaction security features and other application capabilities not possible with traditional magnetic stripe cards. Today, EMVCo manages, maintains, and enhances the specifications. EMVCo is owned by American Express, Discover, JCB, MasterCard, UnionPay, and Visa, and includes other organizations from the payments industry participating as technical and business associates.
Why Is it More Secure Than Swiping a Card?
When you swipe a card with the thin black magnetic stripe, cardholder information and confirmation codes relevant to the purchase are transmitted. This information is static for each card and is sent in clear view, allowing the collection of this information for use on a counterfeit card or for entry online manually.
An EMV card has a computer chip right on the card itself. Instead of swiping the information, the card is “dipped” into the credit card device and this credit card terminal/reader audits the card’s information with a cryptogram utilizing a one-time, unique signature. This signature is authorized throughout the request by all the various entities and, once authorized by all, the request is granted, and the card can be removed from the terminal. This digitally signed signature (some call it a token) is only valid for this one transaction and will not be accepted ever again.
What Are the Benefits of EMV?
EMV chips have been reported to substantially reduce counterfeit credit-card fraud. According to UK Cards Association, “Fraud on lost and stolen cards is now at its lowest level for two decades and counterfeit card fraud losses have also fallen and are at their lowest level since 1999. Losses at U.K. retailers have fallen by 67 percent since 2004; lost and stolen card fraud fell by 58 percent between 2004 and 2009; and mail non-receipt fraud has fallen by 91 percent since 2004.” And there are similar stories from other parts of the world as well.
What is really eye opening is that, according to the EMV Migration Forum, 47% of all card fraud occurs in the United States, yet the U.S. makes only 25% of all credit card sales. And U.S. card fraud losses soared over $5 billion, up 14.5% in just one year from 2013-2014, for all U.S. credit card issuing institutions. Wow. On the surface, it’s no wonder that the credit card companies want to adopt a more secure system. Some experts say the introduction of EMV in the overseas markets caused counterfeiting operations to move to the U.S. due to the less secure magnetic stripe processing.
Aite Group estimates that EMV will significantly reduce U.S. counterfeit card fraud from an estimated peak of $3.61 billion in 2015 to $1.77 billion in 2018.
What Is the Merchant’s Fraud Liability?
Merchants were not liable for in-store credit card fraud prior to 10/1/2015. Subsequently, if a chipped credit or debit card is swiped and is fraudulent, the merchant is now liable. That can be quite scary to a merchant, as many POS systems are not yet fully EMV-compliant. If the merchant has a chip terminal but the card doesn’t have a chip, the card issuer (and not the merchant) continues to be responsible for any fraud.
Many merchant service companies do not offer EMV-compliant processing and have elected to cover fraudulent charges as a result of the swiping of chipped cards. I applaud owning responsibility while going through the transition (though I am curious about how much that is actually costing them).
An important caveat to keep in mind is that this addresses in-store purchases only – not online purchases. Many gas station pumps and ATMs have already made the shift, but their target date for full adoption is October 2017.
Rate of Adoption
There are a number of moving parts and stakeholders in the adoption process – card manufacturers, card issuers, cardholders, merchants, ISVs and VARs, acquirers, payment processors, etc. The United States is the last major market where people primarily use magnetic stripe cards. Adoption in the U.S. is slow but steady.
Here are some interesting stats from a nationally representative survey by CardHub of 55 major retailers and 1,000 individuals between February 26, 2016 and February 27, 2016.
- 42% have not updated terminals in any of their stores.
- 43% of retailers who have experienced data breaches in the past 5 years have not updated their terminals.
- 56% of consumers don’t care if a retailer’s payment terminal is chip-enabled.
- 41% of people say they don’t have or don’t know if they have a smart-chip credit card.
- 62% of people don’t understand the difference between major card security standards.
- 41% of people falsely believe debit cards protect them from fraud better than credit cards
The survey also lists the upgrade status of about 50 different retailers, with some interesting results. Here’s a snippet as of end of February 2016:
- Walmart was the first major chain to upgrade 100% of its terminals. This was in November 2014. Others that have upgraded 100% include Target, The Home Depot, Walgreens, CVS, Best Buy, Rite Aid, Kohl’s, Nordstrom, and Trader Joe’s.
- Others that are a bit behind include Costco (13%), Safeway (17%), McDonald’s (13%), Kmart (0%), Albertson’s (0%), Taco Bell (20%), Starbucks (7%), Burger King (0%), and Victoria’s Secret (7%).
And some other interesting factoids:
- Visa says that more than 212 million Visa cards were issued with EMV chips by 12/31/2015, and more than 766,000 merchant locations accept Visa EMV cards. There are more chip cards in the U.S. than in any other country
- According to MasterCard, 59% of its U.S.-issued consumer credit cards had EMV chips as of 12/31/2015, and more than 800,000 merchant locations can accept EMV MasterCard products.
- Seven out of 10 consumers in the U.S. have at least one EMV chip card in their possession, according to Visa research, and about 93% of consumers are aware of the EMV migration, whether or not they have a chip card.
- It’s not just the U.S. that is adopting at a fast pace. According to EMVCo, one-third of payments worldwide were made with an EMV card as of mid-2015. In Western Europe, it was 97% of all card payments; in Latin America, 87%; and in Africa and the Middle East, 84% – based on data published in December 2015.
- As the EMV shift continues, fraudsters are paying more attention to gift cards. Many scammers are using counterfeit credit or debit cards to buy gift cards at non-EMV merchants, causing some of those merchants to restrict the way they sell gift cards, according to gift card giant Blackhawk Network.
- It has long been expected that the shift to EMV at the point of sale would drive more fraud online – and that the fraud migration would begin even before EMV took hold. According to research from Forter Analysis group, overall fraud attempts increased 163% in the first three-quarters of 2015, with digital goods seeing a spike of 254% in attempted fraud.