SMB Preparedness for the Transition
to Chip-Based Credit Cards
IndustryView | 2014
EMV refers to a global standard for payment cards equipped with computer chips that are used to authenticate card transactions. (“EMV” stands for Europay, MasterCard and Visa, the founding card brands that developed the technology.)
In October 2015, the U.S. will transition to this new standard, which is intended to help reduce fraud. This report will investigate how well prepared small and midsize businesses (SMBs) are for the change, and offer recommendations for how these businesses can use EMV technology to best protect against fraud.
EMV payment cards have been the standard in Europe, Canada and many other parts of the world for several years. The chips within these cards, combined with either a PIN number or a signature, offer enhanced security during transactions.
The U.S., however, has lagged behind in terms of adoption, and is currently the last major industrialized nation relying on antiquated magnetic stripe technology, which is easy to copy. So it is little surprise that 50 percent of global fraud occurs in the U.S.—even though Americans only hold 25 percent of the world’s cards.
Things are changing, however: On Oct. 1, 2015, liability for fraud will shift from card issuers to merchants—unless their terminals are upgraded to accept EMV cards. Eager to encourage the process, President Barack Obama signed an executive order this year accelerating the transition for government organizations.
But while big retailers such as Target or Wal-Mart may have the funds and infrastructure to prepare for the upcoming change, what about SMBs? With less than 12 months to go, the clock is ticking. To gauge the state of preparations for the shift, Software Advice surveyed consumers, business owners and decision-makers in the U.S. Here’s what we found.
First, we surveyed consumers to gain some visibility into how many people are currently carrying EMV cards in their wallets. After all, aside from the occasional article in the financial or business pages, there has been very little public discussion about the coming switch, and virtually no visible effort to educate consumers about the new technology.
As an example, even though this very thorough EMV information site suggests that 100 million chip cards should already be in circulation, the site’s present author does not possess one, nor does he know anyone else who does. With less than one year to go before the switch, banks and lenders are still issuing traditional, easily cloned magnetic stripe cards—the beloved targets of fraudsters everywhere.
The results appear to confirm that the migration to EMV cards is still in the very early stages: 82 percent of respondents said they did not possess a chip card. It appears that card issuers have a long way to go in the year leading up to the switch—consumers can anticipate a flurry of envelopes containing EMV replacement cards arriving much closer to the deadline.
There is a simple explanation for the absence of chip cards from the nation’s wallets: cost. Simon Gamble, president of network management company Mako Networks North America, describes why issuers may be taking their time.
“You can imagine the cost to the banks of issuing new cards [with chips in them] to their customers. That’s not an inexpensive undertaking,” Gamble says. “A chip card costs a lot more than a magnetic stripe card, so that’s millions and millions of dollars the banks are having to spend.”
Our initial findings also indicated that merchants have yet to upgrade their point-of-sale (POS) terminals. An EMV card reader requires the consumer to insert his or her card into the reader instead of swiping it (in most countries, consumers also have to enter a four-digit PIN; in the U.S., consumers will only need to sign).
Of the combined 19 percent of our consumer respondents who had chip cards, only 12 percent had ever made a purchase using an EMV terminal. The remaining 7 percent possessed a card, but had yet to use it.
In the absence of EMV point-of-sale terminals, chip cards function exactly like magnetic stripe cards, and offer no extra security—the chip becomes little more than a decoration.
Having surveyed consumers to get a general feel for the EMV landscape, we next polled SMB owners and operators to gauge how confident they were about their readiness for next year’s change.
A combined majority—55 percent—were either “not at all confident” that they could meet the deadline (30 percent), or did not even know that it existed (25 percent). Add to this a further 14 percent who described themselves as “minimally confident,” and you have a combined total of 69 percent of respondents essentially expecting that their businesses will fail to upgrade to EMV terminals in 2015.
On the positive side, 11 percent had already switched to the new technology, while 6 percent were “extremely confident” that they would meet the deadline. A remaining 13 percent were either “moderately” or “very confident” that they would be able to upgrade in time.
The overall takeaway is that anyone in banking or retail hoping for a smooth transition is likely to be disappointed. Most SMBs will not be ready in time, meaning they will be at far greater risk of suffering serious losses as a result of card fraud than they are presently.
With the knowledge that EMV terminals are decidedly scarce on the ground—and are likely to still be sparse among SMBs next October—we next wanted to explore why SMBs are reluctant to adopt the technology.
First, 30 percent of respondents said they had not invested in new terminals simply because they did not think it was necessary to do so. Technically speaking, this is accurate: there is no law obliging merchants to switch to the new terminals.
On the other hand, the liability switch is very real, so this response suggests one of two things: One, that there is a great deal of confusion among SMBs—which would not be surprising, given the low level of coverage the coming shift has received. Or, two, that SMBs are assuming their business is unlikely to fall victim to credit card fraud, and that the cost of replacing existing terminals is thus not justified.
More worryingly, just over one-quarter (26 percent) of respondents admitted that they did not even know what an EMV terminal was—further evidence that more must be done to make SMBs aware of the new technology, the coming deadline and how it applies to them.
As for those who acknowledged the necessity of switching to EMV terminals (but did not already have them), 17 percent replied that they were “too expensive,” while 16 percent said they did not have time to conduct the necessary research or implementation.
Since many SMBs lack dedicated technical staff, the job of investigating new terminals may fall on the shoulders of an operator or manager who is already juggling multiple responsibilities, so it is easy to understand the “not enough time” response. Concerns about cost are also reasonable; the cost of a new EMV terminal varies, but replacing an existing system is no simple matter.
According to Gamble, “More than 50 percent of merchants in the U.S. have what’s called ‘integrated POS,’ which means that the payment entry devices, [in this case] the EMV device, is generally plugged into a computer that’s managing the stock control and all that.”
In this scenario, upgrading to EMV can be “ridiculously expensive” because merchants “have to replace not just their PIN pads, but their whole point-of-sale system,” he adds.
For many businesses, then, the choice of whether to switch to an EMV terminal may very well come down to simple risk analysis: Is the cost outweighed by the risk? It’s likely that, until SMBs begin to experience serious instances of fraud that they are financially liable for, many will opt to stick with magnetic stripe technology.
Finally, since the only “stick” driving adoption is the threat of increased liability for fraud, we decided to gauge how well respondents understood its significance.
Only 23 percent of respondents were “extremely confident” they understood the coming liability shift. This maps closely to the total percentage of respondents in our first question (21 percent) who either already had EMV terminals in place, or who were “extremely” or “very confident” that they would meet next October’s deadline.
Strong awareness of the heightened risk facing SMBs next October does seem to correlate to EMV adoption and/or confidence in preparedness. This suggests that more, and better, public awareness campaigns—whether on behalf of the government, SMBs or the card-issuing companies—are necessary, as they could improve merchant security.
After all, as Dave Tushie, EMV expert at Magellan Consulting, explains, the shift itself is not that difficult to grasp.
Come next October, he says, “chip-on-chip” transactions, where there is a chip in the card and a chip in the POS terminal, “...will maintain the current status quo for fraudulent transactions,” where the card issuer is liable. “However, if the card has an EMV chip and the POS terminal is unable to transact an EMV transaction, liability will shift for any counterfeit card fraud loss to the merchant.”
On the other hand, Tushie adds, “If the POS terminal is able to conduct an EMV transaction, but the card is only able to conduct a magnetic stripe transaction, the issuer will be responsible for any counterfeit fraud loss.”
With just under a year to go, 22 percent of SMB respondents admit they know nothing about the liability shift, and 15 percent and 9 percent are “minimally” or “not at all confident,” respectively. However, there is still time for SMBs to learn how it could affect them, and adjust their plans accordingly.
There is another aspect that SMBs must consider regarding the transition to the era of EMV: Although chip-and-signature is more secure than magnetic stripe technology, it is by no means a “magic bullet” for defeating fraud. Merchants must be aware of the limitations of EMV as they begin to adopt it.
For instance, EMV terminals only protect against “card present” fraud when the card is used in a physical location; if a merchant also accepts online payments, the chips offer no protection in these transactions. Evidence suggests that, in countries using EMV terminals, credit card fraud shifts into the virtual space—in the U.K., for instance, “card not present” fraud tripled following EMV adoption.
Bryan Jardine, product manager at fraud prevention firm Easy Solutions, explains that in other countries, the “shift to EMV simply pushed counterfeit card claims into the ‘card not present’ field. You might reduce counterfeit card [or ‘card present’] losses, but you’re really not affecting overall losses from a percentage perspective.”
Criminals are interested in low-hanging fruit, he continues, and online fraud is “very simple” to do. If I send you an email, you click on a link and download some malware. Then, if you do any type of shopping online—eBay, Amazon, any of those types of ecommerce sites—you’re giving me card credentials.”
If criminals can simply shift their attention to online fraud, they almost certainly will—so merchants who work in online as well as physical retail should make sure their networks are secure.
Here, Gamble says, SMBs should look to the Payment Card Industry Data Security Standard (PCI DSS) to complement EMV.
“EMV and PCI do go together,” he explains. “They are the two cornerstones of what card schemes and banks are trying to do to curb credit card fraud internationally. EMV is primarily about securing the transaction; PCI is about securing the network environments that the payment terminals reside in. You need to take care of both of those to really lock things down.”
Another potential hiccup is that even fully functioning EMV terminals can disrupt business, so SMBs should be alert to the law of unintended consequences. As Gamble notes, many small businesses still rely on a dial-up connection for magnetic stripe credit card processing.
But when businesses in Australia, for example, switched to EMV technology, many were “forced to go to broadband, because the EMV transaction has so much more encryption that the time it takes for an EMV transaction to happen is significantly longer on dial-up,” Gamble says. “Instead of a transaction taking two or three seconds, now a transaction takes 20 or 40 seconds to go through.”
To prevent customer frustration, Gamble recommends that SMBs sign up for broadband service ahead of the EMV switch.
EMV technology is coming to the U.S., but it will not be a smooth transition. While large firms may be aware of the liability shift and what it requires, our data suggests that only a small percentage of SMBs are prepared. We may anticipate a lot of broken eggs along the path to full adoption, and can expect that, even now, criminals are working on ways to defeat this enhanced security.
However, there is still plenty of time for SMBs to take matters into their own hands and prepare for the switch. Indeed, this could represent a golden opportunity for merchants to seize the moment and make their businesses more secure from fraud. EMV terminals are currently available to purchase, and when this technology is combined with protection techniques stipulated by PCI—such as network segmentation, rigorously enforced password policies and other tools such as encryption—they can make a business much more secure.
To find the data in this report, we conducted a one-day, single-question survey, and gathered 385 responses from random consumers within the U.S. We also conducted a three-day survey of three questions, and collected 160 responses from SMB owners and executives. We worded the questions to ensure that each respondent fully understood their meaning and the topic at hand.
Sources attributed and products referenced in this article may or may not represent partner vendors of Software Advice, but vendor status is never used as a basis for selection. Interview sources are chosen for their expertise on the subject matter, and software choices are selected based on popularity and relevance.
Expert commentary solely represents the views of the individual. Chart values are rounded to the nearest whole number.
If you’d like to further discuss this report or obtain access to any of the charts above, please contact firstname.lastname@example.org.