Most issuing banks are not allowing recent retailer data breaches to change their schedules for adopting EMV-chip cards, even though Target and other companies have said they would fast-track their own plans.
In the wake of its 2013 holiday-season card data breach, Target executives have promised to have EMV technology in place and chip-based cards issued to customers about six months prior to the October 2015 liability shift for EMV migration in the U.S. That puts Target so far ahead of the pack that other companies may not catch up, says Render Dahiya, CEO of Chicago-based card provider Arroweye Solutions.
"It's totally understandable why these issuers are not looking at accelerating EMV yet because they don't know what the impact will be, and they are of the stance that there is no return on investment on it," says Dahiya, who has met with some of the top banks in the country the past couple of weeks. "Even though the Target breach has scared people, there is a significant value out there when you look at the costs."
Banks continue to be wary about issues surrounding EMV debit cards in the U.S., particularly about what may come out of federal Judge Richard Leon's ruling last year that the Federal Reserve Board has to re-examine its debit fee caps and routing mandates, Dahiya says.
While Target has the resources needed to engineer a switch to EMV early next year and the company is intensely focused on delivering on its promise for an earlier migration, the same sense of urgency does not exist for others. "One remains skeptical that EMV will ever take place," Dahiya says.
Dahiya says that before he met with issuers, mainstream media coverage of the retailer breaches gave the impression that all issuers might consider moving EMV forward. "But they are sticking with their wait-and-see approach, especially on the debit side," Dahiya says. "One said that credit cards are a clearer path and that would be the first to move and learn some lessons, then move to debit later in 2015."
EMV smartcards would not have prevented the malware-triggered breach at Target, but would have rendered the stolen data less valuable because of the difficulty in counterfeiting chip-based cards.
But the breaches create a timing dilemma for banks that have to reissue large numbers of mag-stripe cards, which would soon be rendered obsolete by the EMV cards issuers are planning to deploy.
"To reissue now and then reissue again for EMV in a year is a big question the issuers are asking," says Bob Legters, senior vice president of product at Jacksonville, Fla.-based payments technology and financial services provider Fidelity National Information Services (FIS). "They know that if they have to jump to EMV now, to what is going to be the end game, they will have to take some losses in the short term."
Issuers who work with FIS had originally planned to wait until late 2015 to issue EMV cards as customers' magnetic-striped cards expire, Legters says. But he acknowledges the Target breach provided some motivation to examine other strategies.
"One advantage Target gives to the issuers is they get an opportunity to advertise the advantage of a chip card," Legters says. "Without some level of a breach in the marketplace, and the heightened awareness, it would be more difficult to put out a product for security as a value-add."
Many banks may initially dip their toes into chip-card technology by following the lead of those issuers already providing EMV cards to wealthy, international or traveling clients, Legters says.
But the issuers' return on investment will continue to be a key parameter in timing their switch to EMV cards, says Sharon Pazlar, director of card solutions at Brookline, Wis.-based payment technology provider and processor Fiserv.
In addition, banks have to monitor the readiness of other players in the industry before forging ahead with EMV card issuing.
"I can assure you that pretty much 100% of the processors, including regional networks, are ready to process EMV transactions," Pazlar says. "But the banks must identify which cardholder segments they want to issue to, and then the merchants' availability."
Even if other banks and retailers don't accelerate their EMV plans, the card networks say the recent breaches have brought on a new awareness of security concerns and a new spirit of collaboration to resolve other issues holding up EMV progress in the U.S. Visa, for example, worked with First Data to offer a free, long-term license for Visa's debit routing technology.