How the Payments Industry Failed a Major Arizona Grocery Chain
Bashas' Inc., Arizona's largest independent grocery chain, was certain it was prepared for the October 2015 EMV liability shift. After all, it had begun purchasing terminals for all of its 1,400 checkout lanes a year in advance.
But when the card networks' fraud liability shift arrived, those terminals were collecting dust — and Bashas' had to absorb the losses through no fault of its own, said Jim Buhr, CFO of Bashas', at the Western States Acquirers Association's annual meeting in Scottsdale, Ariz., this month.
"We were one of the few retailers in the (supermarket) field that was completely chip-enabled with our hardware," Buhr said. "But because of all the industry slowdowns, software vendors and payments gateway providers weren't ready when the liability shift went into effect. We spent millions on terminals that sat on a shelf for two years and we got penalized by absorbing the chargebacks on counterfeit card fraud in the following months."
What made this sting even worse was that Bashas' had already suffered a serious data breach in 2013 as a result of a malware attack, and its EMV implementation was meant to provide a much-needed boost to its defenses. EMV-chip cards are designed to deter the counterfeiting methods that are prevalent with older magstripe technology.
"We experienced a data breach that was extremely painful, but what's worse is that authorities told us there was no way we could have foreseen that breach, and nothing we could do to prevent it," Buhr said during a panel discussion.
Bashas', which has 130 locations, ultimately had to wait almost 10 months after the liability shift went into effect to begin accepting chip cards, because industrywide bottlenecks left vendors unable to provide the necessary supporting software and services any earlier. One contributing factor in the slowdown was that the payment card industry didn't resolve EMV specifications for debit network routing rules until April 2015.
Bashas' finally began accepting chip cards in all of its stores in July 2016, but chargebacks continue to pour in, Buhr said.
Other EMV-compliant retailers attribute the ongoing chargebacks to delayed notification of transactions that predate their EMV migration. It can take up to five months for issuers and processors to provide merchants with details about counterfeit card transactions, because of the time involved in reporting and verifying each case.
Ultimately, the experience has not deterred Bashas' from encouraging the use of payment cards. The company attributes 70% of its transactions at its Bashas', AJ's Fine Foods and Food City stores to credit, debit and EBT cards.
The tough lessons Bashas' has learned over the last few years have forced the company to take a more active role in supervising its own card security and having a bigger voice in driving payments policies, Buhr said.
"You don't find out what you need to know until you have a breach," Buhr said, describing the crash course he undertook to put the brakes on losses during the 2013 malware attack. "Afterward, we learned a lot about the technical side of things, and we got to know everyone at our processors and the card brands. Now we have all their contact numbers, we know them very well, and we know the FBI very well.
"We also looked more closely at the PCI security standards, and we didn't like some of it, so we went to speak to them, and now we're getting directly involved with the PCI Council," Buhr said.
Payment card interchange also casts a growing shadow over Bashas' card-acceptance program, Buhr added. "Rewards credit cards cost us a lot of money, and now we're seeing a whole new wave of expenses from the new Costco Visa card, which has a very big rewards program," Buhr said.
And with the EMV shift behind it, Bashas' can focus its attention on the effects of newer payment options such as mobile wallets. "When Apple Pay became available, we were accepting it 30 days later," Buhr said, adding that customers appreciated the convenience and "it seems like it's more difficult to hack."