The Target Corp. data breach just before the holiday shopping season triggered another round of rhetoric on the merits and shortcomings of chip-based cards. But the breach's direct effect on merchant EMV plans is largely up in the air.
In fact, after experiencing the EMV migration in Canada the past four years, Stephen Braceland, CEO of STJ Retail in Ontario, says the Target breach should ignite an even faster pace to EMV migration in the U.S., suggesting card brands consider moving up the EMV timeline rather than pushing it back.
"I appreciate that retailers need the time to do this, but they've had a lot of time already, and many of them will wait until the last minute," he says.
Some merchants may feel their progress in migrating to chip-based payment cards in the U.S. is no farther along than when Visa first announced its EMV smartcard plan to establish timelines for fraud liability shifts in August 2011. Still, it appears many merchants are resigned to the fact that they have to meet the EMV timelines or pony up for any potential fraud.
Even though EMV migration is wrought with regulatory potholes and now, the backwash of the Target data breach, the card brands' liability shift timeline of October 2015 remains in place and looms ever larger. In less than two years, merchants or acquirers not equipped to handle EMV smartcards will be liable for any fraudulent transactions that occur.
If Target had EMV in place "in its purest state," fraudsters wouldn't even bother targeting the data because it would be useless to them, except for in the card-not-present environment, says Braceland, whose company provides consulting and payments technology for retailers.
"It costs too much to duplicate the cards and you can't just replicate the EMV chip and its communication capabilities," he adds.
There have been hints that Visa might consider extending the EMV liability shift beyond October 2015, but has not yet announced anything official.
Even those who have been outspoken against EMV technology in the past acknowledge that most merchants will make the move to smartcards, with the Target breach heightening concern.
In the case of the petroleum industry, such a transition will come in two phases because of the separate October 2017 for EMV conversion at gas pumps, says Bill Deichler, manager of payment methods, for Arkansas-based Murphy USA.
"I think a lot of the major petroleum chains will definitely embrace EMV inside the stores at the register and will hit the October 2015 deadline," Deichler says.
But the majority will hold out on converting at the pumps for the Oct. 2017 deadline because of exorbitant costs and "the massive operation to get all pumps transitioned to EMV," Deichler adds.
"There is just no way if you started right now that you could get the whole U.S. petroleum industry done by 2017, both from a hardware perspective and a service-tech perspective," Deichler says.
Whether timelines are shifted or not, some remain steadfast that the entire EMV process should be thoroughly reviewed, even more so in light of the Target incident.
The card brands should withdraw the EMV implementation dates until a compliance standard is established and the payments ecosystem determines if the current chip technology is the most cost-effective and efficient solution, says Dean Sheaffer, SVP Financial Services' chief compliance officer for Boscov's Department Store, LLC.
The compliance standard for debit transactions remains in a state of flux, a result of federal Judge Richard Leon's ruling that the Federal Reserve Board has to revisit its debit fee caps and routing network options related to the Durbin amendment of the Dodd-Frank Act.
"The Target data breach reinforces the merchants' position that mag-stripe is an inherently risky 60-plus-year-old technology that the issuers cannot be allowed to perpetuate," Sheaffer says.
"EMV should be developed under a transparent, open process, such as those of ANSI and ISO, with balanced representation and input from all stakeholders," Sheaffer adds.
Of all the EMV-related topics that merchants must take into account, most continue to agree that a cardholder PIN must accompany acceptance of EMV smartcards.
If signature were a viable cardholder verification method, the mag stripe data stolen from Target would be useless, says Mark Horwedel, CEO of the Merchant Advisory Group.
"Similarly, a chip card using signature as the CVM is only half of a solution," Horwedel says. "Chip alone solves nothing. The current Implementation plan for EMV not only ignores the need for PIN, but continues support for the mag-stripe on the card as a backup mechanism."
Signature is "simply not a CVM and continues to exist for the sole purpose of shifting liability to merchants," Sheaffer says. All transactions should require a PIN or no CVM, depending on the amount and risk of a given transaction, Sheaffer adds.
In Canada, regulators plan to prohibit use of the mag-stripe on EMV cards as a fall-back technology by 2015 for local debit spending, Braceland says. "The only reason it will stay on the card is to allow cross-border shopping in the U.S."
During an EMV migration, merchants and acquirers may start the process with chip-and-signature, but "always eventually go to chip-and-PIN," Braceland adds. "I agree with merchants wholeheartedly that chip-and-PIN is the only way, and that signature is absolutely useless."
The EMV Migration Forum, established to represent all facets of payments and focus on implementing smart card initiatives to meet the October 2015 timeline, reported last month that it continued to make progress last year despite some roadblocks.
Because of the holidays, the forum and its working committees have not had a chance to communicate with merchants regarding the effect of the Target breach on any EMV initiatives, says Randy Vanderhoof, director of the EMV Migration Forum.