October 1 marked the dawn of a new era in the U.S. payment card marketplace. While there are not yet rules from the card brands that demand all parties utilize EMV technology, the financial liability shift is a significant first step across a line in the sand that cannot be erased.
Not only are EMV cards more resistant to compromise and counterfeit, but the chip technology also makes it possible to embed on a single card multiple payment applications—debit and credit, for instance— and nonpayment applications such as loyalty points and membership accounts. Issuers also can remotely manage cards: If a card is reported stolen, the issuer can remotely block the account; if the card is subsequently found, the issuer can unblock the card.
The EMV standard involves the use of embedded microprocessor chips on each card that protects customer data by creating and encrypting a unique code for each transaction. As a result, they are much less vulnerable to compromise and counterfeiting compared with magnetic-stripe cards.
A string of massive and high profile data breaches of merchant systems in recent years galvanized support among card brands and issuers to move away from magnetic stripe-based cards and strengthen the security of the payments infrastructure by implementing a more advanced standard for cards.
In addition, the re-terminalization which has occurred alongside of the preparations for EMV have dramatically increased the number of contactless capable terminals which paves the way to support a wide variety of EMV compatible mobile transactions. While not every merchant has deployed contactless capable terminals – and many have deployed their capable terminals without actually enabling the contactless capability – many have used this opportunity to upgrade their infrastructure to be ready to support future innovation.
While much of the world converted from magnetic stripe-based cards to "chip cards" years ago, the U.S. was a lone holdout … until now. For the first time, merchants that accept EMV compliant cards via non-EMV capable point of sale (POS) terminals will be liable for losses regardless of whether they were actually liable for the loss under the pre-EMV rules.
For merchants, the magnitude of the financial liability depends on several key factors such as the number of EMV cards issued in the market, the percentage of chip versus magnetic stripe cards that are used at their POS locations and, of course, the actual amount of counterfeit magnetic stripe card fraud (and the resulting chargebacks) that is perpetrated at their POS locations.
Over the past 6 months, consumers have gotten used to receiving new cards from their issuers with the now very recognizable microprocessor chip on the front of the card. These EMV compliant cards have both the chip on the front of the card as well as the traditional magnetic stripe on the back of the card, which serves as a “fall back” means of initiating a card transaction authorization if the EMV process fails for some reason.
In its report “EMV:Lessons Learned and the U.S. Outlook,” Aite Group estimates that 70% of credit and 41% of debit cards in the U.S. will be EMV compliant by year end 2015 and it predicts that 59% of retail locations will be chip-enabled at year end based on merchant surveys.
EMV ready merchant locations have trained their cashiers and sales associates to prompt chip cardholders to insert – or “dip” – their cards into POS reader devices instead of swiping their card as in the past. New consumer-merchant behavior is being practiced and learned in tens of thousands of locations across the country as more and more people learn, for instance, that they must keep the card inserted in the reader device until the authorization process is completed.
Beyond just training their customer-facing staff, becoming EMV compliant can be a complex, lengthy and expensive process for merchants and, while many have made the necessary investments, many others have not for various reasons. Unlike past payment acceptance upgrades, EMV certification requires modifications to and/or replacement of systems, technology, processes on a transformative scale. Because of the enormity of the undertaking, some merchants have chosen to add other strategic initiatives to their EMV migration such as the installation of mobile payment capabilities and the implementation of point-to-point encryption and tokenization solutions.
Although the current card network brand requirements do not mandate that merchants be EMV compliant, they clearly stipulate additional risks beyond the liability shift to consider. One of the biggest risks for merchants that are not EMV compliant is that they could be singled out and targeted by criminals who are passing cards with counterfeit magnetic stripes that have been encoded with sensitive payment card data stolen in various breaches. This risk illustrates the primary reason the why the U.S. market finally embraced EMV.
Drew Luca is a partner and co-lead of the payments practice at PricewaterhouseCoopers.