Card Not Present Fraud , Fraud Management & Cybercrime , Incident & Breach Response

EMV: U.S. Won't Make October Deadline

Experts Assess the Hurdles to Overcome

U.S. card issuers and merchants likely won't complete a shift to EMV for many years to come, despite the card brands' October 2015 liability shift date for counterfeit card fraud, many forecasters say.

See Also: Top 5 Log Sources You Should Be Ingesting but Probably Aren't

In fact, some security experts question whether the U.S. will ever complete its adoption of chip cards and POS terminals that conform to the Europay, MasterCard, Visa standard, better known as EMV (see Infographic: U.S. Migration to EMV).

The card brands' October liability shift date is an incentive, not a mandate. So, missing the liability shift date won't result in fines or an inability to conduct transactions. It simply means that as of October, a card issuer or merchant that does not support EMV assumes liability for fraud that results from compromised magnetic-stripe card transactions.

Weak Incentive?

Missing the October 2015 liability shift date is a bigger concern for larger merchants than it is for card issuers and smaller retailers. That's because they have the most to gain by ensuring the high volume of card transactions they conduct are not susceptible to fraud.

For banking institutions, which already assume liability for losses associated with card-present counterfeit card fraud, the only incentive to move to EMV is to shift that liability onto the retailer. But issuers with smaller card portfolios, or those with cardholders who mainly shop at merchants that already have made the shift to EMV for their point-of-sale terminals, have little incentive to rush to the EMV finish line.

"Community banks are evaluating what the liability shift means for them, and they are balancing that against the cost of issuing chip cards, as well as evaluating the cost of services related to issuing those cards," says Cary Whaley, vice president of payments and technology policy for the Independent Community Bankers Association.

But Doug Johnson, senior vice president of risk management policy for the American Bankers Association, argues: "There is a real interest [on the part of bankers] to get the migration done because they want to dramatically cut the losses they suffer because of counterfeit card fraud."

Meanwhile, smaller merchants with relatively low card transaction volumes may find that the expenses associated with EMV upgrades are greater than simply accepting liability for the low levels of fraud they might experience from mag-stripe transactions, Whaley contends.

On the other hand, Avivah Litan, an analyst for the consultancy Gartner, argues that smaller merchants have a strong incentive to get their POS systems EMV compliant before the October liability shift date because they don't want the liability for any counterfeit card fraud to fall onto their shoulders. That's why they're diligently working to upgrade and replace systems, she contends.

No Magic

For banking institutions, there's nothing "magical" about the October 2015 liability shift date, says Johnson of the American Banker's Association.

The migration to EMV will be gradual, Johnson says, and it won't have a significant impact on the overall payments environment.

"Frankly, what I look forward to is getting past EMV and looking toward our move with tokenization," he adds. "That is where the bigger bang for the security buck is going to be. ... EMV only addresses part of the puzzle."

Whaley sizes it up this way: "Stepping back, I think they're [community banks] really looking at what is the holistic approach to card security. And while I think EMV is one important component of that approach, it is not the only component. End-to-end encryption plays into that and so does tokenization."

Looking Ahead

The Merchant Advisory Group, which represents 85 of the country's leading merchants, the EMV Migration Forum, and others project that card issuers will make more progress by year's end on EMV-card issuance than U.S. retailers will make on POS upgrades and replacements to accommodate EMV.

And Randy Vanderhoof, executive director of the EMV Migration Forum, says that until the mag-stripe is completely removed from the ecosystem, counterfeit card fraud will continue to grow.

"The number of cards and terminals is important, but the more important metric to pay attention to is the percentage of chip-on-chip transactions, meaning the volume of EMV chip cards used at chip-enabled POS terminals," he says.

And while Vanderhoof predicts it will take some time for all of the country's smaller merchants and issuers to conform to EMV, larger merchants' and issuers' efforts this year to ramp up EMV compliance will even things out.

"Because large merchants and issuers will be chip-enabled this year, there will likely be a big increase in chip-on-chip transactions in 2015," he says. "This is despite the long lag time it will take for all of the smaller merchants and issuers to catch up, because they represent a smaller percentage of overall transactions."

The ABA's Johnson predicts 50 percent of the nation's debit and credit cards will be chip-enabled by year's end. Gartner's Litan, however, says that assessment is far too optimistic. "I don't buy into projections that 50 percent of U.S. cards will be chip by the end of the year," she says. "That's way too aggressive. Maybe 50 percent of the merchant terminals will be chip-enabled, but they won't be turned on."

Most large bank issuers are already ahead of retailers in their EMV migration, contends Shirley Inscoe, a fraud analyst at the consultancy Aite. "But we will see many smaller issuers and many, many retailers fail to be EMV compliant by the end of this year," she says.

And Vanderhoof argues that the biggest challenge the U.S. must overcome in its migration toward chip cards is getting the necessary software tested and installed on merchants' POS terminals (see The Biggest Challenge to EMV Migration).

The Forecasts

Forecasters' estimates for how much EMV migration progress will be made this year vary widely. Here's a sampling: