This week a management consulting company called The Strawhecker Group (TSG) released the results of a study that found that only 37 percent of US retailers were ready to process chip-embedded credit and debit cards. The slow adoption of chip-embedded cards leaves merchants open to accepting liability for fraud perpetrated with traditional, less-secure magnetic stripe cards.

The US officially migrated over to the so-called EMV standard (eponymous for Europay, Mastercard, and Visa, the companies that developed the standard) in October 2015, and at that late date, it was one of the last countries to make the shift. The upgrade in technology has forced card issuers to send out new, chip-embedded cards to users (which still have magnetic stripes to complete transactions on now-"legacy" magnetic stripe terminals). It also required merchants to upgrade their terminals to be able to accept the new credit cards. Credit card networks like Visa and MasterCard instituted a liability shift in October to get merchants to speed things up on their end—either upgrade your terminals or you’re liable for any fraud that happens with a card that could have made a transaction using the chip technology.

The liability shift was in the works for years, with President Obama even signing an initiative called “BuySecure” to speed the adoption of EMV in the US. But despite that high-visibility endorsement, the major card networks have failed to get many mom-and-pop stores to understand what they have to do to be compliant, and even big-name retailers have struggled to find a cost-effective way to roll out new terminals. Part of the problem, too, has been that big terminal manufacturers weren’t ready to roll out EMV-compliant terminals on October 1. (Startups like Square even offered to cover any liability its customers might incur between the October 1 deadline and whenever the new terminals arrived.)

Shortly before October 1, 2015, The Strawhecker Group surveyed payment service providers that collectively worked with more than a quarter of the merchants in the US. It found that only 27 percent of those merchants had a plan in place to allow them to process EMV-based transactions as of October 1, 2015. While a 10-percent jump in EMV-ready merchants in four months might seem like a positive development, TSG at the time predicted that 40 percent of merchants would be EMV-ready by now. (It should be noted that TSG’s sample for its January 2016 survey was larger than its September survey sample—this time around the consultancy surveyed payment service providers that represented about 50 percent of the US card-accepting market.)

In a press release, Jared Drieling, Business Intelligence Manager at TSG, wrote that some merchants decided to delay their migration to EMV-compliant terminals “until the holiday season ended to prevent friction and confusion at the checkout line.” Drieling added that companies may have already subsumed some liability since October 1. "I suspect that many merchants that have delayed, especially merchants in higher risk categories, felt the impact of the liability shift last year and we’ll see them aggressively ramp up plans to migrate," he said.

TSG estimates that 50 percent of merchants will have EMV-equipped terminals by June 2016, but it also expects that the US won’t reach a 90 percent threshold until 2017.

Yet the slow rollout of the ecosystem to support chip-embedded cards is just one issue. Currently, terminals in the US will accept chip-and-signature transactions instead of the more secure chip-and-PIN, so the full cost benefit of rolling out the new hardware may not come to fruition for several more years. Although debit cards generally need a PIN to authorize a transaction, one of the benefits of the EMV standard is that it supports PIN authorization on credit cards as well. But with merchants and card issuers hand-wringing about customer confusion and increased friction at the checkout counter (possibly resulting in lower sales), card networks are still accepting signatures as authorization on credit card transactions, even if they’ve been processed with a chip-embedded card.

Certainly, PIN-authorized transactions are no guarantee that fraud won’t occur, as evidenced by an ingenious scam by a criminal ring in Europe, but they’re certainly more reliably secure than the old John Hancock method.

Still, retailers seem to be getting in line, albeit slowly and with some whining (PDF). According to individual comments submitted with TSG’s survey, one payment survey provider said, "This has been a major pain in the a$$. Terminal manufacturers weren’t ready, the processors and certification people weren’t ready; we spend more of our own $$ to clean up their mess."