With news of data breaches in the past few months and, most recently, Target’s announcement that the company will reissue all REDcards with chip-and-PIN technology, why has it taken the United States longer than other countries to adopt EMV technology?
In the United States, most credit and debit cards have magnetic stripes, which share each consumer’s personal financial information with the payment terminal. The United States is one of the last countries in the world to upgrade to EMV technology, which stands for Europay, Mastercard and Visa.
Europe, Canada and Asia are already using smart card technology, and it’s becoming the standard for payments everywhere, according to Merchant Warehouse, a payment solutions provider.
Forty-five percent of all cards in the world are chip-enabled. That’s more than 1.5 million EMV cards worldwide. Seventy-six percent of payment terminals in the world are EMV enabled. That’s 21 million payment terminals.
“The U.S. is behind the rest of the world on EMV primarily because the cost to ‘re-terminalize’ the merchants will be enormous, combined with a lack of demand from the consumer,” Merchant Warehouse says.
The cost to upgrade the infrastructure and reissue cards is high, but how does it compare with enduring another massive security breach that costs millions of dollars?
Mercator Advisory Group estimates that credit and debit card fraud costs card issuers more than $2.4 billion annually. “The U.S. has been the No. 1 country for card fraud in the last 5 years due to lack of chip payments,” according to Merchant Warehouse.
The Target data breach is estimated to have cost the company $17 million ($61 million in direct expenses less $44 million in insurance payouts), not counting loss of revenue and profits as a result of the event. Some analysts expect the total cost to surpass $1 billion. New payment terminals, on the other hand, are estimated to cost $500 to $1,000 each.
John Mulligan, Target’s executive vice president and chief financial officer, said in a statement in February that our country’s lack of advancement in EMV technology has become a problem.
“In the United Kingdom, where smart card technology is widely used, financial losses associated with lost or stolen cards are at their lowest levels since 1999 and have fallen by 67 percent since 2004, according to industry estimates,” he said. “In Canada, where Target and others have adopted smart cards, losses from card skimming were reduced by 72 percent from 2008 to 2012, according to industry estimates.
“A reason the United States has been slow to embrace change is that all players in the payments system — merchants, issuers, banks and the networks — have not been able to find common ground on how to share the costs of implementation.”
Oliver Manahan, vice president of emerging payments at MasterCard, shared Mulligan’s sentiments that cost collaboration – not cost amount – is the biggest factor to our country’s slowness in adopting EMV technology.
The cost for American merchants to upgrade point-of-sale equipment tends to go down along with business size. Average prices for EMV-compliant card terminals cost $200 to $500, and a mom-and-pop shop can currently buy one for as little as $110. Larger businesses that require a more complex upgrade, new software or multiple payment terminals will face a higher cost, proportional to their needs, including a new terminal at each physical payment location.
“Merchants who are using a Point of Sale (POS) system with integrated processing will require an EMV-capable add on peripheral device, which will cost between $300 – $1000. Some payment providers are helping merchants with the cost of the upgrade by providing equipment to the merchants with little or no upfront cost, and instead charging merchants a monthly service fee in the range of $25 – $50 a month,” says Marc Castrechini, Vice President of Product Management and Solution Engineering at Merchant Warehouse.
Online-only merchants have it a little easier and face no upgrade costs. “The EMV compliance deadline is only necessary and relevant for those merchants accepting card-present transactions, which take place at brick-and-mortar retail stores or restaurants, for example. Online merchants will not need to make changes to avoid the liability shift,” says Castrechini.
Although online-only merchants will not face new liability issues under the EMV guidelines, they should take the upgrade seriously. Experts predict that fraudsters will shift their attention to online vulnerabilities.
“EMV is expected to greatly reduce card-present fraud through the counterfeiting and duplication of stolen card data,” points out Castrechini. “This is important because fraudsters will likely migrate to online merchants where a path of lesser resistance may exist. Though online merchants aren’t required to perform EMV upgrades, they should take the opportunity assess their current acceptance solutions to ensure they are utilizing the most current fraud prevention tools ,such as address verification, card verification and tokenization.”
To head up coordination efforts for EMV technology, a non-profit association of multi-industry leaders known as The Smart Card Alliance came together to help move smart card technology forward in the U.S. and Latin America. The Smart Card Alliance then started the EMV Migration Forum on July 31, 2012, to help coordinate the switch to EMV technology in the United States.
Contrary to what some consumers may assume, the switch to smart cards was not a direct response to recent data breaches.
According to the EMV Migration Forum, Visa announced it would move toward EMV technology in August 2011; MasterCard announced its U.S. roadmap to smart cards in January 2012; Discover announced a 2013 mandate that all its card issuers and directly connected merchants in North America support EMV; and in June 2012, American Express announced its U.S. roadmap to begin issuing smart cards in late 2012.
Manahan said the data breaches just added fuel to the fire. The EMV transformation is a process. “You can’t just make an announcement … and expect smart cards and chips to just show up.”
For U.S. cardholders, when a current card expires, the issuer will replace it with a chip-enabled card. Any issuer or merchant who doesn’t upgrade to smart card technology by October 2016 will be liable for any fraud that would have been prevented with EMV. The only exception may be automated fuel terminals, which have a deadline of 2017 for upgrade, due to more complicated engineering, Manahan said.
Card issuers and merchants can check out the EMV Migration Forum to find out how to can get involved in the upgrade. Consumers can check with their credit card issuer to find out when their existing credit card(s) will be upgraded.