Two months on from the EMV migration in the United States, traction among merchants has been anything but fast. Early reactions to the EMV liability shift in the U.S. can be filed under Excited, Mired, and Varied.
The card schemes have been excited (they will, after all, benefit from the fraud liability shift in the long run), merchants have been mired with complaints of expense and complexity, while the reaction from consumers has been varied as they acclimatise to long queues during the bedding-in period.
Interestingly, EMV was initially brought to the fore in rather an unexpected fashion when Netflix cited ‘higher-than-expected involuntary churn – driven in part by the ongoing transition to chip-based credit and debit cards’ as a reason for missing their Q3 2015 subscriber forecast.
Not many believed this explanation but there it was in black and white, bringing the EMV migration under the microscope.
While, in time, the EMV migration will be a boon for mobile payments, it has sparked criticism from those providers of next-generation mobile payments like Apple Pay. Put simply, the suite of mobile payment options, promised by these providers, depends on merchants upgrading their terminals to accept NFC contactless payments enabled by the EMV migration. A delay in merchants upgrading leads to a stagnation of mobile payment growth.
Retailers battle back on interchange
More recently there has been a high-profile spat between banks and retailers over fees stemming from the introduction of the new chip cards.
The battle lines are drawn as follows:
Retailers want chip-and-pin. The October 2015 EMV fraud liability migration introduced a new payment card with chip-and-signature. Retailers are frustrated that they have been ‘coerced’ into committing a massive expense to upgrade POS terminals to a standard that they feel does not eliminate all fraud – only fraud that affects banks. Retailers want a reduction in interchange fees for what they perceive to be work carried out above and beyond what is expected of them.
Banks, on the other hand, have accused retailers of ‘deflecting’ from the real issue, which they believe, is insecure payment terminals. Banks have insisted that chip-and-signature is more than adequate. This dispute, to which no obvious resolution has been proposed, has already received the scrutiny of attorney generals as well as the FBI.
In the background to this dispute is the deal that Apple cut back in September 2014 when they first revealed Apple Pay. The Apple Pay deal meant Apple received a significant reduction in interchange fees. In the banks’ rush to become the default card in iPhones using Apple Pay interchange fees were slashed. Bloomberg revealed that Apple had negotiated a deal with five major U.S. banks (Bank of America, Capital One, Citi, Wells Fargo, and Chase) to give it between 0.15 to 0.25 of a percentage point of the interchange fees in return for being allowed onto Apple Pay.
It was a significant win for Apple: one that hovers in the background of the current EMV dispute between banks and retailers.
As expected card-not-present fraud continues to grow
Annual fraud costs to US retailers rose 38% to $32 billion in 2014, according to Business Insider Intelligence estimates based on available data from Lexis Nexis in their ‘2014 True Cost of Fraud’ study. The study also noted that in 2015, it is expected that one out of every 86 card-not-present transactions will be fraud attempts compared to one out of every 114 in 2014.
Card-not-present fraud has already increased since the introduction of the EMV liability shift on October 1, 2015. Recent reports have estimated an increase of up to 30% this year alone in card-not-present fraud.
The 2015 holiday season is also expected to see a considerable rise in attempted online fraudulent card activity in the eCommerce and mCommerce sectors.
It had been predicted that this type of online fraud would increase post the liability shift as fraudsters are seeking out a weaker link, but even the scale of this fraud has surprised many industry experts.
Andy Smith, former senior vice president, identity and fraud at Equifax, outlined the ‘new’ types of online card fraud that are becoming increasingly popular: “We’re already seeing, for instance, auto lending fraud getting more prevalent; seeing rises in mortgage fraud, and defrauding commercial accounts. The other thing that we’re going to see is a move to application and account takeover identity-related versions of fraud and the move to online channels to avoid having to swipe that payment card.”
Online fraud is maturing, and offering a significant outlet to fraudsters feeling the initial squeeze of the EMV migration. Security analytics firm DataVisor, has already predicted a “perfect storm” in 2016 that will result in a high level of fraudulent transactions, powered by three trends:
- A significant increase in eCommerce websites and mobile apps.
- Growing comfort among consumers to transact online.
- Adoption of EMV cards and digital wallets.
Separating fraud between card-present and card-not-present is of no benefit, however, to merchants operating in an omnichannel retail environment.
To this end the study contains some significant advice for merchants and their acquirers: “Do not rely on EMV to eliminate fraud: tokenization must be used in conjunction with 3-D Secure because multichannel merchants are attractive data-breach and fraud targets. While EMV is highly effective at preventing POS fraud, when used for eCommerce purchasers, card data is still vulnerable to compromise and subsequent misuse – including static CVC2 data. Merchants can safely store and transmit tokens as proxies for primary account numbers (PANs) during authorization without the fear of compromise because they are often more limited in their use than true card data and are also more easily replaced.”
The Independent Community Bankers of America agree with LexisNexis on this point. In their statement to the Attorney General, defending the introduction of chip-and-signature, they had this to say on tokenization: “The truth is, there is no single technology that is a panacea when it comes to preventing data breaches and the payments-related fraud that results from it. Effectively fighting these threats requires multi-layered and flexible solutions that work in different situations to effectively secure the system.”
Just four in every ten small merchants are EMV compliant
As of November 10 (six weeks after the liability shift introduction) a survey by The Small Business Alliance found that the majority of merchants were still not EMV compliant, thus potentially exposing themselves to any card-present fraud perpetrated in their stores.
The key finding from the October survey were that “only 41% of business owners have a point of sale (POS) terminal or other method of taking credit and debit payments that is EMV compliant. Of those who do not have an EMV compliant terminal, 53% do not plan on upgrading their terminals to become EMV compliant.”
It’s on the agenda, but many merchants just haven’t made the move . . . yet.
Why is that? Well, EMV migration is a major undertaking for a merchant, potentially exposing them to significant cost, resource, and time issues.
For certain merchants the migration is a terminal-only project, once their terminals are upgraded to accept the new EMV chip payment cards the process is complete. For others the potential migration can lead to major front-end and back-end upheaval as their payment systems may also incorporate inventory analysis; loyalty programmes, and other value-added services (e.g. gift cards, or branded prepaid cards). In this scenario, any potential EMV migration decision takes on a different complexion for affected merchants.
Remember, this is a fraud liability shift – it is not a legislative deadline. Merchants are fully within their rights to continue operating as normal.
Merchants are in a difficult position. The migration has been long flagged – first revealed by the EMVCo group in August 2011. The majority of merchants have either chosen to ignore the liability or simply believe they will be unaffected, having weighed up the pros and cons.
The problems for merchants arise when fraudulent payments are perpetrated at one of their terminals that do not meet the EMV requirements. If the merchant is deemed to be the weakest link in the fraud chain then they are liable for this fraud. Serious fraud can lead to greater urgency in the months and years to come, by 2017 it is expected that 90% of merchants will be EMV-compliant. It was always going to be a slow churn process.
A short two months into the process, data is neither sufficient nor sufficiently substantiated to allow us to draw any conclusions or insights into its effect on merchant behaviour.
For now the reaction is: Excited. Mired. Varied. It all depends on who you ask.
Fexco Transaction Services
Fexco Transaction Services is dedicated to continuing innovation across the entire payments value chain. Our Transaction Services solutions provide a secure infrastructure enhanced by a wide range of modular business services and client specific features which facilitate an end-to-end transaction solution for merchant’s acquirers and card schemes. Please contact us to discuss your payment transaction needs.