EMV: The three little letters that represent the single most hotly debated and discussed topic in the U.S. payments and commerce ecosystem for nearly the entirety of the last two years.
The walk to the liability shift in this market last October was technically four years long, but in reality, EMV didn’t become an absolute certainty until Dec. 19, 2013. That was the date that lives on in payments history, since it was the date that Target announced it had been the victim of a massive POS breach that exposed the card data of some 40 million consumers.
Not that EMV would have cured the reason for that breach — but let’s not get bogged down with details at the start of our story.
Rather, as Verifone CEO Paul Galant told Karen Webster in a recent interview, at that moment, industry, legislative and consumer attention all converged into a perfect storm that made EMV bigger than the card counterfeit fraud it was created to fight. Instead, it became symbolic of the payments and commerce sector’s collective need to upgrade its security infrastructure to keep pace with a rapidly changing world.
“When people say that EMV has ‘taken too long,’ they are absolutely right,” Galant told Webster.
“But it’s not just EMV. It’s using the opportunity that EMV created to reengineer, reimagine and then recertify the entire payment architecture of some of the biggest merchants in the biggest commerce center on the planet.”
To say it’s a big job really buries the lede — it’s possibly the biggest job ever conceived of in payments since the jump to using written ledgers to keep track of trades.
And although the 18 months between the Target breach and the liability shift were spent discussing the scope, scale and importance of the shift — and how EMV fit into a bigger security picture that also included such relatively new ideas to the public consciousness as tokenization and P2PE — the year since the liability shift has mostly been dedicated to bringing this behemoth of rethought POS into reality.
It’s been an interesting ride so far, and the data tells a mixed story.
There’s plenty of positive data to look at.
According to the card networks, at the one year anniversary of the liability shift, the proudest stat to report is the decline in counterfeit card fraud at EMV merchants. Counterfeit fraud has declined by more than 50 percent compared to the same period a year earlier. A top retailer said that its counterfeit fraud rates declined by 90 percent the first 30 days after flipping the switch.
Nationwide, there are roughly 2 million chip-enabled businesses, and 1.3 million of those merchants are local establishments. EMV is not only for the big guys. Additionally, according to newly released data from Cayan, consumers are getting increasingly used to using EMV in their day-to-day lives — 42 percent of consumers use chip cards three or more times per week while shopping. Not surprising, since there are more than 700 million chip cards in circulation in the U.S. market.
Those are the more cheerful figures.
Not so encouraging are the stats that suggest that there are more merchants with EMV terminals than certified EMV terminals or EMV terminals that are actually turned on. Cayan data suggests that 91 percent of consumers have encountered terminals that can’t (or won’t) accept chip cards and still relied on swipe to complete the transaction. The biggest beef, merchants say, is the change in the consumer experience. Slower, clunky and unfamiliar turns a transaction that used to be a few seconds into half a minute. Merchants would rather tape than switch.
Relying on swipes in the interim has been costly since, according to some estimates, non-certified and non-EMV merchants en masse are reporting a big spike in chargebacks since the liability shift date. And those chargebacks will be a cost of doing business for some time — certification has turned out to be a slower than anticipated process. Though the numbers are increasing, optimistic estimates put full EMV adoption at about 70 percent by the end of next year, but many think that is overly optimistic.
So, what to do when the data tells a mixed story?
We asked the experts, of course. Specifically, six of the players that got to live EMV Year 1 from many sides of the table: the merchants, solution providers, restaurateurs and the card networks.
The stories they told — like the numbers — are mixed. But all were mixed within various opinions. We spoke to no one that said EMV one year in was an unqualified perfect 10 with no needed upgrades, nor did anyone say that EMV is the worst idea in the history of human ideas.
What we heard is that EMV is a part of a solution but not a cure for the epidemic of fraud that is plaguing payments and commerce. We heard that good intentions don’t always lead to great outcomes, especially when trying to certify millions of merchants on the quick. We learned that everyone wants security to be better, and everyone understands EMV is part of the equation, even if it isn’t solving all of it.
Mostly though, we learned that, in a year, EMV in the U.S. has come a very long way.
And that it has an even longer way still left ahead of it to go.
Chief Technology Officer and Chief Security Officer, Creditcall
I wouldn’t say it is an absolutely fantastic scorecard, but I think it has the basic metric of something we can absolutely build upon here. I think what we’re really going to see is the smaller retailer — the mom-and-pop stores — leading the way. They are smaller environments that are simpler to upgrade, and they have a lot more off-the-shelf solutions, like Creditcall Chip DNA, that let them get to EMV and beyond. I think we will see small retailers overtake the larger ones for sheer breadth of innovation.
Harder than expected.
If Creditcall’s Jeremy Gumbley had to put EMV adoption into a three-word description for the U.S. in the first year, that would probably do it. Some of it came from poor communication and real limitations on the part of merchants for being able to make major changes to their POS.
Part of it is just the reality that, given the scale and scope of what’s happening with the liability shift, there was never a chance this was going to be something that was even close to wrapped up in a year.
“If we’re expecting EMV to be wrapped up in six months, or 12 months or 24 months, that was just sheer fantasy. Even in mature markets, like the U.K., where they have been deploying EMV en masse since 2005, you still find merchants that still don’t have it for a variety of reasons. We should be viewing this in units of five years instead of units of six months.”
And reality setting properly calibrated — the progress in Year 1 has been reasonable, if not record-setting. EMV transactions are going up, and more merchants are adopting as more ISVs are getting on board — a lot of the right number are going in the right directions.
“I think over the next couple of years we’ll see a lot more retailers, big and small, adopting the tech. And I think that will coincide quite nicely with cardholders learning to dip card instead of swiping.”
The challenges will continue to proliferate. Gumbley noted it isn’t exactly “rocket science” to find that fraudsters have moved online as counterfeit fraud is becoming a hard line. He also noted that consumers are living with growing pains, dealing with transactions getting rejected and various security settings needing to be customized so that transacting digitally happens seamlessly.
But, he noted, there is also reason to believe that that progress is being made across the board, that payments is becoming more flexible and that companies like Creditcall are using the great EMV migration to think big about incorporating cardless payments, tokenization and “whatever outlandish payments method we can’t think of today that will need to be integrated into the platforms of tomorrow.”
EMV has been a bump in the road, but the ecosystem is moving forward.
SVP of Product Development – EMV, Mastercard
EMV is the foundation for the next generation of payments. It’s not just about cards; it’s about the underlying base we need to establish in this market. We are doing all of this so we can enjoy this digital transformation of the way we accept payments and the way consumers interact with payments in a variety of environments. With tokenization and biometric authentication. And it is critical to keep that in perspective because I think sometimes people think about EMV and focus on whether mobile should be leapfrogging it because it’s cards and out of date. And it’s not either/or; it’s complimentary. It’s about the foundation that allows us to enter into this new era of how we as consumers want to do payments.
Hindsight is 20/20.
Mastercard’s Chiro Aikat, on the whole, is satisfied with the progress EMV made in the United States and its consistent march toward installation and certification. In many ways, he noted, EMV has become “the new normal.”
But EMV hasn’t had a perfect rollout, and left to do it over, he wonders now if consumer enrollment and understanding could have been better.
“A lot of the noise is the aspect of change. This is the biggest change in payments in 25 years. We should have had the consumers more wired in.”
The process of debit cards being folded in also could have been smoother — the standards settled on are good, Aikat noted, but could have been out earlier.
But bigger than EMV’s limitations, he believes, are its successes. Issuers have gotten cards into the vast majority of users’ hands, and merchants at the end of Year 1 are making strong progress across the board.
“What is encouraging to me is that we always knew the top merchants would all adopt first — the Walmarts, Targets and Best Buys — and we saw that, with the top 200 retail merchants, they are overwhelmingly already active. But we are seeing, out of 2 million, 1.3 million are local and regional merchants. And that is music to my ears. Because that tells us that it is happening across the merchant community and not just at the top.”
And that wider adoption is exciting, because EMV isn’t just a card technology since it is undergirded with the same dynamic data technology that enables Apple Pay and contactless payments in general. Meaning EMV and the innovation it makes possible in the future — consumers being able to consolidate debit and credit accounts onto a single chipped card, opening up closed-loop systems for payments integration, wider distribution of tokenized security — are all made possible by the EMV framework going into place.
As for the future going forward?
“I think merchants will take the initiative in phase two to really optimize their point-of-sale experience.”Aikat noted. “This is the journey of getting this market mature on EMV.”
Vice President, Merchant Advisory Group
There is still a lot of frustration by merchants, and the reality is we’re not as far as we should be. I think, in the U.S., we had a very unrealistic timeline to start with. Four years was a really tall order and not one the industry was ever really ready to meet in the first place. The challenge for U.S. merchants facing those kinds of time constraints is that there were a lot of stakeholders upstream that were not, for a variety of reasons, able to get us a lot of what we need, like technical specifications, to be ready to roll by 10/1/2015.
From the word go, Liz Garner of the Merchant Advisory Group said the EMV timetable in the U.S. was always just a bit too ambitious. Canada, she noted, is one-tenth the size of the United States and gave itself three extra years, plus a six-month extension at the end. The push for speed in the United States, particularly in the last 10 months of 2015, she feels, created an untenable situation. Some merchants couldn’t get themselves technologically on the right page in time, and others managed to get all the right tech in place only to run into the certification bottleneck that left so many sitting with tape over their chip readers waiting in line.
And for all the touting of how small businesses are going to innovate with EMV, Garner pointed out that small businesses have been hit particularly hard with the costs of transition.
“I think CNP fraud is going to be a bigger issue for smaller businesses, particularly those that are not used to the online environment with things like gift cards. Merchants that are just now rolling out face a lot of challenges about the certification process.”
The card networks, she admitted, have done some good work to dampen the effects on the spike in chargebacks and to streamline the process, but the essential problem still remains one year into EMV.
“We just weren’t getting merchants certified fast enough, and for some, that is netting big losses.”
Optimization, which is happening at larger merchants, has to become more common because speed of service is an important issue. Garner also noted that it might just be possible that there are environments where the dip-and-wait won’t work — say, among consumers getting coffee, there is an actual loss of function in the loss of the swipe, and the fraud risks on a $2 cup of coffee are pretty low. Apart from freeing some merchants from security structures that don’t make sense, Garner also noted that the merchants are also incredibly concerned not to see the chip cards being paired with PIN authentication, instead of the continued reliance on signatures.
“The use of PINs has been shown around the world to reduce the rate of fraud dramatically. Period. This should simply be a merchant’s choice.”
EMV, Garner noted, is not a lost cause, and merchants are entirely supportive of things that enhance their security and that of their customers. But as things stand, Garner said, merchants are between a rock and hard place when it comes to certification and chargebacks.
Merchants, she said, want to feel the EMV love, but so far, the big upgrade hasn’t delivered enough value yet to make up for the cost, stress and hassle that has accompanied it.
Director of Commerce and Entrepreneurship, National Restaurant Association
I don’t think anyone really expected how hard it would be to become EMV-compliant. Nor did anyone expect the tidal wave of chargebacks that would crop up after 10/1/2015. If we could go back and do it all over again, there are a lot of things thing the restaurant industry would like to have seen done differently.
Not enough time.
Ultimately, the NRA’s (buns, not guns) Laura Chadwick said, restaurants just didn’t have enough time. Unique among POS systems, restaurants deal with incredible complexity and systems that manage not just payments but also inventory, scheduling and reservations. Finding software that works in those delicately balanced systems is far from plug-and-play for most owners, and even when the right solution is found, getting set for implementation is very difficult.
Add to that, Chadwick said, the reality that, once restaurants had done all this difficult legwork, getting certified was far from easy and often required waiting in a very long line.
“It has been a long, hard slog. There was not enough time to prepare to accommodate this.”
And on top of being just a huge logistical challenge from both a hardware and software perspective, the challenge layered over top is how very, very expensive the liability shift has really been. Many restaurant owners thought they might skip EMV, thinking their small organization doesn’t face real risk from chargeback fraud — or, at least, not enough risk to justify the cost of upgrading.
That has turned out to be far from true, but restaurateurs didn’t know it until after the liability shift.
“There should have been more information relayed to restaurants about the level of counterfeit card use in their operation before the liability shift last year. Restaurants could have had better outcomes if we knew how many times these faked cards were really being used. This wasn’t shared with us, and they were unprepared for how many would be coming.”
That wave of chargebacks hit restaurants particularly hard, because the margins are just so thin.
“The information was there, but the restaurants didn’t have it, and it would have been really important for us to be better prepared.”
Vice President Risk and Authentication Products, Visa
We’re seeing really good progress, especially when you look at the complexity of the U.S. card market. And we’re not only doing EMV chip, but we’re also, in many cases, doing contactless and mobile along with other big investments in payments technology, like tokenization and encryption. There is a lot of upgrade and enhancement that is being made to payments security, as well as functionality and convenience with mobile. And major investments are being made, and we are seeing very steady progress.
Visa’s Stephanie Ericksen chalks up much of the angst around EMV to problematic expectations. Ericksen pointed out that the three largest countries to make the jump to chip card-based technology were Brazil, Canada and Australia, and in all three cases, it took two to three years to get to 60–70 percent penetration. At present, the United States is on track to be at about the 70 percent mark by the end of Year 2, despite the fact that the U.S. is larger than all three and is making a simultaneous jump to mobile and contactless.
Ericksen noted that that doesn’t make the frustrations of the first year of EMV transition any less real, particularly for the merchants that are going through the system’s growing pains and being hit by waves of chargebacks while going through certification. However, she noted, Visa has moved to streamline the certification process, opened up for great acquirer autonomy in self-certifying and limited chargeback frauds for the next two years.
“We recognized many merchants were working on moving to EMV. We changed the chargeback requirements to a minimum of $25 or 10 chargebacks per account,” Ericksen noted. Visa has also aggressively been pushing Quick Chip technology, which is both smoother to implement and creates a much faster EMV checkout experience, answering merchants’ second major complaint: EMV is terribly slow.
More important, Ericksen noted, is that EMV signals the bigger changes coming in payments and commerce, and more consumers and merchants are adopting mobile contactless and operating in omnichannel environments. EMV does a good job of limiting counterfeit fraud, Ericksen noted, but EMV has also done a great job of opening up the entire ecosystem for an upgrade to face the fact that there are now a variety of security challenges to answer for in this new environment, too. And solutions are emerging to answer for them, including P2PE, tokenization and the more effective leveraging of data.
“Every transaction that goes through the Visa network examines 500 different data elements to check for the likelihood of that transaction being fraudulent, and we are sharing that with the merchant in real time.”
EMV hasn’t had a perfect year, according to Ericksen, but it’s had a pretty good start here in the U.S. And it’s started a conversation about POS and protecting consumers at the same time innovation is being ushered in at the point of sale that is of great benefit to the whole ecosystem.
Conclusion: From The Mouth Of A Major Retailer
That was the one word answer given by a major Tier 1 player who agreed to share their unvarnished opinion on EMV on the condition we not say who they are or where they work.
It wasn’t that the retailer couldn’t name good effects of the changeover — counterfeit card fraud is down, and the system is optimized well enough that they’ve had no complaints about time at checkout.
But when they stack up what EMV actually turned out to be versus what they feel their company and millions of other retailers were sold, at the end of the day, it just didn’t measure up. Chargebacks went crazy, certification was much more complicated than anyone had been open about and, in a lot of cases, merchants found themselves getting hit with chargebacks that had nothing to do with counterfeit cards and hit their bottom line — hard.
While they noted they would like to see the brave digital future, the reality of EMV’s present has been disappointment, confusion and more expense than they anticipated.
And while they said they are eager to see what EMV can deliver in Year 2 and beyond, they aren’t quite as interested in hearing about the next phase of innovation when the current phase still seems to be sputtering to life in some places.