The importance of pushing back the EMV fraud liability shift deadline

    Dan Alaimo

As the payment wars between retailers and credit card issuers rage on, both sides would be well served if the EMV October fraud liability shift deadline were pushed back, because neither group is fully prepared to meet it.

The dispute has been brewing for months and stems in no small part from the long and bloody conflict over card interchange fees. There's no love lost between retailers and their banking partners.

EMV stands for Europay, MasterCard and Visa. It is the global standard for inter-operation of integrated circuit cards (IC cards or chip cards), IC card-capable point-of-sale terminals and automated teller machines. It authenticates credit and debit card transactions. The card industry set an October deadline for retailers to be ready, or else become responsible for any resultant POS fraud.

The industry is unsettled over whether "chip-and-signature" or "chip-and-PIN" should be the way to proceed. Many retailers—including Walmart—prefer the more secure chip-and-PIN. Mike Cook, senior VP and assistant treasurer at Walmart, said choosing anything but chip-and-PIN would be "such a joke."

Unfortunately, this may be very true, as evidenced by a YouTube video showing two people conducting a "social experiment" where they openly signed fake names, like Oprah, Vin Diesel and Mr. Fake Name, while pointing it out on camera to unfazed cashiers. Signatures for credit card transactions are pointless, they concluded.

Why do banks and issuers continue to push chip-and-signature? Brian Krebs, writing in his respected KrebsOnSecurity blog, quoted Julie Conroy, a fraud analyst with The Aite Group, as saying Visa pushes chip-and-signature while MasterCard supports chip-and-PIN. The industry settled on chip-and-signature in the United States for competitive reasons: the banks and issuers want their cards to be as easy to use as possible, and signature is easier than PIN.

But the retailers prefer PIN, and a change would be easy because most of the new POS devices for EMV can handle either signature or PIN. The only challenge is presented by customers who forget their PINs in the midst of a purchase, but that's nothing new, considering debit card transactions often require PINs.

The Food Marketing Institute recently wrote to the major credit card companies expressing views consistent with other retailing groups, such as the National Retail Federation and the Retail Industry Leaders Association. In short, their position is that the system is not ready to meet the deadline, when fraud liability shifts from issuers to whichever entity—retailer or bank—is least prepared for EMV.

Then there is the matter of educating shoppers about new card processing procedures in the midst of the hectic fourth-quarter selling season. FMI's views are not to be taken lightly—the association remains very influential with government and suppliers in representing supermarkets and other retailers, although its events have declined in importance.

In addition, there's been a delay in the card networks' release of specifications and in the delivery of equipment to retailers. While major retailers, such as Walmart, are prepared, many others are not.

A consensus forecast is that only 47 percent of merchants will be ready to accept the new cards by the end of the year, while the Aite Group reported earlier this year that 34 percent of merchants had not yet heard of EMV, and 46 percent had not begun preparing for the transition. A report from the Strawhecker Group is more pessimistic, showing that 34 percent of U.S. merchants will be ready for EMV by October, with 53 percent fully compliant by 2017.

It's not just the retailers. Many banks won't be ready either, according to PaymentsSource. Banks that cannot pay for the expense of migration in one quarter are spreading it out over time. These include small banks, like Mechanics & Farmers Bank, and large ones like Fifth Third.

In a letter to U.S. Senate leadership criticizing FMI's stance, the National Association of Federal Credit Unions cited the imperative of fixing the POS data security problem, and blamed FMI's "unscrupulous tactics and falsehoods."

Banks and credit card issuers have worked hard to prepare for the EMV rollout this year, but it remains clear that many are not completely ready for prime time. Retailers and some banks need until next year before fraud liability changes over, lest consequences become widespread. It could even put some smaller retailers out of business if a very large purchase were charged to a fraudulent card.

So keep rolling out the EMV chip cards, change to chip-and-PIN, keep educating retailers and consumers, but in fairness, the liability deadline needs to be extended into next year when most merchants and banks will be ready for it.

Let's not revisit the interchange fee conflict. -Dan