Consumers were promised a new level of security after the October 1, 2015 deadline for EMV, the chip-based card technology. But now, six months later, how much has really changed?
Security magazine editors recently spoke with Dick Mitchell of Randstad Technologies, an often-cited expert on the status of the EMV transition.
Security: What did the deadline really mean, and are any retail establishments being penalized for not meeting it?
Dick Mitchell: Rather than a strict mandate, it seems the deadline was a suggestion to get America’s payment technology in line with that of Europe and much of the world. The deadline was not decreed by law and thus didn’t bring any real means of enforcement or direct penalties. Retail establishments aren’t being formally penalized for not meeting the deadline. However, they will be held financially responsible if a fraudulent transaction takes place and the retail location is using the less advanced technology, i.e., mag-stripe point-of-sale technology when presented with a bank-issued EMV credit card. Until October 1, 2015 the financial burden automatically fell to the issuing bank and card brand, so this new liability for certain fraud is the real penalty.
Security: Why are so many credit card chip readers installed but not activated?
Dick Mitchell: There are a number of reasons why Chip readers are not yet activated:
• Upgrading to EMV terminals is costly and time-consuming. Many businesses may have the equipment in place, but until there’s another major data breach, many have the attitude of, “It won’t happen to me,” and so have not made the final push and cost to activate the technology.
• There is also still some confusion on the part of consumers. Even though many consumers have Chip cards at this point, they can still swipe those cards at payment terminals as they’ve traditionally done. The process of inserting Chip cards in payment machines takes a bit longer than simply swiping, which can be both confusing and frustrating for consumers. So, since consumers are not clamoring for Chip readers and are comfortable with swiping as normal, retailers have not felt the push to activate the new machines.
• In addition to the new hardware, the merchant must also allow new software into its back office systems to enable the terminal to accept EMV, and the software has trailed the hardware in terms of readiness. Additionally, the terminal and merchant must also undergo a certification process with each of the card networks. There is a backlog of retailers queuing up for this certification process, and thus many machines cannot yet be activated until that process is complete.
Security: Is the pace of the EMV transition going more slowly than planned, or do you think this lag was anticipated?
Dick Mitchell: Unfortunately, it’s not surprising that so many businesses failed to make the upgrade to EMV technology by October 1, 2015. In a survey of C-level executives and IT decision makers that Randstad Technologies conducted last July, 42 percent of respondents said they either had not taken any steps toward the transition or were unaware of any progress made. This was a significant number of retailers who weren’t prepared for the shift just three months out from the deadline, suggesting a lack of awareness from businesses about the reason for the shift and its importance. And since there still isn’t an outcry from consumers to upgrade to the more secure technology, the transition will continue to lag, at least until the next blockbuster fraud occurs!
Security: Are consumers’ credit cards still safe if the chip reader is not being used? What, if any, are the security risks?
Dick Mitchell: Until Chip readers are activated, consumers will have the same level of risk they did prior to the deadline. Unfortunately, though, even if Chip readers are activated, credit cards are still not as secure as they could be. The encryption in the Chip protects consumer information better than the exposed mag stripe, but the advantage ends there. Most banks are issuing Chip and Signature cards rather than the more secure Chip and PIN cards. While Chip and Signature cards also include a microchip, users are asked only for a signature upon presentation rather than a PIN. Signatures are fairly easy for thieves to forge. But with Chip and PIN cards, an individual sets a PIN that only they know, making in-person transactions much more difficult for fraudsters to breach. And the new Chip cards don’t account for card-not-present fraud. As we saw in Europe when they transitioned to EMV technology, there will very probably be an increase in fraud for online payments.
Security: When do credit card readers at ATMs and gas stations have to convert? Should we expect the same delays with those?
Dick Mitchell: ATM readers have until October 2016 to make the shift, while gas pumps have an additional year until October 2017. There is one exception: MasterCard included ATM readers in their October 2015 liability shift. This reprieve is because these systems will take significantly more effort and money to upgrade than their point-of-sale counterparts in retail locations. Some estimates say that gas pumps could cost as much as $10,000 each to upgrade/replace. Because of the costs, I think we will see some of the same lag that we’ve seen on the retail side: Vendors could believe that a breach could never happen to them, and thus the costs in potential fraud savings won’t outweigh the costs to upgrade equipment.