Why Merchants Still Aren’t Accepting EMV (And Why EMV is Still Problematic)
We spent a lot of time talking about the October 2015 EMV liability shift, even long before it even happened. We did our best to encourage merchants to educate themselves and then make the switch over. And we’re still talking about it.
To us, there’s no question that adopting EMV is the right thing. It’s an essential tool to help prevent credit card fraud, particularly cloned or counterfeit credit cards.
Visa discovered that among merchants who have implemented chip cards, fraud has decreased. Looking at the rates of 25 merchants who had the highest rates of fraud in Q4 of 2014, five of them that implemented EMV saw fraud rates drop by a whopping 18.3% at the end of 2015. That’s the good news.
The bad news is that not implementing EMV correlates with higher fraud. Five companies from the list that chose not to implement EMV experienced higher fraud rates — to the tune of 11.4%. That’s a significant rise.
It’s not EMV itself that’s causing the increase. Shady customers are merely exploiting a perceived weakness in the system before it’s eliminated altogether. Fraud rates will continue to drop overall as more merchants make the switch over, as they have in other countries that have adopted the EMV standard.
But now is as good as time as any to talk about the future of EMV, why you should switch, and how to get EMV if you don’t have it already. (Plus, what’s holding EMV adoption back?)
Table of Contents
Tracking the Progress of EMV
October 1, 2015 might have seemed like a rather finite deadline — “accept EMV or else!” — but it was really more the beginning of an era. The only thing that really changed was that suddenly merchants were liable for costs incurred by processing fraudulent cards (note that EMV doesn’t affect card-not-present transactions or lost/stolen cards). Now the U.S. is in a state of transition, catching up to other nations around the world (particularly those in Europe) where chip cards have long been the norm, and where credit card fraud (at least from card-present transactions) has declined.
A survey in January by The Strawhecker Group found that EMV adoption was at 37%. The same survey estimates that we’ll have 50% saturation by June 2016, but we won’t see 90% adoption until 2017, more than a year after the initial deadline, and it could be several years before we see complete adoption.
But making it possible for merchants to accept EMV is only part of the battle. Not everyone has an EMV chip card right now. A survey by CreditCards.com found that 70% of consumers had been issued chip cards as of April 2016 (admittedly, that survey was based on responses from 932 credit cardholders, with no margin of error given). Visa claims that it’s now issued 265 million chip cards, making the U.S. a leader in circulation by overall volume, but that’s still only a portion of cards in circulation, and it will take time before standard magstripe cards are phased out entirely.
Large merchants are more likely to have begun the EMV transition than small businesses, in part because they have greater resources to devote (but even some of the largest retailers have only partially transitioned over to EMV). But what contributes to a company’s decision to implement EMV, and what’s slowing down the process?
What’s Holding EMV Back?
In some cases, the reason why stores still aren’t accepting chip cards is because business owners just don’t know about EMV or what it entails. Credit card processors have been working to educate merchants and get them ready for the liability shift, but that’s only one part of a big picture. Several other factors contribute to the difficulty in switching to EMV across the entire country, including:
“That Couldn’t Happen to Me” Mentality
Even if merchants do know about EMV, they may see the possible consequences as a small risk, especially compared to an issue such as a hacked POS. Compounding that problem is the buzz surrounding the EMV shift, which may appear to be something akin to Y2K for merchant. (In fact, the TSG survey found that media coverage may have had a negative effect on merchant opinions about EMV.) However, this could be a very costly assumption for merchants left footing the bill after a fraudulent card transaction.
Cost to Upgrade
Then, there’s the cost (and perceived cost) of implementing EMV. Estimates before the liability shift put the cost of EMV at $1,000 to implement, which was much higher than the $450 reported by merchants in the TSG survey. That number scared away small businesses, especially those who only process a small number of credit or debit transactions.
Not only that, but terminals do have a relatively long lifespan as far as technology is concerned (something along the lines of 7 years), and businesses that recently bought terminals that were not EMV-capable may not be willing to upgrade just quite yet.
To be sure, “future-proof” terminals (the term often used to describe EMV-capable devices) are more expensive than your standard magstripe terminals. Most terminals with EMV come with NFC equipped as well, so that merchants can accept contactless payments (Apple Pay, Android Pay, Samsung Pay). But like their predecessors, they will last several years and with the addition of NFC, are already equipped for potential changes in the payments industry.
For some merchants, there may be other costs associated with the switch to EMV, such as staff training, or implementing a new POS system… which brings us to the next point:
The Terminals are Ready, but the Software Isn’t
Compounding that problem is the fact that many merchants have EMV-capable terminals….that haven’t been activated yet. This is because coding EMV into POS systems and other software is much more complicated than the previous magstripe technology. And after the code is written, it still needs to be certified, which can also be a time-consuming process.
Terminals and software require level 1 or level 2 certification. The certification process (handled by EMVco) includes security tests as well as compatibility tests (because each card brand uses slightly different standards).
If you are a small merchant with a relatively simple setup, all you need to worry about is that your hardware or software is EMV certified. You yourself won’t need to get EMV certification in most situations.
If you have a large, custom setup, you’re looking at a possible level 3 certification, which may require you, as the business owner, to be more hands on in the process. Level 3 is a complete, end-to-end process that tests every conceivable transaction type, which could amount to several hundred tests run before you get the approval.
Software developers, terminal manufacturers, and anyone else involved in the payments space needs to get certification before they can deploy their products to merchants. And did we mention there’s a backlog of certification requests? Best estimates right now for the time it takes to obtain certification are 3 to 6 months…. But it could be longer.
So many merchants who want to accept EMV, who have invested in the terminals, are now just waiting for their POS system to get the necessary upgrades, which they can’t do until they’re certified. In the meantime, merchants are left footing the bill for any potential fraud.
Slower Checkout Times
A common complaint by many consumers who are now using their chip cards is the time it takes to dip their card versus swiping it. Transactions take several seconds longer than they do to just swipe (or use a contactless payment app such as Apple Pay), which can hold up lines and frustrate customers. There’s also the issue of having to leave your card inserted while the transaction is approved, which leads to a possibility of forgetting your card in the reader. For many businesses and consumers, that’s a headache they just don’t want.
Visa and Mastercard are working on this issue. Visa announced that it’s working on a solution called QuickPay, which could reduce transaction times to 2 seconds or less. It plans on making this available to everyone (including other card associations). It’s not a piece of technology, just some software, which will make it easy (and inexpensive) to roll out. Mastercard has its M/Chip Fast equivalent, which it says is “designed for select environments where fast transaction times, in addition to security, are at a premium,” according to the official press release.
Finally, there’s a learning curve that comes with implementing EMV. Consumers need to learn how to work their new chip cards, and so do cashiers. It can often fall on the cashiers to demonstrate for customers how EMV works, which can once again hold up a line. This is likely why many businesses chose not to implement EMV during the 2015 holiday season, and instead are just now getting on board with the technology. They’d rather let someone else handle the consumer education and didn’t want to lose potential sales by making customers wait or forcing them to adopt a new technology they don’t know how to use.
A Solution that Doesn’t Go Far Enough?
Finally, one concern is that many credit card issuers are opting to use chip-and-signature cards, rather than chip and PIN. While any sort of chip card is an improvement over magstripe technology, chip-and-PIN transactions are much more secure than chip-and-signature cards, because signatures can be forged and are rarely checked.
However, they are also more expensive, and more difficult to work with. PINs must be assigned before the card is issued, and consumers have to visit a bank branch to reset them. Not only that, but not all EMV terminals are equipped for entering PINs, but they do support signature capture, either on the terminal or on the receipt.
In fact, on May 11, news broke that Wal-Mart has filed a lawsuit against Visa for its choice to implement chip-and-signature cards instead of chip-and-pin cards. In part, Wal-Mart claims that PIN-based transactions would be more effective to reduce fraud (a fact documented elsewhere), and also that Visa charges more for those signature-based transactions.
Is There an Alternative to EMV? Well… Maybe.
EMV is clearly not without its issues, for both merchants and consumers. While merchants have no choice but to either adopt EMV or swallow the greater risk and potentially devastating costs associated with credit card fraud, consumers have one way to opt out: mobile wallets.
For tech-savvy, security-minded consumers, this seems like the obvious solution. It is fairly easy to add a card to a mobile wallet such as Apple Pay, Android Pay, or Samsung Pay. These tap-to-pay apps use tokenization to process transactions, meaning that instead of transmitting your card number the way swiped transactions do, they generate a one-time use card number (the token). Once the token is used, it can’t be re-used, so even if a terminal or POS were compromised, your card would still be safe. While you can use tokenization with EMV, EMV typically relies on encryption, which functions differently.
Tap-to-pay is currently faster than EMV (though with Visa’s Quick Pay, they may end up on more equal footing). No dipping is required so there’s no chance of forgetting a card (or, you know, phone). And Samsung Pay uses magnetic secure transmission, or MST, which allows it to emulate a magstripe transaction, so it works with basic terminals that are only set up for magstripes, as well as those with NFC.
The question remains, will NFC payments become preferred over EMV? Only time will tell. Contactless payments and mobile wallets are seeing increased use, but their overall market shares are still quite small. However, their potential userbase is huge, given how many smartphone owners are out there. Apple, Samsung, and Android’s respective apps are available to a huge customer base, and with PayPal poised to start implementing NFC payments in its own app, that customer base is only going to grow. The trick will be convincing people to switch — and of course getting merchants equipped to take mobile payments.
The Fastest Path to EMV, if You Don’t Have It
If you’ve already made the switch to accepting EMV, give yourself a pat on the back. If you haven’t yet, I have two very wise words for you, courtesy of Douglas Adams: Don’t panic.
Depending on the nature of your business, the risk of landing yourself on the hook for credit card fraud could be slim. Just bear in mind that implementing EMV could be a one-time expense that is far less costly than a fraudulent credit card transaction. It’s akin to an insurance policy: you may not have to have it, but if something ever happens, you’re going to be very glad you do.
If you have no choice but to wait to upgrade your system to an EMV-compliant solution, you can mitigate your risk by checking IDs for any magstripe or keyed transactions and getting the customer’s signature.
So how do you go about accepting EMV if you don’t already? There are a few options, depending on your situation.
Merchant Account Holders
The easiest way is to contact your merchant account provider and ask about implementing EMV, if you haven’t already. They’ll tell you what hardware and software you need and how much it will cost.
If your payment processor doesn’t have any sort of EMV solution yet, it’s time to look elsewhere. And even if they do, we encourage you to take this opportunity to shop around a bit, especially if you are thus far unhappy with your merchant account. Get some quotes from other merchant service providers (have you checked out our top-rated processors?) and see whether you can lower your processing rates as well as implementing EMV.
If you have EMV terminals but your current POS isn’t compatible, check out our favorite EMV-ready POS systems here and don’t forget to check out our reviews! Bear in mind that a semi-integrated solution might be cheaper and faster than a fully integrated one.
You might want to check whether your potential new terminal is equipped with NFC as well. Most “future-proof” terminals that are being offered have this feature, but some of the entry-level EMV terminals don’t. They’re more affordable, but you could inadvertently drive away customers who prefer tap-to-pay transactions over EMV, and end up paying more to upgrade a terminal again down the line. If your primary customer base is young and tech-savvy, you’re better off shelling out the extra cash up front to get NFC as well as EMV.
If you also need a mobile-ready EMV solution, you should ask your provider if their mPOS app comes with an EMV reader. If it doesn’t, it’s time to look at some other options (unless your processor is covering the risk until it can deploy its EMV reader).
Mobile (mPOS) Users
With the certification backlog, mPOS providers — including Square, PayPal Here, Intuit, and Spark Pay, have had more trouble rolling out their solutions, more so than others. The good news is, the big names have managed to get their readers out to consumers.
Square offers an EMV reader for $29, and an EMV/NFC-equipped reader for $50. These are chip-and-signature readers.
PayPal Here, on the other hand, has an EMV/NFC reader with PIN pad, for $150. Note that it also accepts chip-and-signature transactions, too.
Intuit GoPayment‘s EMV reader is available to pre-order for $30 (again, chip-and-signature only). Spark Pay doesn’t yet have an EMV-enabled mobile reader, but it does offer EMV credit card terminals for iPad setups.
The path to EMV is nowhere near its end, and we’re sure to encounter a few more bumps in the road before we get there. Chip cards are by no means perfect, and nor are they designed to eliminate all kinds of fraud. But there’s no question that merchants need to find a way to implement EMV for their businesses, and sooner rather than later. It’s important for you to educate yourself, and then find a solution that meets your needs.
Got questions about EMV merchants? Need help choosing a service? We are always here to help. Just reach out — we are always happy to hear from you!