The much-publicized October 1st deadline has come and gone for switching to Europay, Mastercard and Visa (EMV) chip-enabled credit card processing in the United States. However, not all consumers have received their new chip cards, and many retailers have not switched over to systems that can support them.
The delay can be due to many factors. Here are a few of them:
- Even if the hardware is in place, it's more complicated to integrate it with the back-end software. Larger retailers, especially those with multiple brands, may have a patchwork of different systems in place in their hundreds or thousands of stores. It's not just a matter of pushing a button and doing an automated deployment. In some cases, it's a major development project that will be doing on for a while, even given the two-year advance notice. For this reason, you may see chip readers in a store, but they may not be enabled; you'll still need to swipe your card.
- The new EMV process requires a lot of training -- both for store employees and for consumers. At every point of sale, the staff has to make sure the customer knows where to insert the card; not to take it out until the transaction has been processed; to remember to remove the card before leaving the register; and to be patient throughout the whole thing, as U.S. customers have gotten used to a much faster experience. This learning curve takes time and a lot of support.
- If you're going to do it at all, you might as well make it count. Many retailers are using this opportunity to perform more than a card reader upgrade; they're switching to whole new point-of-sale (POS) systems at the same time, upgrading their networks, and performing any other "cleanup" that they'd been putting off. In a major project like this, it's always a question of whether to rip off the bandage in stages or all at once (and some dependencies make it impossible to spread out the deployment anyway). The disruption to stores and the project costs are high either way, but retailers don't want to interfere with their bottom line any longer than necessary.
- It may not make business sense. Remember, this move is about a liability shift from the card issuers and banks to the merchants. The chip cards are intended to protect against fraud when someone is actually using the card to pay in person, so if they're using a fake, the merchant will be liable for the chargeback. But if the chargeback amount is generally small (say, the $5 or $10 at a fast food restaurant), the total loss may be less than the cost of rolling out EMV. Ultimately, the business may decide just to take that tradeoff.
Either way, the new card security measures are only a partial solution to the widespread problem of fraud. For all "card not present" transactions -- such as all e-commerce -- having the chip doesn't help, since there's no reader to validate it. And even when the physical card is used with a PIN, there can and will be ways around it; a team of French forensic researchers published a paper describing a clever "chip-in-the-middle" attack they uncovered.
In other words, the switch to EMV is yet another example of what security professionals experience all the time: it's more complicated and takes longer than you think, it's driven by business risk tolerance, and it doesn't solve as much as you'd hoped. But it's still progress.
About the Author
Wendy Nather is research director of the Retail Cyber Intelligence Sharing Center (R-CISC), promoting collaboration and information exchange to strengthen cybersecurity programs in the retail and commercial services sectors. For details, email info@r-cisc.org.
