Tags: , , , ,

October EMV Deadline Creates Headache for Millions of U.S. Retailers


Hana Dickman

EMV, also called “chip and pin,” is the newest standard for payment cards. New cards being produced under EMV specifications contain a computer chip to store card data on a built-in circuit instead of the magnetic strip that we are all used to seeing on the back of our credit cards.

The EMV chip allows for greater protection against fraud and counterfeiting, and affords merchants greater insurance against card data breaches by encrypting the information the moment it hits their retail systems. EMV stands for EuroPay, MasterCard, and Visa, the 3 companies who created the standard.

Prior to the new EMV standards, cards with magnetic strips were vulnerable to both counterfeiting and “skimming,” a process by which account numbers are copied from the card’s magnetic strip as it’s swiped. Chip and pin cards all but eliminate this vulnerability by storing the card data on the encrypted chip embedded in the card. Instead of swiping a card with a magnetic strip, customers now “dip” their card into EMV-compliant payment terminals, where the data is read by a secure device.

Catch that last sentence?

That secure device, that EMV-compliant payment terminal, puts a huge burden on the part of the retailer. Merchants who weren’t previously compliant with EMV standards are now forced to update their POS and financial systems — a huge, costly undertaking, including hardware and software costs — in order to avoid massive liabilities for non-compliance.

The Cost of Not Complying with EMV

Basically, in the event of a breach or any fraudulent compromise of customer payment data in a non-EMV environment, the retailer is on the hook for 100% of the compromised transactions. Conversely, in an EMV-compliant environment, aside from the likelihood of such a breach being far more unlikely, any compromised data would be fully encrypted and not much use to hackers (for now, anyway). Additionally, retailers who are fully EMV-compliant are insured through their payment processors and wouldn’t be liable for compromised card data.

The U.S. Problem

Oddly enough, EMV/chip and pin is already the standard in almost every developed country in the world except the United States. Why? The short answer is that in the recent past, retailers in other countries were supported by networks more vulnerable to risk than those in the U.S.  EMV standards provided much-needed security to compensate for their network vulnerabilities. But now we live in the age of mega-breaches and hacks where seemingly no one is safe, and EMV is a requirement, not a convenient option for added security.

The individual card companies (American Express, MasterCard, Visa, etc.), along with EMVCo (the governing body for EMV compliance and support) have set October of this year as the “migration date” (read: deadline) for retailers and merchants to be fully EMV-compliant. For any non-EMV-compliant retailer (read: just about everyone), this requires a lengthy and costly process called re-certification.

The EMV Certification Backlog

Re-certification is required whenever a major change to credit or debit processing is deemed necessary by a payment processor (or the merchant requests a change in processing behavior). Under normal circumstances, it takes several months to just get a certification appointment with your processor. Once you have an appointment, the actual certification process can take even longer.

Now, with the October EMV deadline looming, every holdout retailer in the U.S. is scrambling for appointments, and frankly, it’s just never going to happen. The processors can’t handle the volume of certification requests (because so many merchants in the U.S. waited until the last minute), and now those appointments will be made months — if not years — later than the EMV deadline, putting retailers in a very vulnerable spot in terms of liability.

The Director of Retail IT for a global luxury clothing brand recently told me, “my company requested our EMV recert a year and a half ago and only got our appointment in May of this year. We’re in the middle of the recertification process now and hanging on to hope that we’ll be compliant before the deadline.”

The result? EMVCo will either see the backlog of certification requests and move the deadline out, or thousands of retailers will be late with certification and risk major liability due to non-compliance. Neither is an ideal solution.