EMV Liability Shift Still Leaves Missing Pieces

With the expiration of the Oct. 1 deadline for requiring merchants, payment processors and banks to support EMV cards, a number of pieces remain missing.


It's perhaps the weirdest war of words ever.

Driven by a shift in liability for fraudulent transactions, banks and retail firms have taken to lobbing critical press releases at each other, charging that the other side has not done enough to protect consumer data. At its heart, the debate boils down to whether retailers' forced move to chipped credit cards is enough to protect customers' data or whether additional measures need to be rolled out as well.

Retailers, which have rushed the rollout of point-of-sale infrastructure to accept chip cards, argue that banks should require PINs to secure transactions, a proposition that requires financial institutions to roll out expensive infrastructure and pay for costly support.

"Retailers have invested billions to implement new chip-enabled card readers in stores nationwide," Brian Dodge, executive vice president of the Retail Industry Leaders Association (RILA), said in a statement. "Now, retailers are asking banks and credit unions to meet that commitment by issuing new chip cards with PINs."

Banks have fired back, stating that retailers need to secure their payment infrastructure to protect consumer payment data from hard-to-stop cyber-criminals.

"Millions of Americans have had their most sensitive information compromised in retailer data breaches, so it's understandable that consumers are concerned that retailers aren't doing more to prevent future hacking incidents," Doug Johnson, the American Bankers Association's senior vice president of payments and cyber-security policy, said in a recent release. "... Retailers need to join with banks and payment networks to combat fraud and focus on the future by updating their payment security systems and proactively working to address emerging threats head-on."

Welcome to the post-liability-shift world.

Retailers, payment processors and card issuers rushed to meet an Oct. 1 deadline to implement the Europay-Mastercard-Visa (EMV) standard for payment security, also known as chip-and-PIN security. Most, however, have missed the deadline. The standard requires credit-card issuers to replace mag-stripe credit and debit cards with smart cards capable of encrypting transaction data and requires retailers to upgrade their payment-card readers, resulting in increased costs to the businesses.

With Oct. 1 in the rearview mirror, the least-compliant participant in the transaction chain will be responsible for any fraud. The liability shift means that issuers will be held financially responsible for fraudulent transactions, if they have not issued new chip cards to consumers, while the merchants' payment-processing partners will be held liable if a mag-stripe transaction results in fraud, and those fines could be passed onto the retailers.

The penalties could be high. Still, retailers have replaced less than a quarter of the 12 million payment terminals, according to financial-market services firm CreditCards.com. Only 40 percent are expected to be upgraded by the end of the year. In addition, fewer than half of consumers have received a chip card to replace an existing mag-stripe credit or debit card, Matt Schulz, senior analyst for the firm, told eWEEK.

"The giant retailers are the most likely to have this up and running," he said. "When you get to the mom-and-pop stores, many of them do not even know this is happening."

While the complexity of the issue may be to blame for the lack of adoption, some retailers are undoubtedly taking a wait-and-see attitude, because the technology has some practical issues as well. Some consumers and retailers, for example, have complained that processing a transaction via chip cards takes more time, Schulz said.

"I've heard from consumers that I've talked to that it takes longer, and people think that it is a little bit inconvenient to take extra time," he said.

It boils down to pitting the potential losses due to fraud against the losses due to customer confusion or impatience with the new technology, Richard Peters, director of corporate consultancy Berkeley Research Group, told eWEEK.

"It seems as if there were a lot of misses in the Oct. 1 deadline," he said. "It was announced years ahead of time that this was coming, but here we are with the majority of retailers still not changed over."

Even when the technology is 100 percent deployed, transactions still will not be totally secure, says Peters. Retailers have a point that chip cards without a PIN are only half of a solution. The chip in the payment card can protect the data on the card, but relying on a signature is a less secure way to authorize the transaction, he said.

"The future part of this, a big piece of that is the PIN," Peters said. "With the PIN, you have something you know along with something that you have, and that makes it more secure."

The fully implemented technology is not foolproof, either. Recent reports that criminals had circumvented chip-and-PIN in 2011 join prior reports of security vulnerabilities to call into question whether EMV can protect consumers.

Moreover, the technology is a solution to only a specific piece of the fraud equation—counterfeit-card fraud. In the United Kingdom, for example, chip-and-PIN has resulted in a drop in counterfeit fraud from $259 million in 2008 to $73 million in 2014, according to Financial Fraud Action UK.

Online fraud, however, is not solved by chip-and-PIN technology. The same report found that card-not-present fraud initially declined after 2008, but had recovered to the same level by 2014.

"Online fraud is the low-hanging fruit that counterfeiting used to be, so criminals are switching to that tactic," CreditCards.com's Schulz said. "There are a lot of calls in the industry for approaches necessary to address online fraud."

Robert Lemos

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...