When I first looked into the credit card security breach at Target and later at Neiman Marcus, the solution seemed easy. If you want to protect yourself from having the mag stripe information on your card stolen, then use a card with an EMV chip.
If your business wants at least some protection, then get a point-of-sale (POS) terminal that will accept cards with EMV chips.
Better yet, do both.
As is the case with many seemingly simple problems, it turns out that this isn’t a problem that’s easy to solve. You may not be able to get a credit card with an EMV chip, and if you do find one, you may not be able to find a place near your home or office where you can use it. Worse, if you want to protect your customers and yourself by accepting these more secure cards, you might not be able to.
But what’s even worse is that the banks and other card issuers may not know whether their own organization has a provision for providing secure credit cards or for providing the POS terminals and software, as well as the processing networks necessary to work with EMV chip credit cards. The only certainty is that there are several banks that simply don’t offer them, and don’t plan to unless they’re forced to do so.
I did a quick survey of banks in the U.S. that provide the enhanced security of EMV chips. I found a mixed bag of offerings and a lot of confusion. For example, I was assured by a Bank of America spokesperson that this global bank only provides EMV-equipped cards to major corporations. But a check of the bank’s Website reveals that, in fact, the bank does offer such cards to consumers.
Likewise, I was told by a branch manager at PNC Bank, which serves the eastern United States, that such cards are offered to consumers and small businesses, but a check with the corporate headquarters shows that they are not offered at all.
Fortunately, some banks will let you search for cards with the EMV chip on their Websites. For banks that have what are called Tap Technology chips, you may also search for those. Tap Technology is similar to an EMV card but works by tapping the card on the reader, which then gets the information wirelessly. This method is less secure than EMV, but it does prevent card cloning.
The best source for figuring this out was a Website called Nerd Wallet, which did a study. Other major banks, including Chase and CitiBank, offer at least some such cards, but generally they’re aimed at travelers.
So what’s standing in the way of the general availability of more secure credit cards for U.S. businesses and consumers? In a word, it’s inertia. There’s a significant “chicken and egg” process going on where the banks don’t want to offer secure cards because merchants don’t accept them. Merchants won’t accept EMV cards because customers can’t get the cards.
Preventing Credit Card Data Theft Is Harder Than It Should Be
“In other places, it wasn’t left up to the market to decide,” explains Randy Vanderhoof, director of the EMV Migration Forum. Vanderhoof told eWEEK that in the U.S. the decision on secure credit cards is left up to the market to decide. “It’s difficult to get the market to agree on anything,” he said.
Vanderhoof said that while card issuers want to find ways to reduce fraud and cut their current losses, “the issuers don’t have ultimate decision making to force the merchants to swap out their acceptance infrastructure.” He noted that frequently retailers want to negotiate a better set of terms for adopting the new technology.
Researchers at the Aite Group have studied the pace of adoption in the U.S., and what they’ve found isn’t encouraging. According to Aite Group Research Director Julie Conroy, the process of EMV card adoption is progressing slowly, and what progress there is was slowed even more when a group of retailers sued the Federal Reserve challenging their debit card processing rules.
Federal Judge Richard Leon found that the Fed had overstepped its bounds and rejected the so-called Durbin Amendment that controlled debit card processing. This in turn meant changes in how debit cards are processed, and that in turn slowed down EMV chip introduction on those cards. That in turn slowed down all EMV chip conversions.
“They want to do credit and debit at the same time,” Conroy explained. Conroy found that a process that was already rocky was getting even more so. Conroy’s study was actually only one that had found that U.S. businesses are being negatively impacted by the delays in a change to more secure credit cards. An earlier study found that credit card use outside of the U.S. was already becoming difficult. Fortunately, the Aite Group has some recommendations for how businesses can move forward.
At least there is some movement. A few major banks, such as Chase, are working to provide businesses with terminals that can read any secure credit card as well as the old mag stripe cards. But this process will take awhile.
Levi Gundert, Cisco’s expert on secure POS terminals, told eWEEK that merchants need to secure their payment systems in the meantime. “I don’t see EMV becoming a reality for at least another three to four years in the U.S.,” he said. “EMV is the long-term solution (though it’s not perfect either), but in the short term investing in hardware encryption at the point of sale would be a very effective countermeasure if magnetic stripe payment cards continue to be the U.S. standard.”
In the meantime, that chicken and egg problem remains. While it’s easy to point fingers, the reality is that only the card issuers can realistically take the next step by broadly issuing cards with EMV chips. The banks have the ability. They’re already issuing these cards to some customers now. As a business, your best bet is to find a bank that wants your business enough to help you stay secure by offering you this proven technology.