More secure transactions are in the cards
Payments industry poised to roll out more secure credit card technology
Friday, May 16, 2014 6:00 AM
When Kelly Sharp’s credit card came up for renewal, her card issuer sent her a new card with an embedded smart chip.
She and other Greater Des Moines residents would be hard-pressed, however, to find a local retailer able to accept the more fraud-resistant payment card technology.
Sharp, who is a retailer herself, isn’t yet seeing an immediate demand to switch to the new card technology. “I’ve not had anyone come in with an EMV card yet,” said Sharp, who owns Heart of Iowa Market Place in Valley Junction. “When they become more common, we will change over.”
But change is in the air.
The Europay MasterCard Visa (EMV) smart card standard, also known as chip and PIN, uses a microprocessor chip that’s embedded in the card instead of a magnetic strip to store cardholder data. Rather than swiping the card quickly, as cardholders are so accustomed to doing, they insert the chip and PIN card into the reader and leave it there until the transaction is completed. Having a built-in microprocessor in the card enables better authentication measures to prevent counterfeits, provides for added cardholder verification methods and allows for more options in card authorization.
The United States has lagged behind the rest of the world in adopting this technology, although experts say last winter’s massive data breach of Target Corp. customers should end that inertia.
Iowans – along with consumers nationwide – can expect to see a “wave of implementation” of EMV-enabled credit cards by financial institutions over the next two years, said Brandon Kuehl, a product development architect for The Members Group.
Until recently, just a handful of U.S higher-end credit card companies have issued EMV cards to customers, keying in on frequent international travelers who were more likely to benefit from using the cards overseas, where they’re widely used.
Following the massive data breach in late 2013 that compromised card data of 40 million of their company’s customers, Target officials in February pledged to roll out the technology in all of its U.S. stores by January 2015. In Canada, where the retailer has used EMV readers since 2008, Target has experienced a 72 percent decrease in credit card fraud.
Ironically, the retailer had planned to implement the technology in 2003 but was stymied by lack of support by the payment card and banking industries.
“Once Target came out and said they’re going (to implement) EMV, it has really blown up,” Kuehl said. He noted that in the past few months, many financial institutions that had been on the fence “have really jumped in full speed ahead” to implement the technology. “I think the data breaches have really done (EMV) a favor,” he said.
The Members Group, a Clive-based payment card services company, began working with credit unions and community banks to implement EMV technology in 2010. One of its clients, United Nations Federal Credit Union, was the first financial institution to roll out an EMV debit card in the United States, Kuehl said. The company is now working with a number of other financial institutions to implement the technology.
Kuehl said he doesn’t know of any Iowa financial institutions that have issued EMV cards yet, but his company has a few clients going through the process now that should have cards out within about the next three months.
The road map to better security
A key date for the EMV rollout is October 2015, when a rule change known as the “liability shift” goes into effect. Both MasterCard Inc. and Visa Inc. have established EMV implementation “road maps” that set an October 2015 deadline that applies to both retailers and financial institutions. After that point, whenever there are instances of card fraud, whichever party that has the lesser technology will bear the liability for the loss. It means a merchant still may process transactions using the old magnetic stripe system, but that retailer will be liable for any fraudulent transactions if the customer uses a chip card. Conversely, if a merchant has installed a new terminal but the financial institution hasn’t issued an EMV card to the customer, the financial institution would be liable.
“The key point of a liability shift is not actually to shift liability around the market,” a MasterCard official said in a February interview with The Wall Street Journal. “It’s to create coordination in the market, so you have issuers and merchants investing in the migration at the same time. This way, we’re not shifting fraud around within the system; we’re driving fraud out of the system.”
Credit cards will be the first wave of implementation, followed later by debit cards by late 2015, Kuehl said. For the next two to three years, cards will have both magnetic stripes and chips as the industry transitions between the two technologies, he said.
Johnston-based SHAZAM Inc., which operates one of the nation’s 18 debit card and automated teller machine networks, is working toward the rollout of EMV debit cards. In April, the company announced it had reached an agreement with Visa Inc. that helps pave the way for the transition to chip and PIN transactions for debit cards.
Terry Dooley, the company’s chief information officer, said the SHAZAM network’s license agreement with Visa ensures that issuers will be able to maintain choice and interoperability for card issuers for Visa- and SHAZAM-branded cards and transactions. Dooley said he expects that all 18 of the U.S. debit networks will reach similar agreements with Visa, as well as with MasterCard Inc., within the next six months.
“The industry was really in a stalemate regarding agreements or a standard,” Dooley said. With the agreements, financial institutions will be able to begin planning for the rollout of EMV debit cards, he said. SHAZAM is part of a 10-member Debit Network Alliance formed in December 2013 that’s working toward common governance standards as EMV cards are rolled out in the United States.
Cost no longer a roadblock
The higher cost to financial institutions of issuing EMV cards – about two and a half times that of magnetic strip cards – has been a major reason many have held back, Kuehl said.
“Early on, there was a lot of pushback,” he said. “What we’re seeing now is that the cost is a foregone conclusion, and (financial institutions) are saying, ‘If we’ve got to spend the money, let’s go all out and do it right.’ ”
Based on a survey The Members Group conducted earlier this year, a majority of the 43 financial institutions surveyed indicated they plan to implement a chip and signature version of EMV, which the firm considers the best practice for community financial institution issuers. Only six of the issuers surveyed plan to issue dual-interface cards, which would allow EMV cardholders to use tap-and-go terminals. Although these terminals are widely used in Europe, in the U.S., they are generally found only in major metropolitan areas.
The Members Group in February partnered with global payments technology firm First Data Corp. to develop a streamlined process for financial institutions to switch over to EMV card payments.
As far as cost, “I would venture to say most projects are less than six figures,” Kuehl said. Additionally, there are soft costs involved in staff training as well as software and network upgrade costs. “I think the soft costs are the real surprise, as well as the effort needed to educate consumers,” he said.
Retailers also face significant costs to replace the familiar swipe terminals with the new EMV readers, which can cost several hundred dollars each. Target will invest an estimated $100 million to roll out EMV at its U.S. stores.
In Iowa, Ankeny-based convenience store chain Casey’s General Stores Inc. already has invested in the chip readers and is now working on getting the software in place, said Bill Walljasper, the company’s chief financial officer. Casey’s operates nearly 1,800 corporate stores in 14 Midwestern states.
“Anybody that has multiple retail locations, it can be a very costly capital expenditure,” Waljasper said, although he declined to provide specifics for his company. He said Casey’s hasn’t set a firm date to roll over to the new system, but it is “well ahead of the curve” in terms of the October 2015 deadline.
Will increased card security equate to a positive return on investment for convenience stores and other retailers? It’s hard to say, Walljasper said.
“But from the perspective of having a customer come to your facility and be comfortable in using a credit or debit card, I think there is a lot of value in that,” he said.
Over in Valley Junction, Sharp said she had not heard about the October 2015 liability shift, but said it makes sense to her.
“If that’s the case, I would think that retailers would want to go with that technology,” she said. “If a card is fraudulent, (the cost is) on me anyway. We need to do whatever we can as retailers to protect these cards. If that means going to a better reader with more technological savvy, I’m OK with that.”
Better fraud protection, but not a panacea
U.S. consumers hold one-quarter of the world’s credit cards, but incur half of all global credit card fraud. Countries that have implemented the Europay MasterCard Visa standard have reported significant decreases in card fraud. In the United Kingdom, for instance, losses by retailers have decreased 67 percent in the past decade due to EMV, and fraud from lost or stolen cards is at its lowest level in two decades, according to the Smart Card Alliance, a not-for-profit association promoting widespread adoption of smart card technology in the United States. Similarly, Canada, which rolled out EMV cards nationally in 2008, has seen losses from card fraud decrease by 73 percent in the past four years.
However, experts caution that EMV card adoption is not a panacea. Experience in European countries has shown that as card security increases, there is a migration toward other types of fraud, particularly cases of “card not present” fraud for online transactions.
“That’s the weakness of EMV; it doesn’t protect you from fraud if someone has your card number,” said Brandon Kuehl, a product development architect with The Members Group. Kuehl noted that Visa Inc. and MasterCard Inc. have established a working group to move forward with a technology known as tokenization. Tokenization is a method for protecting card data by substituting a card’s 16-digit primary account number with a unique, randomly generated sequence of numbers or alphanumeric characters. The random sequence acts as a substitute for the actual account number while the data resides inside a retailer’s system.
“Where the U.S. was a late follower on EMV, I think it will be a leader with tokenization,” Kuehl said.