By FDI Creative Services on 02/16/2016
Category: Krebs on Security

The Great EMV Fake-Out: No Chip For You!

Many banks are now issuing customers more secure chip-based credit cards, and most retailers now have card terminals in their checkout lanes that can handle the “dip” of chip-card transactions (as opposed to the usual swipe of the card’s magnetic stripe). But comparatively few retailers actually allow chip transactions: Most are still asking customers to swipe the stripe instead of dip the chip. This post will examine what’s going on here, why so many merchants are holding out on the dip, and where this all leaves consumers.

Visa CEO Charles W. Scharf said in an earnings call late last month that more than 750,000 locations representing 17 percent of the U.S. face-to-face card-accepting merchant base are now enabled to handle chip-based transactions, also known as the EMV (“Europay, Mastercard and Visa”) payment standard.

Viewed another way, that means U.S. consumers currently can expect to find chip cards accepted in checkout lines at fewer than one in five brick-and-mortar merchants.

Why are so many chip-capable checkout terminals already installed that have not been enabled to actually accept chip cards? Allen Weinberg, co-founder of Menlo Park, Calif. based management consulting firm Glenbrook Partners, examined this very question in a recent column that pointed to several factors holding retailers back from enabling dip-the-chip.

WHAT LIABILITY SHIFT?

New MasterCard and Visa rules that went into effect Oct. 1, 2015 put merchants on the hook to absorb 100 percent of the costs of fraud associated with transactions in which the customer presented a chip-based card yet was not asked or able to dip the chip. The chip cards encrypt the cardholder data and are far more expensive and difficult for card thieves to clone.

Despite the increased risk of eating the entire loss from counterfeit card use in their stores, many merchants are taking a wait-and-see approach on enabling chip card transactions. Weinberg said some merchants — particularly the larger ones — want to turn the often painful experience of training customers how to use the chip cards and terminals into someone else’s problem.

“They see [chip cards] as just slowing down lines and chose to wait until consumers learned what to do — and do it quickly — at someone else’s store,” Weinberg wrote.

Weinberg adds that for many larger merchants, switching on the chip readers also can be a big and expensive project. Part of the problem, he says, is that many integrated point of sale systems — particularly the electronic cash register software for these systems — were just not ready in time for the Oct. 2015 liability shift.

“Even if the software was ahead of the game, they faced long certification queues at many acquirers,” Weinberg wrote. “I believe this is going to be a problem for a while.”

Visa said based on recent client surveys it expects 50% of face-to-face card accepting merchants to have chip card transactions enabled by the end of this year. But even 50 percent adoption can mask a long tail of smaller merchants who will put off as long as they can the expensive software and hardware upgrades for accepting chip transactions.

“My dry cleaner isn’t worried about someone using counterfeit cards at his cash register,” Weinberg said, noting that many businesses meanwhile discount the chances that hackers will siphon customer cards by sneaking malicious software onto point-of-sale devices — a problem that has lead to one breach after another at brand name retailers, restaurants and hotels over the past several  years.

AN INVISIBLE HAND

The United States is the last of the G20 nations to move to more secure chip-based cards. As late as the United States is on EMV implementation globally, the process of merchants shifting to all-EMV transactions is still going to take several more years. Visa has said it typically took about three years after the liability shifts in other countries before 90% of payment card transactions were “chip-on-chip,” or generated by a chip card used at a chip-based terminal.

Terry Crowley, CEO of TranSend, a company that makes software to help merchants and their equipment work with the EMV standard, said software code for card-accepting devices has historically been simple — so much so that it could be written on the back of a business card.

“But now with EMV, that same software wraps around the walls of a room three times…hundreds of thousands of lines of code,” Crowley said. “Historically, software was developed by terminal manufacturers and some-few contract programmers who kept up with the old-school operating systems, software development kits and so on for each terminal manufacturer. It was so easy that merchants and processors installed specialized tweaks that created countless variants in the marketplace.”

Now with the EMV liability shift deadline come and gone, Crowley says, suddenly there is a fire drill to replace all of this once-easy software and its countless variants. Compounding the problem, Crowley says, is that EMV code is hard to write and harder to push through the certification birth canal. What’s more, he adds: There are very few EMV software developers who understand the U.S. market.

Crowley predicts that plenty of smaller merchants could soon get hit with a wave of chargebacks from unscrupulous people abusing the liability shift at merchants that still don’t offer the chip dip.

“There’s an invisible hand at work that is about to kick everyone in the pants and accelerate U.S. dipping into EMV slots,” Crowley said. “If you use a chip card at a point of sale that says swipe — and you later say that wasn’t me –there’s very little a merchant can do to dispute that charge. It’s going to happen because what people aren’t thinking about is the friendly fraud. When people are made aware that if I swipe and I have a chip card, that lunch can be free if I’m a bad consumer.”

And the international [banks] are going to be the first ones lay in, Crowley predicts.

“International card issuers are used to all these chargeback codes and minutia that goes around with EMV disputes,” he said. “They know the rules pretty well and have had EMV cards for years. So when this first wave of chargebacks starts hitting next month, things are really going to ramp up for EMV adoption by smaller merchants here in the U.S.  It just takes one chargeback for those [smaller merchants] to get religion on EMV.”

MAD AS HELL?

If you’re curious about chip card swipe adoption in your area, take an informal survey: My own decidedly unscientific survey involved a shopping spree one recent morning to no fewer than seven different retail locations, which revealed exactly seven different chip-capable payment terminals instructing customers to “Please Swipe Card.”

So what’s the takeaway for consumers? Why aren’t consumers mad as hell about being asked to swipe their chip cards, thereby defeating the added security on the card?

For his part, Weinberg said he’s mad as hell, but he says if consumers get mad about anything chip-card related, it’s probably going to be about the 10-15 extra seconds it will take to dip the chip versus swipe the stripe.

“If anything, consumers are getting pissed off at how many more seconds it takes to do chip card transactions,” which require the consumer to keep the card inserted into the card terminal until the transaction comes back as approved, Weinberg said.

“We Americans care more about convenience than we do about security,” he said. “In the end, consumers hold their banks accountable for this stuff, because they’re the ones having to reissue the cards each time there’s another breach.”

Here’s another basic takeaway for any consumers still reading: Use a credit card and kick debit cards to the curb. If a thief makes a charge on your credit card that you didn’t authorize, a simple phone call can fix the problem. If the crooks manage to siphon all cash from your checking account, that’s a bigger problem that could take several days to sort out with the bank (and longer if you count any other businesses you may have just paid with a check).

Related Posts