Card security revolution stalls

More than seven months after the mandated deadline for conversion, most businesses throughout the Las Vegas Valley, and around the country, have not upgraded their point-of-sale credit card readers to process the EMV embedded credit card chip.

Equally slow have been the banks and credit card companies in the issuance of the new EMV embedded credit and debit cards. As of this week, an informal poll has indicated that while most major banks have issued EMV compliant credit cards, the chip-enabled debit cards have been slow to hit the consumer wallets.

A spokesperson for Nevada State Bank said: “Credit cards with chips have all been sent to customers. Debit cards have been sent in waves, as it takes months to process all the accounts and all the cards. All active users should have them by end of year, and non-active users will continue to be issued—expected complete in Q1 2017.”

The “Liability Shift” was to take place on Oct. 1, 2015. After that date, all businesses using the EMV embedded credit and debit cards would not be responsible for the effects of any identity or credit card theft. However, those businesses still using the magnetic strip on the back of the credit or debit cards to complete a transaction would be solely liable for the impact of any account hacking.

Linda Ray, who along with her husband Sherman, own Avery’s Coffee on West Sahara, has been struggling to be in compliance with the liability shift regulations. “I have bought the card reader, and it is installed, but I cannot use it because the EMV software is not compatible,” Ray explained. “However, I have been assured by my processing company that they will take full responsibility if we are hacked and our client’s credit card information is stolen.”

Avery’s, like many other small businesses around Las Vegas, uses a point-of-sale (POS), processing software that is provided by Shopkeep. “Our hardware is ready to take EMV; we are just waiting on our gateway to be able to accept it,” said a customer service representative at ShopKeep. A statement from the Shopkeep website reads “As long as you have ordered an EMV-capable credit card reader from ShopKeep (iCMP or iPP320), we will offer you liability coverage.”

ShopKeep is ranked among the Top 10 POS systems available for small- to medium-sized businesses. A website review of the other leading POS technology companies can lead business owners through a technology maze of companies that interact with each other, some on a proprietary basis and others as a general platform. The combination of POS software system, credit card processing company, and the hardware equipment that is used will determine how and if the EMV transaction can be processed. About half of the POS companies are not able to process EMV transactions at this time while the other half use a combination of proprietary and secondary links to complete the transaction.

In the meantime, while the banks and POS software providers are struggling to get on top of the issues, the National Retail Federation remains opposed to the liability shift ultimatum.

In testimony before Congress last November, the National Retail Federation said: “Don’t blame us for the slow uptake. New point-of-sale terminals for accepting chip cards cost up to $2,000 each, and that’s a bitter pill for small businesses to swallow.”

That’s just one of the concerns.

“The new EMV equipment does not stop breaches,” said David French, NRF senior vice president for government relations. “Indeed, in many cases, it provides no significant benefits either to the business or to the business’ regular customers. It is merely an additional expense small businesses are being told to bear.”

French’s comment is based on the fact that when the U.S. instituted the EMV change, it only adopted half of the technology that makes the transaction safe. In Europe, the EMV chip is used in conjunction with a personal identification number like debit card transactions already require. However, in the U.S., EMV credit card purchases simply require a signature to complete the transaction. Anyone who has signed on an electronic pad knows that nearly any scribble is accepted as a signature.

“While the chips make the cards more difficult to counterfeit, they do nothing to protect lost or stolen cards, while a PIN alone could prevent both types of fraud,” French said.

Earlier this month, Wal-Mart Stores Inc. sued VISA Inc.’s U.S. unit, claiming the card company wants the retailer to continue to offer the less-secure signature method for verifying debit cards in order to route transactions through VISA’s own networks to boost internal profits. VISA reportedly charges Wal-Mart five cents more for signature authentication than PIN transactions.

Wal-Mart stated in its complaint that the chip-and-pin payment protocol at the checkout counter is more secure than the signature authorization. Seventy percent of Wal-Mart’s customers use their debit card to pay for their purchases, and approximately 10 percent of those customers choose to authenticate using the signature method, most likely because it’s easier than remembering and entering a PIN. Wal-Mart wants to eliminate the signature option, but VISA wants to keep that option available.

In addition to the security issues and upgrade costs, business owners are also concerned about the amount of time that it takes to complete a transaction. However, according to processing companies, the actual transaction time is a perception problem.

While the EMV transaction may take an additional two to three seconds than the traditional card swipe transaction, it seems much longer because the card is left in the reader for the entire transaction time. When a card is swiped using the magnetic strip, the customer uses the processing time to put the card back into their wallet and then place the wallet back into their pocket or purse. By the time these actions are completed, so too is the transaction and the signature is requested.

The good news is that a new technology — called Quick Chip for EMV — is about to streamline the transaction process by enabling the customer to insert and remove their EMV chip card from the terminal, typically in two seconds or less, without waiting for the transaction to be finalized. The consumer and the issuer don’t need to do anything because this technology is just an upgrade in the software of EMV-enabled terminals. This upgrade can be done by the merchants and is free.

Don't miss the big stories. Like us on Facebook.
pos-2 — ads_infeed_1
post-4 — ads_infeed_2