As migration anniversary approaches, only a third of retailers accept chip cards

A year past the start of the EMV liability shift, two-thirds still haven't done so

Retailers were supposed to start accepting chip cards last October, but a year past the start of the EMV liability shift, two-thirds still haven't done so.

Only 2 million merchants, representing 33 percent of the industry, are actively accepting chip cards, according to a data released by MasterCard earlier this month. This is up from 1.4 million in June.

The rest are liable for in-person payment fraud. Before last October, merchants were not liable for fraudulent purchases at physical locations, only for "card not present" purchases such as those made on ecommerce sites.

Visa will be releasing its numbers next week. However, a report released this Tuesday by the Strawhecker Group, a payments consulting firm, estimates that 29 percent of all U.S. merchants are now capable of accepting chip cards. An additional 15 percent have the terminals, but haven't been able to activate them yet because of certification delays.

[ ALSO ON CSO: For retailers, confusion reigns after EMV rollout ]

Merchants became liable last October, part of the effort to encourage them to invest in upgrades to their terminals.

The chargebacks added up to $5.8 billion during the first half of this year, according to a recent report by Aite Group, a 25 percent increase from last year.

Those who didn't also faced a secondary burden -- criminals stymied by the new, more secure payment system would focus their efforts on those merchants who hadn't upgraded.

In fact, according to MasterCard, fraud costs fell by 54 percent for merchants who have completed their EMV adoption or are close to it. Those who didn't, saw their counterfeit fraud costs go up 77 percent.

Some grocery stores even joined forces to sue credit card companies and major issuing banks, claiming that certification bottlenecks kept them from upgrading in time for the deadline. According to Aite, these stores have seen chargebacks expenses go up 20-fold.

Despite this, the pace of the EMV transition may actually be slowing down, according to Michael Moeser, director of payments at Javelin Strategy & Research.

That's because those retailers who planned ahead and started migration early are already done, as are the smaller merchants who rely on third-party providers for all their payment technology.

"In our surveys, almost half of small businesses under $10 million have already upgraded to EMV," Moeser said.

In addition, both Visa and American Express ended chargebacks for transactions under $25 this summer. According to Visa, 40 percent of all chargebacks are under $25.

That might inspire some retailers to wait before spending the money to upgrade.

"If most of my transactions are under $25, what's the business case?" Moeser said.

Finally, some merchants have simply been caught by surprise. Despite having several years of advance notice, many thought that it would take longer for the chip cards to get into consumer hands. The liability shift only occurs when a customer uses a chip-card in a traditional terminal.

"Many merchants have been taken aback by the speed at which these cards have been issued," said Moeser. "The issuers have gone very quickly to issuing the cards and capitalizing on the liability shift. I don't think the merchant community was expecting this process to be this quick."

As of July, 88 percent of all MasterCard were chip-enabled. In addition, 90 percent of U.S. consumers "commonly" use chip cards, according to a survey conducted by Braun Research this summer on behalf of MasterCard. That's up from 49 percent in 2015.

Meanwhile, the EMV transition does nothing to reduce online fraud -- in fact, online fraud is going up.

"Criminals use POS malware, memory scrapers and other covert technologies to capture all of the payment data they need from unsuspecting retailers, despite the use of EMV," said Smrithi Konanur, global product manager for HPE Data Security at Hewlett Packard Enterprise. "And then can use the stolen data for card-not-present transactions."

Now another deadline is looming. Next month, MasterCard is shifting the liability for ATM transactions -- Visa and American Express will follow in October 2017.

In July, only 20 percent of U.S. ATMs had been upgraded, with MasterCard estimating that just 35 percent would be ready by the deadline.

Join the CSO newsletter!

Error: Please check your email address.

More about American ExpressCSOHewlett PackardHewlett Packard EnterpriseJavelinVisa

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Maria Korolov

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts