The uptick in EMV adoption appears to have run out of gas.
Visa and MasterCard extended the deadline for gas retailers to upgrade automated fuel dispenser systems to handle fraud-resistant Europay, MasterCard and Visa (EMV) payment cards. Originally set for Oct. 1, 2017, the new deadline gives gas stations an additional three years to beat the EMV liability shift that begins on Oct. 1, 2020.
While U.S. consumers are increasingly likely to have EMV chip-equipped cards -- and to have used the new cards at retail stores -- fuel merchants, especially those that rely on automated fuel dispensers (AFDs), are still lagging in compliance with the new standards.
"We believe the change in the [AFD] liability shift date was the right thing to do based on extensive discussions with fuel merchants, issuers, acquirers and other stakeholders," Ajay Bhalla, president of enterprise risk and security at New York-based MasterCard, told SearchSecurity by email. "This dialogue identified issues unique to this segment, including significant regulatory and implementation challenges."
Adoption of EMV in the U.S. trailed the rest of the world. But EMVCo, the standards body for EMV, reported that, globally, EMV adoption is up over the past year. From July 2015 to June 2016, 42.4% of global card-present transactions were EMV-compliant, up from 33% the year before. U.S. transactions were also up, to 7.2% in the most recent period, from only 0.26% the year before.
After the EMV liability shift date, the cost of fraud is assigned to whichever party -- merchant or card issuer -- has the lowest level of EMV adoption. Ordinarily, the fraud risk is assumed by the card issuer, but the liability shift is intended as an economic incentive to prod merchants to upgrade their systems. And gas stations have, so far, been very slow to upgrade.
"Retail petroleum has unique characteristics that other retail markets do not have," Randy Vanderhoof, director of the U.S. Payments Forum, told SearchSecurity. The biggest differences, he said, are that payment terminals for fuel pumps are more complicated than typical retail merchant point-of-sale (POS) terminals, and that there are so many of them.
"The payments readers used at a fuel pump are much more complicated to install than an in-store reader. It takes a specially trained and certified technician to install the necessary upgrades at the pumps. There are 1.4 million pumps in the U.S., and far too few technicians," Vanderhoof said.
"The fuel segment has its own unique challenges, which we recognized when we first set the chip activation date for automated fuel dispensers/pumps two years after regular in-store locations," Visa said in a statement announcing the change in EMV liability shift for AFDs.
"We knew that the AFD segment would need more time to upgrade to chip because of the complicated infrastructure and specialized technology required for fuel pumps. For instance, in some cases, older pumps may need to be replaced before adding chip readers, requiring specialized vendors and breaking into concrete. Furthermore, five years after announcing our liability shift, there are still issues with a sufficient supply of regulatory-compliant EMV hardware and software to enable most upgrades by 2017."
But there are reasons AFDs can be at greater risk for fraud. "They are unattended terminals and, therefore, can generally be subject to the insertion of payment card data skimmers more easily than other attended POS terminals," Avivah Litan, vice president and distinguished analyst at Gartner, told SearchSecurity by email. "Also, the same physical key can typically open many AFDs so that skimmers can be inserted, and gas station staff -- who have the physical key -- can be recruited in organized criminal skimming efforts, as has been the case in the past."
With nearly four years before the EMV liability shift for AFDs, both Visa and MasterCard have, in the meantime, introduced fraud prevention tools to reduce losses. The Visa Transaction Advisor (VTA) has "been particularly successful in driving fraud lower at fuel dispensers," according to Visa.
More than 50,000 fuel stations in the U.S. are currently using VTA, and the service is priced "to encourage wide adoption and to deliver compelling return for the merchant in terms of fraud savings," a Visa spokesperson told SearchSecurity by email. Although the service is offered to individual merchants through payment service providers for Visa transactions only, Visa said it is effective at reducing fraud.
"In its first year, Visa Transaction Advisor helped to reduce fraud by more than half -- a 54% decline in counterfeit fraud rates and a 51% decline in lost and stolen fraud chargeback rates," the Visa spokesperson said.
MasterCard offers its own tool to reduce fraud, called Decision Intelligence. Individuals and merchants get the benefit of the tool, but only if their payment-card-issuing banks purchase the service from MasterCard.
"During initial trials, Decision Intelligence was detecting as much as 40% more fraud, with up to a 50% reduction in false positives as market-leading fraud detection systems," Bhalla said.
"In general, fraud on plastic card transactions is supposed to accrue to the card issuer [or] bank, which is why merchants have not invested all that much in fraud detection on plastic card transactions, unless they get hit with so much -- as gas stations do -- that if they don't prevent much of it, their fines and fees from the credit card banks and brands increase," Litan said.
"Also, with the EMV liability shift, the fraud accrues to the party (merchant or card issuer) with the lowest security relative to EMV -- i.e., if the card issuer has issued a chip card, and if the merchant's terminals can accept EMV cards," Litan added. Because AFD merchants have extra time before the EMV liability shift, "the liability situation hasn't changed."