Spartak - Fotolia

News Stay informed about the latest enterprise technology news and product updates.

Chip and PIN migration slow as EMV deadline approaches

A major deadline for EMV card adoption is just one month away. Can chip-and-PIN and chip-and-signature technology improve payment card security and reduce fraud?

Adoption of chip-and-PIN and chip-and-signature technology -- also known as EMV -- remains slow among U.S. retailers despite a major EMV deadline just one month away.

The recent deployment of EMV (Europay, MasterCard Visa) credit cards in the United States marked an important step in the effort to curb payment card fraud. The common magnetic stripe cards still used in U.S. payment cards are decades-old technology and a primary target for cybercriminals. The cardholder's data can be easily copied and re-encoded onto another card with a magnetic stripe. EMV chip-based cards, however, are designed to be more secure because they compose a one-time encrypted code for each transaction. Major retailers, such as Target, have recently upgraded their point-of-sale systems to accept EMV-enabled cards.

Still, adoption of EMV in the U.S. lags far behind other countries. According to EMVCo LLC, a global consortium devoted to EMV development and implementation, the adoption rate of EMV by U.S. businesses at the end of 2014 was just 7.4% -- compared to 83.5% in Europe Zone 1 countries and 59.5% in Canada, Latin America and the Caribbean. In addition, just 0.12% of credit card transactions in the U.S. were EMV chip-based last year, according to EMVCo.

"The U.S. is the last G-20 country on the planet that isn't using EMV cards," said Julie Conroy, fraud analyst at Aite Group LLC, a Boston-based financial services research firm. "Fraudsters have very intensively focused their counterfeit activity on the U.S. market. We saw U.S. counterfeit losses double from $1 billion in 2012 to $2 billion in 2014."

Cardholders with chip technology have to verify their EMV card by entering a PIN or signing their signature. While providing a signature is easier than remembering a four-digit PIN, some security experts argue that chip-and-PIN technology is more secure than chip-and-signature technology. In a recent report by IT staffing firm Randstad Technologies, 66% of IT decision makers believed that chip-and-signature technology isn't secure enough. A required PIN eliminates the possibility of card counterfeiting and the use of lost or stolen cards by thieves.

"Signatures aren't practical, because the merchant doesn't check to verify the user's identity and computers don't check to verify the user's identity," said Adrian Lane, analyst and CTO at Phoenix-based research firm Securosis LLC. "Using a PIN would be more secure."

The U.S. is the last G-20 country on the planet that isn't using EMV cards.
Julie Conroyfraud analyst at Aite Group

Despite concerns, Conroy explains that contrary to popular belief,  one-third of the countries that have migrated to EMV use chip and signature. "As we look at the types of fraud the issuers are absorbing, lost and stolen card fraud -- the only type of fraud that the PIN helps with -- only accounts for 13% of all card fraud," she said. To credit card companies, such as American Express, Discover, MasterCard and Visa, that's a small percentage to risk and using signature verification covers the bulk of the issues. Furthermore, PIN-based fraud isn't the kind of fraud that can be performed on payment card numbers exposed in a large-scale data breach.

In addition to credit card companies, Conroy said, banks are also advocating for signatures rather than PINs, because they believe requiring consumers to remember a PIN will be a hindrance to the purchasing experience. "The banks are not without reason to want to use signatures instead of PINs," Conroy said. "The average consumer has 3.5 cards in their wallet and no issuer wants to be the card that has the more challenging user experience. There was one Canadian bank that, during their migration, botched their PIN reusing process. And this bank saw their transaction volumes significantly drop."

The liability shift deadline

The Oct. 1 EMV deadline marks a liability shift for retailers. From then on, the cost of fraud from non-EMV cards will fall on retailers, rather than the credit card companies themselves. While that liability shift would appear to be a motivating factor for businesses to prepare for the transition to EMV, adoption has continued to drag with just one month to go before the EMV deadline.

However, since fraud liability costs have always fallen upon credit card companies and banks, businesses aren't feeling the pressure or a push from consumers to immediately adopt this new technology. Lane believes it's an issue of education. "Since smaller merchants aren't aware of fraud rates, they have trouble making an educated decision, and moving forward and investing in new terminals," he said.

According to a Randstad Technologies study, a shocking 42% of businesses have not taken steps toward the transition, and 58% believe that missing the deadline will not impact their company.

For the most part, larger retailers, such as Target, Wal-Mart and Whole Foods, will be ready on Oct. 1; consumers will start to see new point-of-sale terminals and a new place to dip, not swipe, his or her card. But midsize and small retailers could take months or even years to add EMV support, especially since there is no consumer demand to make the transition. To help educate businesses, Visa produced a guide, Visa U.S. Merchant EMV Chip Acceptance readiness Guide, to help merchants better understand the steps they will need to take to prepare for the integration of EMV chip cards.

Since it's going to take several years before there is total compliance for EMV, it makes the most sense to start with the more basic technology -- chip and signature. Unlike other countries that converted to EMV chip cards, the U.S. doesn't have the same level of government support to help with the education process for the general public; President Obama last year signed an executive order to add EMV support to all federal government payment card systems and introduced the "BuySecure" initiative to promote chip-and-PIN technology, but the effort appears to have had little effect on EMV adoption thus far.

Hence, the industry is virtually on its own with EMV migration. This makes it more challenging to jump to chip and PIN or even the simpler chip-and-signature technology. However, in a few years, when the U.S. is comfortable with chip-and-signature technology, credit card companies may progress to chip-and-PIN technology. "We have to take it one step at a time," Lane said.

Still, the rollout of EMV-enabled cards by Visa and MasterCard this year, plus the EMV adoption of major brand name trailers, are positive signs for the U.S., Conroy said. "As we progress and we have increasing number of merchants with chip-enabled terminals, the chips will be doing their job very effectively," she said. "It's an education process for all of us."

Next Steps

Find out why the PCI Security Standards Council supports Obama's executive order on EMV

Dig Deeper on Security industry market trends, predictions and forecasts