Information security professionals across the nation had Oct. 1, 2015 circled in red on their calendars. That was the date of a major change in credit card compliance regulations. While not a mandatory change, the Payment Card Industry Security Standards Council (PCI SSC) encouraged merchants around the country to adopt the EuroPay MasterCard Visa (EMV) standard for smart chip technology. On Oct. 1, that "encouragement" kicked into high gear with a change in liability for fraudulent credit card transactions.
When the October 2015 deadline passed, the liability for some fraudulent transactions shifted from banks to merchants. From this point forward, if a customer presents a smartcard at the point-of-sale and the merchant does not have equipment capable of reading the smartcard, the merchant is responsible for the cost of the fraudulent transaction.
Are merchants pursuing EMV adoption?
Consumers have undoubtedly noticed EMV technology in use at retailers around the nation. There's no question that adoption increased as the deadline approached, and several major retailers, including Target and Walgreens, rolled out the technology at their locations. President Obama also signed an Executive Order mandating the use of EMV technology in credit cards issued to government agencies, as well as the support of EMV technology by all federal agencies accepting credit card payments. Powerful forces are moving the nation toward adoption of EMV, which has been widely used in Europe for over a decade.
While consumers might have experienced EMV readers at some merchants, they've also certainly witnessed that many merchants continue to use older equipment lacking chip-reading capabilities. Anecdotal experience says consumers are unlikely to encounter an EMV reader outside of a major retailer and even many major retailers have yet to deploy the new technology.
What's driving this slow adoption? The first factor is the cost of switching to card processing equipment that supports EMV technology. Merchants have significant investments in legacy card reading equipment and are unwilling to invest in the new technology while existing readers have substantial useful life remaining. Merchants are simply doing the math: they compare the expected losses they will incur from the new liability with the cost of investing in new card readers, and they conclude that a deferred investment may pay off in the long run.
There's also a chicken-and-egg problem that complicates this risk/benefit calculation. Merchants are often unwilling to invest in EMV technology because relatively few customers actually present EMV cards at the point-of-sale. CreditCards.com conducted a survey a few weeks before the Oct. 1 liability shift and found that only 32% of consumers had even one credit or debit card with an embedded smart chip. If the card involved in a fraudulent transaction does not have a smart chip, the merchant is not liable for the fraud.
What's the EMV adoption outlook?
Expect to see EMV adoption continue, but at a sluggish pace. Banks will continue to issue new cards with chips and, as consumers increasingly possess smart cards, merchants will begin to incur liability for more fraudulent transactions. At the same time, merchants will naturally include the new technology when they deploy new point-of-sale systems throughout their organizations.
Eventually, there will be a tipping point where the costs of replacing legacy equipment will be lower than the expected costs from fraudulent transactions and EMV technology will become more prevalent throughout the nation. It wouldn't be surprising for the PCI SSC to speed this along by eventually including a requirement for EMV technology in a future revision of the PCI DSS. If they follow past practice, PCI SSC will likely announce any forced migration well in advance and allow merchants with existing systems a grace period before they fall out of compliance.
About the author:
Mike Chapple, Ph.D., CISA, CISSP, is a senior director of IT with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Chapple is a frequent contributor to SearchSecurity, and serves as its resident expert on enterprise compliance, frameworks and standards for its Ask the Experts panel. He is a technical editor for SearchSecurity and Information Security magazine and the author of several information security books, including the CISSP Prep Guide and Information Security Illuminated.