What Price Security?

Retailers are upgrading payment terminals but still await software needed to process chip-based cards.

Last Dec. 19, the retail world was rocked by the revelation that Target had suffered a massive breach resulting in the theft of payment data from 40 million customers who shopped in its U.S. stores from Nov. 27 to mid-December. Three weeks later, the number of affected shoppers was revised upward to between 70 million and 110 million people.

In January, Target estimated that, following the breach disclosure, its same-store sales during the rest of its fiscal 2013 fourth quarter would decline 2 percent to 6 percent.

Retailers like Minneapolis-based Target are expected to comply with data security standards set by the PCI (Payment Card Industry) Security Council. Questions remain whether Target was in compliance with those standards and even whether compliance would have prevented the breach. Target says only that it’s conducting a forensic investigation into the causes of the breach.

Target’s travails represent one more example of the hazards of the current payment card environment for retailers and consumers. This would just be an occasion for more handwringing, except that a big change is brewing: the U.S. rollout of chip-based EMV (Europay, MasterCard and Visa) cards. Used in much of the rest of the world, EMV cards are considered much more secure than the magnetic-stripe cards that they’ll replace.

Would the widespread acceptance of EMV cards have prevented the Target breach? “Absolutely,” asserts Randy Vanderhoof, executive director at Princeton Junction, N.J.-based Smart Card Alliance, a group that promotes the adoption of smart card technology. Even if EMV card data were stolen or part of a breach, “it couldn’t be used to create counterfeit cards and monetized by criminals,” Vanderhoof explains. “The value of data in a breach is reduced as the percentage of EMV transactions increases.”

Steve Methvin, VP, e-commerce/retail technology for Bozzuto’s, a $1.8 billion grocery wholesaler based in Cheshire, Conn., expects that EMV technology “will make security awareness a priority for the retail industry and decrease the current threat of fraudulent plastic cards.”

In the United Kingdom, where EMV chip-and-PIN (personal ID number) cards rolled out in 2004, card-present fraud has dropped 67 percent since then, according to Vanderhoof. In addition to a reduction in counterfeit cards, PINs prevent the use of lost or stolen cards, which represents one-third of card fraud. Vanderhoof expects most banks in the United States, where consumers are accustomed to offering signature proof for credit and many debit card transactions, not to require PINs on their EMV cards.

As EMV cards are unveiled by issuing banks over the next few years, retailers will be installing EMV-compliant payment terminals capable of reading the cards. Visa and MasterCard have effectively mandated this change by stipulating that, as of October 2015, retailers that don’t use an EMV-compliant terminal at checkout will be liable for any fraudulent transaction that takes place with an EMV card. Currently, retailers bear no responsibility for fraud perpetrated with mag-stripe cards if the transaction is properly processed and authorized. That will hold true in the EMV environment as well, if they’re compliant.

Bozzuto’s launched a program last year with its acquirer, Atlanta-based First Data, to convert the payment terminals at all of its retail customers to EMV-compliant devices, a process that was completed last April, says Methvin. Retailers were incentivized to make the transition last year by a Visa offer to waive its annual PCI data-security audit requirement for EMV-compliant merchants. “That’s what we used for our business case,” he notes.

Bozzuto’s retailers installed terminals from Veri-Fone and Hypercom (which merged in 2011), depending on compatibility with their POS systems. The cost of the terminals ranges from $400 to $600 per lane, plus retailers may need to upgrade to more flexible terminal stands, which run from $50 to $75.

According to Vanderhoof, a number of top-tier retailers, including Walmart, ShopRite and Walgreens, have installed EMV-compliant card readers. All told, upwards of 10 percent of retailers have upgraded their terminals, he adds.

Software Snag

However, installing a card-reading payment terminal is only half the story — the other half is upgrading the software needed to process the EMV transactions. Retailers are still waiting for that software to be approved, tested and issued by technology vendors. Meanwhile, most are still using the same software that handles mag-stripe cards.

As Vanderhoof explains it, the software to process EMV credit cards is readily available; what’s holding things up is the software for EMV debit cards. That software needs to be configured to satisfy the requirements of the Durbin amendment, under which debit cards must be able to support two unaffiliated networks to keep costs down. “To date, there’s no industry consensus on how to do that,” notes Vanderhoof.

Meanwhile, retailers are reluctant to perform two separate EMV software upgrades, one for credit now and one for debit once it becomes available. They’d rather have “one software upgrade and one training program put in place to support all payment types, to minimize disruption at retail and the cost of the upgrade,” says Vanderhoof, adding that because of this, only 1 percent of U.S. retailers are even compliant with the credit card portion of EMV today.

Methvin concurs that his retailers are still waiting for the final EMV software adjustments before going live. Meanwhile, “cashiers and customers have not yet been trained” on how to handle the new cards, he says.

On the card side, major banks have thus far issued an estimated 15 million to 17 million EMV cards, mostly to high-value customers or those who travel frequently abroad, notes Vanderhoof, adding that this barely dents the total U.S. population of 1.2 billion credit and debit cards. But he conservatively estimates that about half of those cards will be converted to EMV by October 2015, when fraud liability migrates to the least secure party (bank or merchant). After that, he says, “the race will be on [for banks] not to be the last one standing” without having issued EMV cards.

EMV terminals will be able to read chip cards in two ways: through direct contact (as when cards are inserted into an ATM), or in a contactless fashion, with the cards held within a few inches of the reader. The latter form uses Near Field Communication (NFC), a radio-frequency-based mode that also enables the terminals to take payments from NFC-capable Android smartphones.

However, the majority of the EMV cards coming into the market are contact-only, says Vanderhoof, noting that more dual interface cards (contact and contactless), as well as NFC-enabled mobile wallets, are expected after 2015, in line with a wider base of installed EMV terminals. Methvin points out that some shoppers will be wary of the contactless cards because of security concerns.

Will the advent of chip cards and NFC phone payments help control or even reduce the interchange fees retailers pay for credit and debit transactions? Time will tell, says Vanderhoof. “It’s still a major business issue to be worked out by the merchants, card brands and merchants.”

For his part, Methvin is more skeptical: “Will interchange rates go down? No.”

“EMV technology “will make security awareness a priority for the retail industry and decrease the current threat of fraudulent plastic cards.”
—Steve Methvin, Bozzuto’s Inc.