Did You Meet the EMV Deadline?

NATIONAL REPORT — The first EMV (Europay, MasterCard and Visa) liability shift deadline hits on Oct. 1, and the number of convenience store retailers choosing not to upgrade to EMV-capable point-of-sale (POS) devices in-store is estimated to be significant.

Although not solely focused on c-store retailers, a June Cayan study of 344 small-business owners and managers concluded 52 percent of these retailers would not be EMV compliant by the Oct. 1 deadline, with 37 percent saying they had no plans to accept EMV cards at the POS after the deadline.

Ed Levin, CEO of International Point of Sale, which sells POS systems, reported that most of his c-store clients have yet to make the EMV upgrade at their stores.

“They will only make a change if something stops working,” he said. “[As of] Oct. 1, their Windows XP computers will still be working and their [card] swipers are still working.”

Retailers who have not completed the upgrade are at risk. However, the amount of risk is an important question c-store retailers need to ask themselves. According to the Petroleum Marketers Association of America, fraud in the petroleum industry reached $250 million in 2014.

If many retailers didn’t upgrade to EMV by the Oct. 1 deadline, the risk retailers are taking decreases due to a strength-in-numbers argument, noted Randy Vanderhoof, director of the EMV Migration Forum, an independent body created by the Smart Card Alliance to address issues in the payments space.

“Fraud typically migrates to the least secure party,” he said. “Fraudsters will find merchants that have not made the upgrade. If there are lots of merchants that still did not upgrade to EMV, there are lots of targets for fraudsters to go to and there won’t be any major changes in the chargeback profile. But over time, merchants that are lagging behind will become increasingly higher targets.”

Even though the deadline has passed, it is certainly not too late to upgrade. To determine whether a c-store retailer should upgrade its POS devices to become EMV compliant, review a chargeback profile, recommended Chris Schold, senior alliance manager at Mercury Payment Solutions.

“Take a look at the number of chargebacks you have each year and multiply that by the average amount of each chargeback,” he said. “So if you have five chargebacks related to fraudulent cards each year and each chargeback averages $30, the retailer will be responsible for $150 per year.”

Vanderhoof stressed, however, that retailers may not be aware of the amount of chargebacks they had in the past. Because they formerly had no financial responsibility for these fraudulent incidents, issuing banks didn’t bother to alert them about it.

“Retailers need to be aware they have been shielded [in the past] from these incidents because the issuer was responsible, leading them to possibly have a false sense of security,” he said. “After Oct. 1, issuing banks have the authority to chargeback any and all fraudulent transactions that are reported to them. So although fraudulent card activity may not actually rise that much, merchants might see a dramatic increase in chargebacks.”

NOBODY IS OUT OF THE WOODS

Even c-store retailers who did make EMV upgrades prior to the Oct. 1 liability shift deadline have discovered there are two phases to becoming EMV compliant at the POS. Phase one is installation of EMV-capable POS hardware, which for many was quite achievable by the Oct. 1 deadline. Phase two, software upgrades, has proven much more elusive.

Flash Foods Inc., a chain of 171 convenience stores in Georgia and Florida, was set to have its EMV-capable POS pinpads in place by the liability shift date, Chief Information Officer Jenny Bullard told CSNews Online. However, “software updates from our POS provider and our credit card processor are still in the process of being developed and then must be certified by card networks,” she said.

“This seems to be the case for many solution providers and processers in the industry so [we are] concerned that the lineup for certification will be long and will delay many providers being able to push the updates down to us, the retailers,” Bullard continued. “And once we have these updates, we have to implement them in our locations. So, meeting that compliance date of October 2015 for inside EMV is still very elusive at this point.”

For more on EMV and the deadlines still to come, check out the October issue of Convenience Store News.