EMV: What Now?

null null

The first EMV (Europay, MasterCard and Visa) liability shift deadline passed on Oct. 1. Hopefully, the sky has not fallen for convenience store retailers who chose not to upgrade their in-store point-of-sale (POS) devices.

The number of c-store retailers choosing not to upgrade to EMV-capable POS devices is estimated to be significant. Although not solely focused on c-store retailers, a June Cayan study of 344 small-business owners and managers concluded that 52 percent of these retailers would not be EMV compliant by the Oct. 1 deadline, with 37 percent saying they had no plans to accept EMV cards at the POS after the deadline.

Ed Levin, CEO of International Point of Sale, which sells POS systems, says most of his c-store clients have yet to make the EMV upgrade at their stores. “They will only make a change if something stops working,” he said. “[As of] Oct. 1, their Windows XP computers will still be working and their [card] swipers are still working.”

Levin did acknowledge software updates will be issued in the future, though, whereby the retailer will have to have an EMV-compliant terminal to accept credit and debit cards at the terminal.

Despite the significant costs to upgrade to EMV-ready devices, retailers who have not completed the upgrade are certainly at risk. Once a cybersecurity attack happens, it could be too late. If large enough in scale, it could have the power to cripple a business financially.

The amount of risk is an important question c-store retailers need to ask themselves. According to the Petroleum Marketers Association of America, fraud in the petroleum industry reached $250 million in 2014.

If many retailers didn’t upgrade to EMV by the Oct. 1 deadline, the risk retailers are taking decreases due to a strength-in-numbers argument, said Randy Vanderhoof, director of the EMV Migration Forum, an independent body created by the Smart Card Alliance to address issues in the payments space.

“Fraud typically migrates to the least secure party,” he said. “Fraudsters will find merchants that have not made the upgrade. If there are lots of merchants that still did not upgrade to EMV, there are lots of targets for fraudsters to go to and there won’t be any major changes in the chargeback profile. But over time, merchants that are lagging behind will become increasingly higher targets.”

Even though the deadline has passed, it is certainly not too late to upgrade. Regarding costs, Chris Schold, senior alliance manager at Mercury Payment Solutions, said the company’s software upgrade typically costs $250 per year, plus the cost of the hardware. “One popular [hardware solution] we are integrating at Mercury is the VeriFone VX805, which costs about $300 [per terminal],” he said.

“C-stores can affordably migrate to EMV at the counter,” added James Hervey, director of petroleum product management for VeriFone Inc. “Costs vary considerably and are influenced by a number of variables, some of which include the number of sites, the number of in-store lanes, and — if they want to simultaneously update their fuel dispensers — the size of their petroleum forecourt.”

If EMV upgrade costs prove too cost-prohibitive, c-store retailers can look to see if any outside help is available. For example, CITGO Petroleum Corp. implemented an initiative that helps its retailers and marketers upgrade to EMV at the POS. The fuel company is underwriting a portion of the POS upgrades and provides incentives to those under its brand to convert to EMV-compatible POS devices.

Retailer participation in this program since it was first announced at a marketer meeting in January has been excellent, Kara Gunderson, CITGO’s POS manager, told Convenience Store News.

“CITGO’s POS Upgrade Incentive Program is still active and we are receiving several orders each day,” she said shortly before the EMV liability shift date. “We fully expect that the majority of the CITGO marketers will take advantage of this great program.”

TO UPGRADE OR NOT UPGRADE?

To truly determine whether a c-store retailer should upgrade its POS devices to become EMV compliant, review a chargeback profile, Schold recommended.

“Take a look at the number of chargebacks you have each year and multiply that by the average amount of each chargeback,” he said. “So if you have five chargebacks related to fraudulent cards each year and each chargeback averages $30, the retailer will be responsible for $150 per year.”

Vanderhoof stressed, however, that retailers may not be aware of the amount of chargebacks they had in the past. Because they formerly had no financial responsibility for these fraudulent incidents, issuing banks didn’t bother to alert them about it.

“Retailers need to be aware they have been shielded [in the past] from these incidents because the issuer was responsible, leading them to possibly have a false sense of security,” he said. “After Oct. 1, issuing banks have the authority to chargeback any and all fraudulent transactions that are reported to them. So although fraudulent card activity may not actually rise that much, merchants might see a dramatic increase in chargebacks.”

Schold relayed that only the retailer should make the decision regarding whether its POS devices are worth upgrading. And c-store retailers have a tough decision on their hands because most for-sale items have small sticker prices, compared to merchants such as Best Buy or Target that have $1,000-plus electronics items for sale.

Vanderhoof offers a similar view. “Stores that sell low-value products are what fraudsters are typically going to look for,” he said. “Retailers that sell items that can be easily sold on the black market like electronics and jewelry will be at a high risk for fraud.”

When trying to determine which products in the c-store are most likely to be purchased via fraud, look at any item criminals can resell quickly and easily, said Lori Stafford-Thomas, director of public relations at Vantiv Inc. Gift cards are a prime example.

NOBODY IS OUT OF THE WOODS

Retailers who did make EMV upgrades prior to the Oct. 1 liability shift deadline can take solace in the fact that credit and debit card purveyors will continue to handle the responsibility for fraudulent in-store transactions, assuming all their ducks are in a row within time.

C-store retailers have discovered there are two phases to becoming EMV compliant at the POS. Phase one is installation of EMV-capable POS hardware, which for many was quite achievable by the Oct. 1 deadline. Phase two, software upgrades, has proven much more elusive.

Flash Foods Inc., a chain of 171 convenience stores in Georgia and Florida, was set to have its EMV-capable POS pinpads in place by the liability shift date, Chief Information Officer Jenny Bullard told CSNews. However, “software updates from our POS provider and our credit card processor are still in the process of being developed and then must be certified by card networks,” she reported as this issue went to press just prior to Oct. 1.

“This seems to be the case for many solution providers and processers in the industry so I’m concerned that the lineup for certification will be long and will delay many providers being able to push the updates down to us, the retailers,” Bullard continued. “And once we have these updates, we have to implement them in our locations. So, meeting that compliance date of October 2015 for inside EMV is still very elusive at this point.”

Even once the hardware and software updates are in place, c-store retailers now sporting shiny new EMV-capable devices should in no way think they are fully protected from cyberattacks. Although EMV — combined with tokenization, which uses otherwise useless “tokens” in place of a customer’s real personal information when a transaction is being processed — is certainly a step in the right direction, cybercriminals are becoming more and more sophisticated.

“EMV only combats counterfeit card fraud,” said VeriFone’s Hervey. “It’s not a security ‘catchall’ and does nothing to prevent the types of network data breaches that have become all too familiar in the headlines. We strongly recommend that merchants take a multi-layered approach to data security that — beyond EMV — includes end-to-end encryption of payment data along with secure commerce architecture.”

EMV at the ATM

Although the EMV POS liability shift deadline has passed, chatter about the overall topic is unlikely to subside any time soon. For convenience store operators who own ATMs, the next EMV liability shift deadline is coming Oct. 1, 2016.

This date is when ATMs must be EMV enabled or c-store retailers could be on the hook financially for fraudulent activity, in the same manner as at the POS now.

Cardtronics Inc. Chief Marketing Officer Tom Pierce stressed that only the owner of the ATM is responsible for the EMV upgrade.

“Any ATM owner leaning toward not upgrading to EMV may want to reconsider that choice,” he said. “As of the MasterCard and Visa deadlines, with the first being October 2016, liability for fraudulent counterfeit card transactions will shift from the issuers of EMV-enabled cards to the party that has not made the investment in EMV equipment. From a risk assessment point-of-view, when liability will essentially be assigned to the party that hasn’t upgraded to EMV, ATM owners will want to avoid being the weak link in the transaction security chain.”

Upgrading ATMs to EMV is simply too important, agreed Paul Saxon, president of Brandon, Fla.-based Electronic Transaction Corp., a provider of ATM equipment, processing and services.

“EMV will make a major difference in fraud that is happening,” Saxon said. “Fraudsters are all focusing on the United States right now because we are the most vulnerable country there is. They can reproduce a magnetic stripe card pretty easily and empty out a person’s bank account. You cannot do the same thing if the card has a smart chip on it.”

All new ATMs that Electronic Transaction sells can be purchased along with a $130 EMV upgrade kit, an option most c-store operators choose due to its low cost, said Saxon. For c-store operators already with newer ATMs, usually defined as 10 years old or newer, the company sells upgrade kits for $289.

Upgrade kits for ATMs older than 10 years typically run about $900 and must be handled by a technician, meaning the total price tag could be in the $1,100 range. Therefore, c-store operators with older ATMs may want to opt to buy a new ATM instead, with “excellent models” running in the $1,900 to $2,300 range, according to Saxon.

Of the approximate 300,000 ATMs located in retail locations nationwide, about half will need to be replaced by Oct. 1, 2016, he concluded.

Related Topics

X
This ad will auto-close in 10 seconds