EMV: What Now?
The first EMV (Europay, MasterCard and Visa) liability shift deadline passed on Oct. 1. Hopefully, the sky has not fallen for convenience store retailers who chose not to upgrade their in-store point-of-sale (POS) devices.
The number of c-store retailers choosing not to upgrade to EMV-capable POS devices is estimated to be significant. Although not solely focused on c-store retailers, a June Cayan study of 344 small-business owners and managers concluded that 52 percent of these retailers would not be EMV compliant by the Oct. 1 deadline, with 37 percent saying they had no plans to accept EMV cards at the POS after the deadline.
Ed Levin, CEO of International Point of Sale, which sells POS systems, says most of his c-store clients have yet to make the EMV upgrade at their stores. “They will only make a change if something stops working,” he said. “[As of] Oct. 1, their Windows XP computers will still be working and their [card] swipers are still working.”
Levin did acknowledge, though, that software updates will be issued in the future that require the retailer to have an EMV-compliant terminal in order to accept credit and debit cards.
Despite the significant costs to upgrade to EMV-ready devices, retailers who have not completed the upgrade are certainly at risk. Once a cybersecurity attack happens, it could be too late. If large enough in scale, it could have the power to cripple a business financially.
The amount of risk is an important question c-store retailers need to ask themselves. According to the Petroleum Marketers Association of America, fraud in the petroleum industry reached $250 million in 2014.
If many retailers didn’t upgrade to EMV by the Oct. 1 deadline, the risk retailers are taking decreases due to a strength-in-numbers argument, said Randy Vanderhoof, director of the EMV Migration Forum, an independent body created by the Smart Card Alliance to address issues in the payments space.
“Fraud typically migrates to the least secure party,” he said. “Fraudsters will find merchants that have not made the upgrade. If there are lots of merchants that still did not upgrade to EMV, there are lots of targets for fraudsters to go to and there won’t be any major changes in the chargeback profile. But over time, merchants that are lagging behind will become increasingly higher targets.”
Even though the deadline has passed, it is certainly not too late to upgrade. Regarding costs, Chris Schold, senior alliance manager at Mercury Payment Solutions, said the company’s software upgrade typically costs $250 per year, plus the cost of the hardware. “One popular [hardware solution] we are integrating at Mercury is the VeriFone VX805, which costs about $300 [per terminal],” he said.
“C-stores can affordably migrate to EMV at the counter,” added James Hervey, director of petroleum product management for VeriFone Inc. “Costs vary considerably and are influenced by a number of variables, some of which include the number of sites, the number of in-store lanes, and — if they want to simultaneously update their fuel dispensers — the size of their petroleum forecourt.”
If EMV upgrade costs prove prohibitive, c-store retailers can look to see if any outside help is available. For example, CITGO Petroleum Corp. implemented an initiative that helps its retailers and marketers upgrade to EMV at the POS. The fuel company is underwriting a portion of the POS upgrades and provides incentives to those under its brand to convert to EMV-compatible POS devices.
Retailer participation in this program since it was first announced at a marketer meeting in January has been excellent, Kara Gunderson, CITGO’s POS manager, told Convenience Store News.
“CITGO’s POS Upgrade Incentive Program is still active and we are receiving several orders each day,” she said shortly before the EMV liability shift date. “We fully expect that the majority of the CITGO marketers will take advantage of this great program.”
TO UPGRADE OR NOT UPGRADE?
To truly determine whether a c-store retailer should upgrade its POS devices to become EMV compliant, review a chargeback profile, Schold recommended.
“Take a look at the number of chargebacks you have each year and multiply that by the average amount of each chargeback,” he said. “So if you have five chargebacks related to fraudulent cards each year and each chargeback averages $30, the retailer will be responsible for $150 per year.”
Vanderhoof stressed, however, that retailers may not be aware of the amount of chargebacks they had in the past. Because they formerly had no financial responsibility for these fraudulent incidents, issuing banks didn’t bother to alert them about it.
“Retailers need to be aware they have been shielded [in the past] from these incidents because the issuer was responsible, leading them to possibly have a false sense of security,” he said. “After Oct. 1, issuing banks have the authority to charge back any and all fraudulent transactions that are reported to them. So although fraudulent card activity may not actually rise that much, merchants might see a dramatic increase in chargebacks.”
Schold relayed that only the retailer should make the decision regarding whether its POS devices are worth upgrading. And c-store retailers have a tough decision on their hands because most for-sale items have small sticker prices, compared to merchants such as Best Buy or Target that have $1,000-plus electronics items for sale.
Vanderhoof offers a similar view. “Stores that sell low-value products are what fraudsters are typically going to look for,” he said. “Retailers that sell items that can be easily sold on the black market like electronics and jewelry will be at a high risk for fraud.”
When trying to determine which products in the c-store are most likely to be purchased via fraud, look at any item criminals can resell quickly and easily, said Lori Stafford-Thomas, director of public relations at Vantiv Inc. Gift cards are a prime example.
NOBODY IS OUT OF THE WOODS
Retailers who did make EMV upgrades prior to the Oct. 1 liability shift deadline can take solace in the fact that credit and debit card purveyors will continue to handle the responsibility for fraudulent in-store transactions, assuming all their ducks are in a row in time.
C-store retailers have discovered there are two phases to becoming EMV compliant at the POS. Phase one is installation of EMV-capable POS hardware, which for many was quite achievable by the Oct. 1 deadline. Phase two, software upgrades, has proven much more elusive.
Flash Foods Inc., a chain of 171 convenience stores in Georgia and Florida, was set to have its EMV-capable POS pinpads in place by the liability shift date, Chief Information Officer Jenny Bullard told CSNews. However, “software updates from our POS provider and our credit card processor are still in the process of being developed and then must be certified by card networks,” she reported as this issue went to press just prior to Oct. 1.
“This seems to be the case for many solution providers and processors in the industry so I’m concerned that the lineup for certification will be long and will delay many providers being able to push the updates down to us, the retailers,” Bullard continued. “And once we have these updates, we have to implement them in our locations. So, meeting that compliance date of October 2015 for inside EMV is still very elusive at this point.”
Even once the hardware and software updates are in place, c-store retailers now sporting shiny new EMV-capable devices should in no way think they are fully protected from cyberattacks. Although EMV — combined with tokenization, which uses otherwise useless “tokens” in place of a customer’s real personal information when a transaction is being processed — is certainly a step in the right direction, cybercriminals are becoming more and more sophisticated.
“EMV only combats counterfeit card fraud,” said VeriFone’s Hervey. “It’s not a security ‘catchall’ and does nothing to prevent the types of network data breaches that have become all too familiar in the headlines. We strongly recommend that merchants take a multi-layered approach to data security that — beyond EMV — includes end-to-end encryption of payment data along with secure commerce architecture.”