What to Do If You're in EMV Compliance Limbo

NATIONAL REPORT — It’s been pushed back multiple times, but the deadline for retailers to be EMV compliant at the pump is set for October 2020, and it doesn’t look like it will be pushed back again.

“The Merchant Advisory Group reached out to Visa and Mastercard directly to ask for a delay and they were told ‘no,’” Linda Toth, director of standards at technology nonprofit organization Conexxus, told Convenience Store News.

On Oct. 1, the liability for fraudulent transactions will shift from the credit card companies to the retailers. There are two types of fraud: counterfeit, and lost and stolen. The credit card companies have been accepting liability for the counterfeit, which is 90 percent of the fraud out there now, Toth explained. If a retailer is EMV compliant, they will not be responsible for that counterfeit fraud or lost and stolen. However, if they are not compliant, they will be liable for it come October.

“We reached out to the card brands to try and understand the potential fraud, and three out of the major four gave us data for 2018 and 2019,” Toth said. “In 2018, the fraud was $299 million annually just for automated fuel dispensers. We are looking at a 23 percent year-over-year increase in fraud at the pump. That means by 2020, it will be $451 million annually and if a retailer is not compliant, they will share a piece of that.”

In order to become EMV compliant at the pump, retailers need to install an EMV-capable dispenser or a retrofit kit, install software on their EPS and point-of-sale, and this all needs to be done by government-certified technicians before everything can be tested and turned on.

Many retailers in the midst of the process are finding themselves waiting in line for their software and hardware combinations to be certified, and then waiting in line for a technician to install.

“There is a queue that is building up to go through the certification process, so there is a segment of retailers that have done all they need to do by working with manufacturers, buying the proper components and receiving software from vendors, but are now waiting on their processor to test their particular configuration. And that is different for nearly every retailer,” explained Randy Vanderhoof, director of the U.S. Payments Forum.

In a recent survey done by Conexxus, the top challenge cited by respondents was lack of available software (52 percent). This means it’s either not available or not yet certified, according to Toth. There are many equipment and software combinations that are not yet certified.

“By October 2020, I suspect there still won’t be solutions ready for some combinations, and even once a retailer has the certification, they still need to install a beta site, test it to make sure everything is working, plan to roll out, and send technicians to install the software,” she said.

So, what can a retailer who is on hold do to meet the Oct. 1 deadline?

There are some recommendations and best practices from experts on how retailers can try and speed up the queue for Level 3 testing and certification. This includes preliminary testing and obtaining approvals before installing hardware, so once the software comes for the upgraded hardware, they will have already gone through Level 3, Vanderhoof explained.

Some payment brands also have offered self-testing options because everyone is trying to streamline things as much as possible to help retailers get through this, he noted.

“Ultimately, it depends on the individual retailer’s setup and system, and how much work they have done in advance before getting to the end of the timeline in October, where any fraud that occurs gets charged back to the retailer,” he said.

In the recent Conexxus survey, retailers who are not 100 percent compliant were asked if they are going to deploy new solutions, and 17 percent said they were undecided, while another small percentage said no. The reasons cited were either the cost, or the risk not justifying the expense.

“The biggest message I have for merchants on the fence is that the risk is real, and as more and more stations become compliant, the bigger piece of that fraud pool you will be responsible for, and that cost will become huge — and may be more than the operating profit,” Toth pointed out. “It’s something retailers really need to take a look at now."