Why EMV Shift Is Too Little, Too Late
Are your members safer today than they were yesterday? The reason why I’m asking that question is that today is the day Visa and Mastercard shift liability for unauthorized Point of Sale transactions involving debit and credit cards from card issuers who use EMV chip cards to merchants who don’t have terminals that can process these chip based transactions.
This shift is arriving with more of a whimper than a bang. Estimates vary widely, but in March the Payments Security Task Force, a consortium of eight financial institutions, representing approximately 50 percent of the total U.S. payment card volume, estimated that 63 percent of their credit and debit cards will contain EMV chips by the end of this year, expanding to 98 percent by the end of 2017. Merchant terminal conversion is estimated to be as low as 50%.
To me the EMV conversion process contains an important lesson: if this country wants a truly robust system to guard against data theft we need more government involvement, not less.
First, the good news. All consumers will ultimately benefit from a world in which the magnetic strip becomes a Smithsonian exhibit. America desperately needed this push. Despite being in use for more than two decades the U.S. has stubbornly resisted the adoption of chip based technology. This technology makes point of sale transactions much safer by making it much more difficult to steal card information. In Europe EMV brought about a sharp decline in POS theft.
Then there is the convenience factor. We live in an integrated world and the continued use of the magnetic strip really isn’t all that different from continuing to use floppy discs while everyone else is downloading programs from the cloud. Talk to anyone who has traveled overseas. if you don’t have a chip based card everything from paying for tolls to getting on a subway is a hassle. The great American credit card is as antiquated as a black and white T.V. It’s not a coincidence that the United Nations FCU has been a leading advocate of the liability switch.
So why am I so underwhelmed by the liability shift? Most importantly, it is too little too late. EMV chips are already old technology. There are even reports that hackers have figured out how to break into them.
Second, what we are witnessing is another split between the behemoths and small lenders. Given the expense of EMV cards-I’ve seen estimates that a chip based card is five times more expensive than a magnetic strip-it makes perfect sense for a credit union to look at its fraud numbers and conclude that the value of the liability shift is outweighed by the cost of conversion. Similarly, it makes perfect sense for the small business merchant with the corner store to decide to risk higher fraud costs than upgrade his payment terminal. My assumption is that what we have this morning is a patchwork of consumer protection depending on where a consumer does her banking, her shopping and how often she uses plastic.
Then there is the continuing finger-pointing. Merchants say that security is best achieved when chip technology is coupled with a requirement that the consumer enter a PIN number, In contrast the early numbers suggest that chip and signature has been the more commonly adopted approach. These type of tangents ultimately benefit no one.
One of my favorite economic\security metaphors is of a lighthouse. On the one hand all ships benefit from its existence; on the other hand since there is no way to provide light only to ships that contribute to its maintenance it’s always going to be in the economic best interest of some ship owners not to contribute. To me the EMV adoption process has suffered from the same dilemma. It shows, why, when it comes to developing a robust data protection system, government has to take the lead and impose baseline mandates.