Please do not leave this page until complete. This can take a few moments.
A large data breach in December 2013 shook banks and retailers out of their sense of complacency that fraud couldn't happen in their business. In mid-December of that year, Target Corp. acknowledged criminals had stolen customer data from 40 million debit and credit cards from Nov. 27 through Dec. 15. The following January, Target added 70 million customers affected by the breach.
The hit to Target was palpable: while other stores saw strong sales the last weekend before Christmas, transactions at Target fell 3% to 4% over the prior year, and the company said sales were meaningfully weaker after the breach became public. Costs associated with the breach topped $200 million, according to a Consumer Bankers Association and Credit Union National Association report.
In a broader sense, that breach, combined with other highly publicized incidents at Home Depot and elsewhere, brought microchip cards to the fore in the United States, which is the last major world economy to adopt the card technology. EMV cards, for Europay, MasterCard and Visa, became popular in Europe more than a decade ago. They aim to banish fraud in cards used at terminals. Instead of using magnetic stripes, whose numbers are used repeatedly and are seen as a weak point in the estimated $8.6 billion in card fraud costs annually, the chips generate a one-time code that is good only for each specific transaction. The first part of the switch to EMV is scheduled for October.
“The United States is probably one of the last major countries on the face of the Earth to implement EMV technology,” says Steve Whitney, executive vice president of risk management, deposit operations and information technology at Norway Savings Bank. “It's striking about how far behind we are when you look at Africa, not to mention Canada.”
He adds that while the switch to EMV cards is fraud-driven, it also is being prompted by companies wanting to keep a good reputation. The Target breach was a startling wakeup call.
According to the PULSE 2014 Debit Issuer Study, 84% of financial institutions reissued all of the exposed cards in response to the Target breach compared to 29% that would typically do so for all exposed cards in other prior breaches. Additionally, 86% of financial institutions said they planned to start issuing EMV cards in the next two years, up significantly from the 50% in 2012, before the Target breach. PULSE noted that 14% of all debit cards were exposed to data breaches in 2013 compared to 5% in 2012, indicating such criminal activity is on the rise.
While Europe saw a dramatic drop in fraud after it initiated its EMV system, criminals are always on the lookout for a chink in the armor. Some are targeting countries still using magnetic stripes both in machines and in “contactless” settings like the Internet, where card numbers are input via keyboards. “It's always an arms race with fraud,” says Nick Holland, analyst and head of payments at Javelin Strategy & Research's Cambridge, Mass., office. “It's cost-prohibitive to replicate these EMV cards. With the random number generation, anything dynamic is much better than a magnetic stripe.”
Despite the fraud issues, the switch to EMV is not mandatory, and is being driven by industry, namely MasterCard and Visa. The twist, however, is that as of Oct. 1, 2015, merchants without terminals that can read EMV cards risk taking on the responsibility of fraud losses, which banks previously held. Banks and credit card issuers are supposed to have EMV chips in their cards by the same date, but the transition will likely take several years, Whitney and other bankers say. The EMV guidelines call for banks to have their ATMs able to read EMV cards by Oct. 1, 2016. Unattended gas pumps have until Oct. 1, 2017, to add EMV readers.
The delay in implementing the cards and changing ATMs, cash machines and point-of-sale terminals is the sheer magnitude of the effort — some 1.2 billion credit cards and 8 million point-of-sale terminals alone are involved, according to Javelin Strategy & Research. Also, the payback in cost versus fraud risk remains a question in EMV adoption, especially for smaller merchants, notes Whitney. He estimates the average cost to implement EMV readers in each ATM is $3,000, with a similar cost for EMV readers at merchant point-of-sale terminals. Also, the average cost to issue an EMV debit or credit card is $3.50, more than three times the $1 for a conventional plastic card.
Norway Savings issues only debit cards, working with an outside party for credit cards. It plans a rollout over the next three years of the new EMV cards, starting with cards up for renewal and cards for customers who travel frequently. The bank will have to replace 30,000 debit cards. While the U.S. EMV cards and readers likely will have both the magnetic stripe and EMV chip for up to a decade, some businesses in Europe and Canada only can read EMV cards.
One reason banks aren't hurrying to make the change: they already are carrying the fraud burden, so they're not as sensitive to it as merchants might be, Whitney says. He suggests that because the more fraud-prone magnetic stripes will be around for many years, that consumers check their statements carefully.
“The cost of shifting is significant,” he says. “The business case in the liability shift isn't compelling [in itself]. The reputational risk component, for example Target, may drive the whole thing.”
While Whitney expects most banks to adopt EMV, he says some merchants may not even know about the impending October deadline. At a recent talk before the Maine Bankers Association, Whitney, along with about 32 other banking colleagues in the room, admitted they are worried customers will blame banks if they don't know about the switch in fraud liability and haven't readied their computer systems.
“Merchants will blame us when the fraud comes back to them,” says Tammy Plummer, senior vice president and chief information officer at The First N.A. Like Norway Savings, The First plans a staggered rollout of EMV cards starting in the fall.
Craig Garofalo, senior vice president and chief operating officer at Kennebec Savings Bank, says his bank already has its ATMs converted, and plans to reissue cards as they expire. “I'm not feeling a ton of pressure with the October deadline. We already have the liability,” he adds.
And while market researchers estimate that 59% of retail locations are expected to comply with EMV by the end of 2015 and 86% of financial institutions will issue EMV debit cards in the next two years, Garofalo says he'd be shocked if more than 25% of the mom-and-pop shops make the transition by October, though larger chains like Sam's Club will be ready.
Another downside is that transaction costs are higher with the new cards, says Zach Nichols, a management trainee at Kennebec Savings Bank who has been focusing on EMV. “It's about 1.5 cents more. It doesn't sound like anything until you see that it's hundreds of thousands of transactions.”
One upside for banks: they can reconsider whether they continue their relationship with MasterCard or Visa, since the credit cards will have to be reissued in any case. “We're reviewing all of our current Visa branding,” says Plummer of The First. “There are incentives from the card companies, so it's a good time to look at your brand.” Whitney, whose bank has ties to MasterCard, says he is making the same assessment.
Another concern is customers. The new EMV cards aren't swiped through a merchant's terminal or into an ATM. They are inserted into a reader for several seconds during the transaction. That has led to worries of consumers walking away from transactions without taking their cards. One banker at the Maine Bankers Association meeting said Canada experienced a 10% to 12% “leave-behind” rate of the new cards. Still others worry that the extra seconds for the transaction will discourage impatient consumers.
The long-term trend, several bankers noted, is toward contactless systems using smart phones instead of credit cards, like Apple Pay, with the same use of the one-time transaction number. The EMV chips do include the capability for contactless use, Whitney says, though his bank and others, he suspects, won't initially use that feature, which is known as near field communications.
Read more
Comments