Customer-present fraud, or card fraud that takes place at the point of sale when the customer is present, is continuing to migrate to non-EMV countries such as the U.S., which still relies on magnetic stripe cards. Debate continues as to when U.S. issuers will finally switch wholesale to EMV “smart” cards, or those that utilize a digital chip-and-PIN, in order to protect against such fraud. In the meantime, we need to address the question of whether the U.S. retail market is actually ready for EMV.
Countries around the world have deployed various tactics to reduce customer-present and customer-not-present fraud, some with more success than others. Traditionally, fraudsters look to exploit the “weakest link,” i.e., countries or channels with less secure technology. Since most regions in the world have now adopted the safer EMV “smart card” technology, that leaves the U.S. exposed. Statistics on card fraud in the U.S. vary from source to source, largely due to the fact that fraud losses are often underreported, undetected or misclassified and can be difficult to quantify. Most statistics, however, do suggest that customer-present fraud is rising. The sheer size of the U.S. market makes this a significant problem for the country’s card payment industry.
The United Kingdom (UK) faced a similar problem at the turn of the century. Customer-present fraud was rising at such an alarming rate that experts warned it would become uneconomic to accept card payments in as little as five years. The UK was the first country that turned to EMV to combat rising fraud rates and many other countries have since followed.
The migration to chip-and-PIN would represent a significant change for the U.S. and many retailers are nervous about its arrival. Retailers in other regions shared many of these concerns when they were faced with the prospect of rolling out chip-and-PIN solutions. However, in many ways, the U.S. is in a better position than these earlier adopters because the technical standards behind EMV are now well understood and expertise in this area is plentiful. Chip-and-PIN solutions have also become cheaper, more powerful and more feature-rich. So, forewarned is forearmed, but what about the cost?
Without doubt, one of the most significant impacts on U.S. retailers will be the cost and technical complexity of implementing and running an EMV solution. The actual cost of implementing such solutions can be significant as it will include software upgrades, purchase of PIN pads and cost of accreditation. Large retailers, for example, are likely to be looking at costs in excess of $1 million.
Some larger U.S. retailers have already begun to invest in EMV technology at the point of sale. The card-present liability shifts that come into force in October 2015 will spur others to follow suit because fraud liability will then lie with the party that does not support chip-and-PIN. So, if a consumer presents a chip-and-PIN card to a magnetic-stripe-only point-of-sale unit, the liability will lie with the retailer and the processor. Equally, if a magnetic stripe card is presented at an EMV terminal, the liability will lie with the card issuer. The fact that a handful of larger American banks have already started to issue small quantities of EMV cards should help to motivate retailers to make the move.
Retailers running their own in-house payment system will need to ensure that they are skilled in both EMV and their chosen vendor’s software. Large retailers often choose to run their own systems as it gives them greater control over their point-of-sale processes and general customer experience. The ability to architect their own infrastructure also enables them to ensure the fastest possible transaction speeds – a key feature for multi-lane supermarkets in particular. Finally, it allows the retailer to integrate its payment solutions more closely with other retail systems.
These retailers will need to think carefully about which licensed software they select. They will need to ask if it has been proven in a chip-and-PIN environment; the transaction speed at point of sale; which PIN pads the solution supports and whether these are acceptable; if the solution is PA DSS (Payment Application Data Security Standard) approved; whether end-to-end encryption and tokenization are supported; how the PIN pad logistics will be managed and who will manage software upgrades and key management.
Hosted Solution Option
There are numerous benefits to running an in-house payment solution and many retailers will continue with this approach. For others, however, the cost of running their own system may become excessive with the introduction of EMV. When chip-and-PIN was introduced to the UK in 2003, the biggest retailers were the first to adopt. They were able to absorb the additional project, PIN pad and accreditation costs. However, after 2005, mid-size retailers began looking to implement chip-and-PIN. At that time, many UK retailers managed their own payment systems, but when they investigated the cost of continuing to operate this way with EMV, the number of retailers turning to hosted solutions increased and a similar trend can be expected in the U.S.
Some retailers may opt to move to a merchant processor with expertise in chip-and-PIN. There are two models available – a hosted solution, or a shared solution. A hosted solution is where a processor runs a retailer’s payment system on their behalf. It allows a retailer to retain many of the benefits of running their own in-house solution. The solution can still be tailored to the needs of the retailer and, in addition, they gain access to the processor’s EMV skills and experience. As the processor will be running systems for several retailers, they will have standard processes and procedures in their data centres. This means a reduction in the cost and effort associated with PCI DSS (Payment Card Industry Data Security Standard) accreditation.
A lot of smaller retailers, however, just want to accept payments in the simplest and cheapest possible way. In this instance, opting for a shared merchant processor service may be the best option as it is an economical standard solution that is already accredited. Integration is straight-forward and a retailer can be “live” in as little as a day or two. Much of the PCI DSS accreditation falls under the processor’s remit and, if end-to-end encryption and tokenization are used, the scope of PCI DSS for the retailer can be very greatly reduced. The processor will supply PIN pads which are compatible with their solution, removing a major logistics headache for the retailer.
Clearly these retailers will need to consider several factors: which PIN pads are supported by the merchant processor (bearing in mind that only a small number may be available); the transaction speed at the point of sale and how long it takes to process the payment for authorization; how the processor performs in terms of system uptime and availability; what service level agreements are the processors prepared to offer; what management information is available and whether or not it is sufficient for the retailer’s needs.
U.S. migration to chip-and-PIN does seems imminent. Visa has already announced plans to accelerate the migration to EMV and the impending liability shift will also help to encourage mass adoption. The U.S. payment industry must be prepared to make the necessary investment in this more secure technology to help combat customer-present fraud. My advice to U.S. retailers is to start preparing and start preparing soon!
Mr. Rozek is director of UK-based Polar Moment, a leading provider of business and technical consultancy to the payment industry. He can be reached at email@example.com.
Stay connected to Expert Perspectives, Research and Intelligence — subscribe to BAI Banking Strategies now!