Chips off the bold block: America’s EMV compliance challenges

As the United States continues on its EMV compliance journey, the most recent major benchmark was the ATM liability shift for MasterCard. With fraud taking an even larger toll on financial institutions, EMV compliance becomes more critical than ever. Nor does this equal the last hurdle: Visa’s deadline is Oct. 1, 2017.

As skimming continues to run rampant, organizations responsible for ATM networks must take critical steps to gain EMV compliance: This is paramount to protect themselves and consumers. Yet ATM providers have their own unique challenge, and many stand at dramatically different stages of preparedness.

Sifting through the shift: Liability lessons learned

Many merchants responded to last year’s liability shift at the point of sale with a “wait and see” attitude. This tendency to stand by until others have tested the waters might seem pragmatic. But merchants who waited too long got hit with unprecedented chargebacks that hurt consumer trust and their own bottom lines. This should serve as a cautionary tale to any financial institution or third-party provider that adopted a similar attitude with the most recent ATM deadline.

That noted, not all retailers missed the deadline for liability shift at the point of sale by choice.  Some simply were unrealistic about the length of time the certification process would take. Even if an organization’s staff has high motivation to achieve ATM EMV compliance, management must build additional time into their project plans to account for factors beyond their control.

To the point: Becoming EMV ready takes a significant amount of coordination and work between several parties, from hardware vendors to software vendors and even among various internal departments and teams. Certification represents one of the greatest challenges in this process. For example, if the processor is booked solid for a month, that significantly impacts the ability to meet any deadline.

With these factors in mind, it’s important to remember the benefits of proactive planning and clear communications. By outlining distinct goals and detailed plans with all parties involved at the onset, it is much more likely that certification will go smoothly and meet the required deadline. It may even be worthwhile to ask third parties for assistance; many companies offer consulting services with personnel experienced in EMV compliance both here and abroad. This can amount to a small price to pay for peace of mind.

ATM + EMV = 3C (critical compliance challenges)

As noted above, the U.S. continues to experience a substantial skimming problem. According to a recent FICO Card Alert Service study, ATM attacks increased 546 percent between 2014 and 2015. Criminals are finding increasingly sophisticated ways to commit fraud at the ATM, and lack of EMV compliance is one of more common vulnerabilities that fraudsters exploit.

What’s more, some factors meant to assist consumers in their search for chip-enabled ATMs can actually exacerbate the problem. Networks such as MasterCard and Visa have locators that indicate whether an ATM offered by a financial institution or third party is chip-enabled.  Criminals also have access to these features and use them to identify soft targets.

Consequently, as more organizations complete their EMV migration, criminals shift their focus to non-EMV compliant machines, leaving those ATMs and their customers more vulnerable than ever.

Because ATMs are self-service machines, EMV transactions can initially prove more problematic as EMV changes to the ATM interface can confuse users. As seen from the point-of-sale liability shift, EMV often perplexes consumers when it’s their turn to check out. Do they swipe the card? Or dip it? Trying to figure this out on the fly creates frustration for them—and those behind them in line as well.

While POS devices in stores have someone there to guide a customer with the transaction, ATMs lack that luxury. ATM users must independently determine which machines are EMV-enabled and which are not—and whether to swipe or dip—each time they approach. Even with the best signage or visual aids, consumers must still independently decipher what the machine is prompting them to do.

The chips fall where they may: Where are we now?

Financial institutions and other parties that operate ATM networks find themselves at a wide range of stages in their preparedness for EMV compatibility. Most larger organizations are well into their migration; in fact, a good many have already completed it. Many used a phased approach, focusing first on geographic areas notorious for this type of fraud: New York, Orlando and California, among others. From there, they worked with the remainder of their ATM fleets.

Smaller organizations without the resources of the large national players generally aren’t as far along, which makes them preferred targets for criminal activity. The longer these institutions wait to become EMV compliant, the costlier their delay will likely become. And because we have never dealt with this issue in the past, it’s hard to predict the full financial ramifications of non-compliance.

As we look back at MasterCard’s October 2016 deadline, and the POS deadline a year before, , and ahead to October 2017, it is encouraging to see just how much we’ve learned from last year’s point-of-sale liability shift. Knowledge of the real consequences that stem from the failure to become EMV compliant amounted to a wake-up call. Many organizations committed to the planning and resources that were necessary to meet the MasterCard deadline. 

Now that October’s MasterCard ATM liability shift has passed, the industry must prepare for the Visa shift. And: Don’t forget fuel pumps Though each stage is time consuming and requires considerable resources, the increased security offered by EMV will minimize both consumers’ and financial institutions’ exposure the devastation of out-of-control fraud. It’s the ounce of convention that far outweighs the pound of cure—and the pounding—unprepared institutions stand to take.   

Harold Pruitt is the solutions architect for Paragon Application Services, based in the Dallas/Ft. Worth area.