ISOs and IADs will face many of the issues that now confront merchants looking down the barrel at EMV liability shifts in three months.
July 17, 2015
By Allen Friedman, Director of Payment Solutions, Ingenico Group North America
In the U.S., the EMV liability shift occurs in October, and experts expect that 600–800 million EMV cards will be issued to consumers by the end of the year. This transition has been in the works for years — but based on Ingenico's hands-on work with merchants, we believe many simply won't be ready.
The liability shift is not the same as a regulation. Merchants don't have to comply; there are no fines for noncompliance. The impact, however, may ultimately be worse than a fine: Merchants who don’t upgrade their terminals to be EMV capable assume liability for financial losses from fraudulent cards. This includes not just the value of any merchandise acquired by fraudulent means, but potentially compensation for credit monitoring and other damages incurred by consumers whose card data is stolen or misused.
The U.S. is the last developed country in the world to move from the magnetic stripe card standard to EMV. It is also the largest and most complex market so far to make the switch, and we are finding that many merchants — especially medium-size merchants — are not fully aware of what they need to do to get ready.
Ingenico is on the front lines working with merchants on EMV preparedness every day. We've been through the EMV transition in more than a dozen countries (most recently Canada), so we know the ropes. Here are some of our observations and advice for how to best prepare for the EMV transition over the next few months:
This is because their vendors, suppliers and processors are going to get busier and busier as October approaches, and it will be difficult to book testing and certification times. Merchants shouldn't underestimate the amount of testing they will have to do throughout their payment ecosystem, and second rounds of testing are often necessary. You don’t want to be doing this at the last minute.
Apple Pay has exacerbated testing and certification wait times, as merchants and processors scramble to work that payment mechanism into their current mix. Android Pay might soon add even more demand.
Crooks talk to each other — we've seen this in other countries. They know which merchants still use magstripe, and we've seen hacks quickly migrate to those targets. In fact, when countries implement EMV, there is a well-documented migration of credit card data theft toward countries (such as the U.S.) that still use magstripe technology.
Otherwise, merchants tend to lose focus. This is a complex transition, with a lot of moving parts. Someone needs to lead the charge, and this person needs to have executive-level backing in order to minimize red tape and get things done.
Processors should play a key role in helping merchants through this process. If you aren't comfortable with your processor's ability to help you migrate to EMV, find another one. Your processor should bring a lot of expertise to the table. There is a difference between merely supporting EMV and having the ability to help merchants through the process.
In every country where EMV is rolled out, NFC quickly follows as merchants seek to speed up checkout times. All Ingenico Group terminals ship with both EMV and NFC features — make sure yours have both.
While EMV cards have been proven to be more secure and difficult to counterfeit, don't take chances — when you upgrade your payments processing systems, consider implementing point-to-point encryption and tokenization. In an era when credit card data breaches have become frighteningly common, a belt-and-suspenders approach to security will never be out of style.
Overall, we believe that most large merchants will be prepared for the October shift, because they have the most to lose. The 80/20 rule applies here — 20 percent of the nation's merchants process 80 percent of credit and debit card transactions. Of the very largest merchants, we estimate that the vast majority will complete their EMV conversions in time for the October liability shift, and the rest will likely be ready by the end of the year.
Surprisingly, we're finding that small merchants tend to be the next best prepared. That’s because small merchants typically buy or lease point-of-sale devices and software from resellers and acquirers, both of whom are well prepared for EMV, and provide merchants with easy-to-use, prepackaged solutions from OEMs.
Medium-size merchants are the least prepared, in our experience. These merchants often rely on third-party systems integrators that, on the whole, are not as knowledgeable about EMV. We think that this class of merchant will represent the long tail of this issue. Based on our field work, we predict that most of these merchants will not be prepared for EMV until well into 2016.
Mobile POS systems can play a key role in EMV preparedness. Some merchants are choosing to implement EMV-capable mPOS solutions to meet the short-term liability shift deadline, because they tend to be easier and faster to roll out. Merchants ultimately should be planning for an integrated omnichannel solution that's equipped for EMV, NFC and whatever's next. Because one thing we can count on in the payments business is constant change.