February 16, 2016

Many banks are now issuing customers more secure chip-based credit cards, and most retailers now have card terminals in their checkout lanes that can handle the “dip” of chip-card transactions (as opposed to the usual swipe of the card’s magnetic stripe). But comparatively few retailers actually allow chip transactions: Most are still asking customers to swipe the stripe instead of dip the chip. This post will examine what’s going on here, why so many merchants are holding out on the dip, and where this all leaves consumers.

Visa CEO Charles W. Scharf said in an earnings call late last month that more than 750,000 locations representing 17 percent of the U.S. face-to-face card-accepting merchant base are now enabled to handle chip-based transactions, also known as the EMV (“Europay, Mastercard and Visa”) payment standard.

Viewed another way, that means U.S. consumers currently can expect to find chip cards accepted in checkout lines at fewer than one in five brick-and-mortar merchants.

Why are so many chip-capable checkout terminals already installed that have not been enabled to actually accept chip cards? Allen Weinberg, co-founder of Menlo Park, Calif.-based management consulting firm Glenbrook Partners, examined this very question in a recent column that pointed to several factors holding retailers back from enabling dip-the-chip.

WHAT LIABILITY SHIFT?

New MasterCard and Visa rules that went into effect Oct. 1, 2015 put merchants on the hook to absorb 100 percent of the costs of fraud associated with transactions in which the customer presented a chip-based card yet was not asked or able to dip the chip. The chip cards encrypt the cardholder data and are far more expensive and difficult for card thieves to clone.

Despite the increased risk of eating the entire loss from counterfeit card use in their stores, many merchants are taking a wait-and-see approach on enabling chip card transactions. Weinberg said some merchants — particularly the larger ones — want to turn the often painful experience of training customers how to use the chip cards and terminals into someone else’s problem.

“They see [chip cards] as just slowing down lines and chose to wait until consumers learned what to do — and do it quickly — at someone else’s store,” Weinberg wrote.

Weinberg adds that for many larger merchants, switching on the chip readers also can be a big and expensive project. Part of the problem, he says, is that many integrated point of sale systems — particularly the electronic cash register software for these systems — were just not ready in time for the Oct. 2015 liability shift.

“Even if the software was ahead of the game, they faced long certification queues at many acquirers,” Weinberg wrote. “I believe this is going to be a problem for a while.”

Visa said based on recent client surveys it expects 50% of face-to-face card accepting merchants to have chip card transactions enabled by the end of this year. But even 50 percent adoption can mask a long tail of smaller merchants who will put off as long as they can the expensive software and hardware upgrades for accepting chip transactions.

“My dry cleaner isn’t worried about someone using counterfeit cards at his cash register,” Weinberg said, noting that many businesses meanwhile discount the chances that hackers will siphon customer cards by sneaking malicious software onto point-of-sale devices — a problem that has led to one breach after another at brand name retailers, restaurants and hotels over the past several years.

AN INVISIBLE HAND

The United States is the last of the G20 nations to move to more secure chip-based cards. As late as the United States is on EMV implementation globally, the process of merchants shifting to all-EMV transactions is still going to take several more years. Visa has said it typically took about three years after the liability shifts in other countries before 90% of payment card transactions were “chip-on-chip,” or generated by a chip card used at a chip-based terminal.

Terry Crowley, CEO of TranSend, a company that makes software to help merchants and their equipment work with the EMV standard, said software code for card-accepting devices has historically been simple — so much so that it could be written on the back of a business card.

“But now with EMV, that same software wraps around the walls of a room three times…hundreds of thousands of lines of code,” Crowley said. “Historically, software was developed by terminal manufacturers and some-few contract programmers who kept up with the old-school operating systems, software development kits and so on for each terminal manufacturer. It was so easy that merchants and processors installed specialized tweaks that created countless variants in the marketplace.”

Now with the EMV liability shift deadline come and gone, Crowley says, suddenly there is a fire drill to replace all of this once-easy software and its countless variants. Compounding the problem, Crowley says, is that EMV code is hard to write and harder to push through the certification birth canal. What’s more, he adds: There are very few EMV software developers who understand the U.S. market.

Crowley predicts that plenty of smaller merchants could soon get hit with a wave of chargebacks from unscrupulous people abusing the liability shift at merchants that still don’t offer the chip dip.

“There’s an invisible hand at work that is about to kick everyone in the pants and accelerate U.S. dipping into EMV slots,” Crowley said. “If you use a chip card at a point of sale that says swipe — and you later say that wasn’t me – there’s very little a merchant can do to dispute that charge. It’s going to happen because what people aren’t thinking about is the friendly fraud. When people are made aware that if I swipe and I have a chip card, that lunch can be free if I’m a bad consumer.”

And the international [banks] are going to be the first ones to lay in, Crowley predicts.

“International card issuers are used to all these chargeback codes and minutia that goes around with EMV disputes,” he said. “They know the rules pretty well and have had EMV cards for years. So when this first wave of chargebacks starts hitting next month, things are really going to ramp up for EMV adoption by smaller merchants here in the U.S. It just takes one chargeback for those [smaller merchants] to get religion on EMV.”

MAD AS HELL?

If you’re curious about chip card swipe adoption in your area, take an informal survey: My own decidedly unscientific survey involved a shopping spree one recent morning to no fewer than seven different retail locations, which revealed exactly seven different chip-capable payment terminals instructing customers to “Please Swipe Card.”

So what’s the takeaway for consumers? Why aren’t consumers mad as hell about being asked to swipe their chip cards, thereby defeating the added security on the card?

For his part, Weinberg said he’s mad as hell, but he says if consumers get mad about anything chip-card related, it’s probably going to be about the 10-15 extra seconds it will take to dip the chip versus swipe the stripe.

“If anything, consumers are getting pissed off at how many more seconds it takes to do chip card transactions,” which require the consumer to keep the card inserted into the card terminal until the transaction comes back as approved, Weinberg said.

“We Americans care more about convenience than we do about security,” he said. “In the end, consumers hold their banks accountable for this stuff, because they’re the ones having to reissue the cards each time there’s another breach.”

Here’s another basic takeaway for any consumers still reading: Use a credit card and kick debit cards to the curb. If a thief makes a charge on your credit card that you didn’t authorize, a simple phone call can fix the problem. If the crooks manage to siphon all cash from your checking account, that’s a bigger problem that could take several days to sort out with the bank (and longer if you count any other businesses you may have just paid with a check).


248 thoughts on “The Great EMV Fake-Out: No Chip For You!”

  1. MIle

    Timeless — Both EMV and magstripe contain the cardholder data in the clear. So even if you dip first, unless the terminal is using P2PE encryption, the bad guys already have your data and can still use it online!

    1. SudoShinji

      Why would you be using EMV without p2pe pass through? I’ve had p2pe on my terminals for a long time but we are still waiting on our merchant to approve EMV and provide forms to our hardware vendor for implementation.

    2. piet

      The whole point of EMV is that the chip holds a processor, and thus can perform cryptographic functions. Such as digitally signing transactions using public key encryption, which means that the private key never leaves the chip. The EMV standard has many failings, but the use of a chip is precisely to prevent replay attacks. Is EMV always successful? Hell no, the researchers at Cambridge University keep finding exploits. But you shouldn’t write off EMV as a joke based on misinformation. Given the alternative, that’s just irresponsible.

  2. Shane Harwell

    EMV is pretty much a joke. As Mile posted above, unless the terminal is using Point to Point Encryption that has been validated by the PCI-DSS process, the cardholder data remains in the clear, so fraudsters can still use your data for purchases on line.

    1. Khurt Williams

      Doesn’t PCI mandate the use of encryption for information in transit? The scenario you describe is only true for transactions that don’t meet PCI compliance requirements. So … not a failure of technology but a failure to follow the process.

      1. Kagey

        PCI-DSS does not YET mandate that credit card data “on the wire” be encrypted, only data at rest. It is still OK for data to flow through computer memory un-encrypted – that is how Target and Home Depot got hacked. PCI-DSS does not yet mandate tokenization and/or P2P Encryption but that is the safest way to prevent a hacker from running off with credit card data at retailers with a large footprint.

  3. Joseph

    The switch to dip and wait and wait and wait and wait and wait and wait and…

    has caused me to stop using my credit card entirely. I now use Apple Pay the majority of the time. So much more convenient.

    I suspect this is a substantial cause behind the large increase in Apple Pay usage in the last quarter of 2015. Worth noting.

    1. Will

      The time I’ve had to wait to use the chip reader has been far shorter than the time I’ve waited in line for cashiers who are instructed to pressure each customer to sign up for a “loyalty” card, and getting them to tell every detail their life story in order to get a 50 cent coupon. Lots of them do. I’ve lost the best years of my life waiting in line behind that.

  4. Dave Hylands

    Being Canadian, I’ve been using chip cards for years. Most of the newer cards have some type of RFID chip built in and for transactions less than $100 you can just tap the card. No swipe, no dip. Faster than a swipe even.

    I’m guessing that the RFID stuff is even less secure than the swipe (I carry all of my RFID cards in an RFID shielded enclosure).

    1. David Bobb

      Right. The ‘tap to pay’ feature is an opt-in feature that can be enabled on your card via your bank provider in Canada. The catch is that the daily amount you can charge is limited, and I imagine there’s no consumer recourse for fraudulent charges. It allows for more secure purchases (chip and pin) as well as more convenience for small purchases. For myself, I review my bank statement regularly via online banking so I can detect fraudulent transactions, of which I have observed none within the couple of years I have been using the RFID/tap and pay feature.

  5. Dan

    Every time I use my chip-enabled card at Walgreens it takes about 3 – 4 seconds and then it tells me to pull it out. But at Target, Home Depot, and others it’s more like 10+ seconds. Why is Walgreens so fast? What are they doing differently, wrong or right?

    1. Steve

      Differences in response time are usually related to the store’s network connection to the national clearing systems, Bob. Cheapskate stores do it by dial-up technology, better stores have a fast connection permanently open.

      1. Kagey

        Steve – you are blatantly wrong in your response about why some credit card terminals are quicker and others are slower – It is not because those retailers are pushing transactions over dial-up. Almost all major retailers are using secure internet connections to process credit card authorizations (T-1, DSL, etc). Even if a phone line is being used, it is still plenty fast enough – the actual out and back of an auth over dial-up can be done in 1 to 3 seconds. The main reason credit card terminals can take longer with EMV transactions has a lot to do with the software that is running on the PC that communicates with the credit card terminal. It also depends on which major credit card terminal manufacturer we are talking about – there are (3) currently: Verifone, Ingenico and Hypercom-Equinox. All three companies have their pluses and minuses. Having personally worked with devices from all three manufacturers, I can tell you that the secure portion of the software that deals with EMV transactions is extremely complex. All parties are still trying to figure out how to make everything work smoothly.

        1. Chris

          I agree with Steve. The issue with dial-up connections being slower has very little to do with bit-rate. It has to do with the fact that the modem has to dial-in and open and close every connection, which ends up being very time consuming, as opposed to always-open broadband connections that only need to push through packets.

          Luckily in Australia it is very rarely an issue, as “dipping the chip” has been the norm for the last 6-7 years, and now RFID/NFC use has skyrocketed, being the de facto standard for the past 2-3 years. Broadband connections are everywhere, and swiping is almost as non-existent as paying with a cheque, at least in metropolitan areas.

  6. Fiat

    Ok the merchant is held 100% responsible if they DO NOT upgrade their systems to support the EMV cards so waiting is a BAD IDEA. I am assuming the merchants want to eliminate the processor throwing all blame on them if something happens. This is a FORCED action through law and reg.

    1. Kagey

      There is no law requiring retailers to switch to terminals that can EMV cards – only a mandate from the card companies that says the retailer eats the charge if a customer contests the charge for any transaction done on a non-EMV-enabled terminal with an EMV card.

      1. Mike

        If the tempted customer, the fraudster, denies the purchase or swipe isn’t considered a federal issue due to the credit card?

        Most retailers have captured the consumer on a video system as well as capturing the regulation e receipt with signature.

        It is true that as of Oct 1, 2015 the banks and card issuers have washed their hands and shifted the liability or collection to the retailer/merchant; but, that consumer/customer is potentially making a big mistake….

  7. John

    The issue of extra time at checkout when using EMV cards is compounded by all of the interactive user prompts during the transaction.

    Take Target for example: They require the card to be inserted and remain there until the transaction is complete, asking if you want extra cash – requiring a user response before moving to the next screen, where the option to split the transaction… presumably between tender types or other cards is offered – and remains on the screen until dismissed, finally the user is prompted to remove their card and an audio alert sounds if they don’t. This inevitably slows the line down because the cashiers are required to engage the customer in conversation, distracting them from the terminal screen prompts. Because of all this back and forth, Target has always been somewhat slow, even before EMV adoption. EMV does add a bit of extra time to an already slow transaction.

    Walgreen’s is even worse due to their multiple options similar to Target, but they go further by their attempt to data-mine every cent you spend under the guise of their reward program, requesting you enter your phone number to identify yourself – even in a cash transaction. Waiting in a line of 3 or 4 customers is often painful as each customer generally has to be ‘guided’ by the cashier to speed the process along and again, this without factoring in EMV.

    So retailers’ complaints about EMV cards slowing the transactions are laughably ironic at best.

  8. sunman42

    My local Safeway (in a DC suburb in Maryland) has no EMV-capable POS hardware. Instead, their response to the shift in liability for fraudulent purchases is to have the customer swipe the strip in the old, same way, and if the charge is greater than $50, the customer has to present the card to the checker so he/she can enter the last four digits of the card number.

    I so wish they supported Apple Pay: no PII transferred to the merchant or anyone else, just hashed versions of an authorization code from the issuing bank.

  9. BJ47

    As noted above, original post ignores ApplePay. It seems to be (not) being deployed as slowly as EMV, but it bypasses the long wait and merchant-collected PII. Users find apple (TouchID) more secure than either big merchants or FBI.
    Also not addressed – many merchants count on CCTV surveillance of POS to deny and prosecute fraudulent chargebacks. It’s both more ubiquitous and supported by police. They think they’ll never have to buy EMV nor ApplePay.


  11. David Fraiser

    Well *this* American thinks security is well worth an extra 15-30 seconds.

    Wanna know what merchant has the new scanners installed, but taped them off and put a sign “please swipe”?

    The United States Postal Service.

    I probably shouldn’t have been shocked, yet I was.
