The state of chip and PIN migration in retail

Nov. 25, 2014
Despite some progress, much work remains ahead of the October 2015 'liability shift' deadline

According to a recent survey conducted by the polling firm Gallup, fears over hackers stealing credit card information from retailers topped every other category of crime worries in the U.S. In fact, nearly 70 percent of Americans reported that they frequently or occasionally worry about having their credit card information stolen from stores by cyber criminals, which far outpaced the number of respondents who said they feared their home being burglarized or having their car stolen or broken into. Given the number and scale of the breaches that have been reported this year alone, including Home Depot, Kmart and Staples just to name a few, it’s easy to see why consumers’ fears about having their credit or debit card information stolen are running rampant.

Nearly everyone agrees that one of the best ways to avoid having customer data stolen from point-of-sale transactions is to migrate away from magnetic stripe readers to chip-and-PIN terminals, which would, in effect, create two-factor authentication for purchases that is more secure than the traditional swipe and sign method. However, making the switch to chip and PIN in the U.S. is much easier said than done with both the retail and banking industries having to make significant investments on their end to support the migration. Retailers, if they haven’t done so already, will have to replace payment terminals within their stores and banks will have to issue these more secure, but also more costly payment cards to their customers that contain embedded microchips.

“The numbers are pretty staggering. There are some 15 million (payment terminals) that have to be replaced and that’s not inconsequential. On the bank side, just the deployment of the cards is expensive, so you’ve got a lot of expense,” said Dick Mitchell, solutions director at Randstad Technologies, which has installed more than 160,000 POS devices across more than 30,000 locations in the U.S. “There are about 800 million or so debit and credit cards in the U.S. and I’ve read estimates that the cost of replacing a traditional card with a chip card is anywhere from $7 or $8 up to $16, $18 or even $20. That gets really, really expensive when you are talking about 800 million of those. The same thing goes for the readers… so there’s a huge expense related to this.”

The clock is already ticking in a sense for retailers, however, because as of October 2015, U.S. stores will have to switch to a new payment system that requires them to have EMV (EuroPay, MasterCard and Visa)-compatible POS terminals in what is known as the “liability shift.” Retailers that fail to adopt the new payment system by that deadline will assume responsibility for all fraudulent credit card transactions.

“The fact is as of October 2015, EMV, the credit card consortium, has said that the entity with the lesser technology is going to be liable for fraud if it’s committed with a credit card,” explained Mitchell. “So, if someone were skimming numbers off of a magnetic stripe card and if something were to happen and information was stolen, then there is what they call the liability shift. If a retailer has the ability to accept a chip card and a magnetic card is presented to them, because the bank hasn’t supplied their customer with a chip card then the bank is going to be liable, but if the retailer is presented with a chip card and the don’t have the chip reader, then the retailer is going to be liable.”

As a result, Mitchell said that his company has seen more and more retailers start to make the switch to chip and PIN, but there is much work left to be done. Of the 20 million retail locations that must convert to chip and PIN by the deadline, only 1.5 million will have that capability by the end of this year and of that 1.5 million, only 10 percent will have chip and PIN technology enabled during the holiday shopping season.

“What you see (among stores that have deployed chip and PIN) is it’s either a result of some breach that’s taken place, as is the case with Target and Home Depot, or because companies are taking a leadership role like Wal-Mart and Sam’s Club in terms of deploying these devices, but overall there hasn’t been a tremendous number of (chip and PIN) devices deployed,” said Mitchell.  

For some retailers, Mitchell said the cost of making the necessary infrastructure upgrades may be more than what they would expect to incur in fraud liability and will therefor delay making the switch. On the other hand, Mitchell also said that there are also not that many chip cards in the U.S. market yet, which could explain why some stores have not enabled the reader technology they have on hand.  

“Part of it is expense and part of it is demand,” Mitchell said of the relatively small number of retailers that have implemented chip and PIN ahead of the holiday shopping season. “Obviously, if they can defer expenses into 2015 that’s probably preferable, but is the demand there? Are there enough cards to warrant that (implementation)?”

For example, Mitchell said his company recently helped a convenience store chain on the East Coast install payment terminals capable of reading both chip and PIN and contactless payment transactions, but they have yet to turn them on because there is not enough demand from consumers.  

Not everyone believes migrating to chip and PIN will be the silver bullet that some people are hoping for when it comes to reducing retail data breaches.

“I actually believe it is going to create more of a problem,” said Michael Bruemmer, vice president, Experian Data Breach Resolution group. “If you look back at healthcare when we first started getting into the shift from paper records to electronic records just that shift in technology created a lot of handoffs of data that opened up loss of data and data breaches. The same thing is going to happen here when you go from magstripe to chip and PIN.”

Additionally, because the liability shift date has been announced for some time, Bruemmer said that criminals have been planning and practicing ways to beat the safeguards chip and PIN are expected to provide.   

“Even though it is the new shiny object, (criminals) have been working on it for a while,” Bruemmer added.