Retailers have chip card readers -- why aren't they using them?
What are you supposed to do when you pull out plastic to buy something at a store these days? You've probably noticed that plenty of stores have terminals that obviously have a slot for inserting a chip-enabled credit card, but when you try to do that, an anxious store clerk yells something like, "Nope, we don't take chips yet. Please swipe."
Back in October, a much-ballyhooed deadline marked the great switch from old-fashioned magnetic stripe cards to newer EMV chip credit cards. Well, that was the plan anyway. Despite some slow, steady progress, most of us are still swiping our stripes instead of dipping our chips several times each week.
The dipping delay
Initially, the bottleneck was thought to be caused by the large investment stores had to make in new point of sale terminals, which run about $500 for each checkout line.
But anyone who's done any shopping in the past few weeks might be left with the impression hardware isn't the problem: Chip readers seem to be everywhere, but the switch hasn't been flicked yet.
The impression is accurate. According to the industry group EMV Migration Forum, there are roughly 5 million EMV-ready terminals at U.S. stores right now, but only 1 million have started accepting chips. In other words, when you see a chip reader, odds are 4 out of 5 that you won't be able to use it.
What's the holdup? While it might seem obvious to blame stores for not enabling the devices, some merchants are blaming the banking industry, and a lawsuit filed last week in a California federal court claims that the banking industry collaborated to hand the bill for fraud to store owners.
Back in October, new network rules went into effect that essentially require merchants who haven't upgraded to EMV terminals to cover the cost of fraudulent transactions. (Prior to the shift, financial institutions generally covered the cost of fraud.)
Last week, two small Florida stores filed a lawsuit seeking class action status, saying their bill for fraudulent transactions has increased perhaps 20-fold since the October deadline and the EMV delay -- playing out in smaller stores across the country -- is costing them big money. The lawsuit names payment networks like Visa and Mastercard, along with large payment processing firms. Both Visa and Mastercard said they were reviewing the claims in the lawsuit.
Not just a hardware issue
It turns out that getting new hardware into stores was just the first step in the conversion process, and in many cases, the easier step. New software comes next, and that's been causing holdups, experts said.
"Just because you see an EMV slot on a terminal, doesn't mean it works," said Michael Moeser, director of payments at Javelin Strategy and Research. "Getting the terminal to accept EMV cards is a two-part process. First, the merchant either needs to load newly developed software or integrate new software from a third party into its back office systems to allow the terminal to accept EMV. Second, then the new terminals and the merchant need to undergo a certification process with each of the card networks, typically done in combination with its merchant acquiring bank. The certification queue is currently very long as you can imagine that there are a number of merchants seeking to roll out EMV at the same time."
While that delay is annoying to shoppers -- "what do I do, swipe or insert?" -- some merchants say it's killing business. According to the merchant lawsuit, Milam's Market and Grove Liquors in Florida faced 88 chargebacks for fraudulent transactions totaling $9,200 from MasterCard and Visa since the Oct. 1 liability shift, plus $5 chargeback fees for each item. During the same span last year, the firms faced only four chargebacks, the lawsuit said.
The stores say they purchased EMV hardware long ago, and are simply waiting for their terminals to be certified. The lawsuit says the stores have been told the queue for certification is so long they have no idea when it might come.
"Tellingly, nothing Milam's Market could have done -- short of making the business-crippling decision to stop accepting Visa cards -- could have prevented this outcome," the lawsuit says. "Class members such as the plaintiffs here, could not timely comply with the standard, no matter what they did, because the Defendants refused to, or were unable to, 'certify' the new equipment by the deadline -- or, indeed, the 'certification' process would take years after the ... Liability Shift was imposed."
The debit sticking point
Shifting the way America uses plastic was bound to encounter snafus, but Randy Vanderhoof, EMV Migration Chairman, said the American payment market faced particular challenges because of the way debit cards are processed. Federal law designed to promote competition in debit card processing requires that merchants have a choice of networks for processing payments, but that made writing software for EMV debit cards much more complex.
"We have a regulatory environment which requires that every card issued has to support at least two unrelated payment networks for processing," he said. "So software and certification testing on debit was more complicated and later to arrive."
Since the specifications for EMV debit card processing came late in the game, some in the payment industry decided to delay their conversion work. Otherwise, stores and processors would have found themselves supporting EMV for credit cards, but magnetic stripes for debit cards, potentially frustrating consumers and causing two hardware and software conversions.
"That is not an ideal consumer experience," Vanderhoof said. "You could have the same customer using debit in one transaction (and swiping) and then credit in another (and inserting a chip card). You can start to appreciate it is not a simple thing."
The merchant lawsuit makes this point too, quoting Terry Crowley, CEO of TranSend, which makes EMV software. He says that writing code to make the terminals work has become infinitely more complex in recent years. According to the lawsuit:
"Crowley said that while software code for card-accepting devices was historically simple enough to be written on the back of a business card. 'Now with EMV, that same software wraps around the walls of a room three times ... hundreds of thousands of lines of code.' With the Liability Shift deadline having passed, Crowley says, suddenly there is a 'fire drill' to replace all of this simple software, compounded by the facts that the EMV code is hard to write, harder to certify and that few EMV software developers understand the U.S. market."
Mobile in the mix
Complicating matters more, the switch to chip cards is hardly the only change happening in the way consumers pay for things at checkout. Stores are trying to be ready to accept mobile payments, like Apple Pay or Samsung Pay, also.
"A number of merchants have decided to rollout other payments technologies at the same time of an EMV rollout which creates a more complex -- time consuming -- deployment," Moeser said.
Vanderhoof is optimistic that the problem is temporary, and the payment industry will work through the backlog in fairly short order. The EMV Migration Forum believes 50 percent of terminals will be enabled by the end of this year, and 90 percent by the end of 2017.
But for now, many merchants are blaming the banking industry -- and the Florida store lawsuit accuses banks of knowingly conspiring to hand them the bill for fraud.
"What defendants knew, but Milam's Market, Grove Liquors and the rest of the Class did not and could not know, was that purchasing new (point of sale) equipment and training their staff was not going to be enough," the lawsuit says. "Requiring working EMV hardware and software by the Oct. 1 deadline were conditions, it would turn out, which were impossible for the Class members to meet and which the Networks, the Issuing Banks and (industry) knew were impossible to meet."
Consumers generally aren't held liable for unauthorized charges, but that doesn't mean you shouldn't monitor your financial accounts regularly for fraud. You can also monitor your credit if you have reason to believe your personal information was compromised alongside your payment information. A sudden drop in credit scores can be a sign identity theft is occurring. (You can keep an eye on your credit by viewing your two free credit scores each month on Credit.com.)