High-profile breaches of customer data at major retailers like Target and Home Depot over the past couple of years mean that in 2015, you’re more likely to find something new in your wallet: a credit or debit card with a computer chip embedded in it.
That microprocessor is the key to a system intended to provide increased security for customers, merchants, banks and credit card companies against fraud from counterfeited cards. The technology is called EMV (it gets its name from credit card companies Europay, MasterCard and Visa). It has been the standard for payment plastic in Europe and Asia for years, and it’s becoming prevalent in Canada and Latin America. According to EMVCo LLC, which oversees the development of worldwide EMV card standards, there are almost 2.4 billion EMV cards in circulation worldwide, and almost 37 million EMV-capable card terminals.
But in the U.S., issuance of EMV cards — also called chip cards or smart cards — has been minimal by comparison. Up until the past couple of years, most of the chip cards issued here were corporate cards or for customers who travel overseas. By the end of 2013, only about 10 million chip cards were issued in the U.S., out of about 1.2 billion total cards in American circulation. And while almost every store and restaurant can take magnetic-stripe cards, there were only about 2 million EMV-capable terminals that can communicate with the new cards.
That will change dramatically this year.
Throughout 2015, banks from huge multinationals to small community institutions are ramping up their efforts to get new chip cards into the hands of their customers. Most are replacing old magnetic-stripe cards as they expire with new chip cards (which will still have a magnetic stripe for older card readers). The EMV Migration Forum, which is steering U.S. adoption of the new technology, estimates that by the end of this year, the number of chip cards issued in the U.S. will grow to about 600 million, or about half of the cards in circulation.
It’s also an important year for merchants who accept credit and debit cards. From retail giants to fast-food places to mom-and-pop merchants, businesses face a looming October deadline (set by the major card companies) for what the payment industry calls a liability shift for counterfeit card transactions. That means that unless a merchant has installed and activated card readers capable of processing a chip-card transaction, the merchant — instead of the bank — shoulders the financial loss on any sales made on a counterfeited chip card on a magnetic-stripe-only reader.
That’s because the computer chip not only stores the customer’s payment information, but it also generates a special one-time-only code for each transaction, making it almost useless to try to counterfeit the chip. By contrast, the magnetic stripe on the back of the card can still be easily counterfeited, and older card readers can’t tell if the card is authentic or a fake.
The EMV Migration Forum anticipates that by the end of this year, the number of EMV chip-enabled terminals in the U.S. will reach about 7 million.
Jim Ford, president of Fresno-based Central Valley Community Bank, described the EMV process as an encrypted “handshake” of recognition between the chip embedded in the card and the merchant’s card reader, and then between the card reader and the credit-card payment processor. “It’s a good and important step for banks and processors to get done on behalf of consumers,” Ford said.
Adoption in the Valley
In the central San Joaquin Valley, shoppers are spotting new EMV chip-card readers popping up at places like Target — the national chain that felt the sting of a huge data breach during the 2013 holiday season — and Walmart. Those stores and others are adopting the technology not only in the card readers at their cash registers but also in the branded credit cards they issue.
Save Mart, the Modesto-based supermarket chain, also is putting EMV readers at the checkout lanes in its stores in the Valley. In 2011, thieves tampered with magnetic-stripe card readers at 24 of the company’s Lucky Stores in the Bay Area, skimming payment information from the cards of at least 500 customers who used the stores’ self-checkout lanes. In the weeks after that breach, Save Mart inspected or replaced more than 2,500 card readers at all 233 of the chain’s Save Mart, Food Maxx, Maxx Value Foods and S-Mart Foods stores in Northern California and Nevada.
At the Fig Garden Village shopping center in northwest Fresno, many of the small independent merchants or franchise owners don’t yet have EMV-capable readers, and some are only now learning about the financial liability they could feel if they don’t upgrade their card readers.
At olive-oil and specialty cooking store We Olive, franchise owner Zona Rogers said the store just put in a new computer system, but it does not include a chip-card reader. Smaller businesses like hers are faced with weighing the cost of a new card reader — which can cost several hundred dollars or more apiece — against their risk of loss from unwittingly accepting a counterfeit card. “I can’t make that decision until we know the cost,” Rogers said.
Rogers added that she and her husband have been victims of thieves who managed to skim their information from the magentic stripe on one of their banking cards, so she understands the risk. “It’s scary. Who carries cash anymore?” she said. “We’re going to have to get up to speed with this.”
Several other Fig Garden independent merchants like wine store Bella Vino Cellar and Orloff Jewelers are also yet to adopt EMV technology. Jeweler James Orloff said the new chip technology “is definitely on our agenda” and added that he will soon be attending a workshop to learn more about EMV. “It’s not a bad idea, and in the long run it could be a great opportunity.”
Bella Vino owner Tony Mehrtash said his bank sends him plenty of information about new payment systems like Apple’s new ApplePay, where people use their phone to pay at the cash register. But he said he’s heard nary a word from the bank about EMV chip cards and doesn’t have an EMV card terminal. He was surprised to learn about the liability shift if he doesn’t convert his card machine. “It sounds like the big banks are covering their own butts and leaving the small businesses behind,” he said. “This is something we will have to look at.”
One Fig Garden merchant who has converted his card terminal is Aporjon Leather & Luggage owner Craig Pokorny, who estimated that about one out of every eight credit card customers at his store uses an EMV chip card. He upgraded his reader just in time for the holiday shopping season.
“First of all, there’s this mandate, with Visa and MasterCard strongly suggesting that we use the new technology, and our liability goes up if fraud has occurred,” he said. “But also, we want to protect our customers as much as we can. We want to do anything we can do to prevent fraud and keep everyone happy.”
Robin Trickel, executive director of product compliance for New Jersey-based card processor Heartland Payment Systems, said the conversion will ultimately benefit both banks and merchants. “We’re going to have less disputes due to stolen cards and stolen card data,” she said in an EMV Migration Forum industry seminar last fall. “We’re all making an investment to reduce the overall value of card data to hackers by moving toward the elimination of the magstripe from the system.”
“Also, you don’t want to be that merchant that’s been left behind without the ability to accept chip cards when others can,” Trickel added. “Upgrading is going to show your customers that you take security seriously and have invested in protecting the overall payment ecosystem.”
In addition to this year’s liability shift for retailers and merchants, another key deadline comes in October 2017, when pay-at-the-pump gas stations will need to either adopt EMV-capable technology or face a similar shift in liability from banks and credit card companies. ATM operators are also being urged to upgrade to EMV capability by 2016 or 2017, depending on their debit-card network.
Slow on the uptake
American banks are playing catch-up to much of the rest of the world when it comes to issuing new EMV chip cards. “Mostly it is because the U.S. payments market is the largest and most complex market in the world,” EMV Migration Forum director Randy Vanderhoof said last fall. The U.S. has more card-issuing institutions, more payment processing companies, more ATM operators and more types of different cards in play, all based on the older mag-stripe technology. “Each type of payment card, such as consumer debit and credit, corporate charge cards, retail charge cards and various traveler and loyalty cards, all support different features and have different practices when it comes to cardholder verification,” Vanderhoof said.
In the Valley, community banks are easing into the transition. Central Valley Community’s Ford said his bank expects to announce its card rollout soon. “We’re vendor-dependent,” he said. “We have a third-party processor because we don’t have a lot of these things in-house.”
Central Valley Community hires an outside company to handle credit-card processing for its merchant banking customers, “and they will be reaching out to our customers who use their equipment to see what upgrades they want to make.” The bank also has a vendor who manufactures and issues its credit and debit cards, and Ford said he anticipates Central Valley Community will do as larger banks have done and replace customers’ cards as they expire.
It’s not cheap. Industry experts peg the cost of issuing a chip-embedded card at $2.20 to $3.50 or more per card, compared to about 50 cents or so for a mag-stripe card. “The cards are more expensive to produce, so banks will bear a slightly higher cost,” Ford said. “And the merchants will bear a higher cost for equipment. … But in time we all hope to recoup those costs through lower card-fraud losses.”
Bank of America, the national bank with the most branches in the Valley, began issuing EMV credit cards about two years ago, increasing the portfolio of cards offering the chip technology. Last fall, it announced that it is adding chips to its debit cards “and we hope to have the majority of cards transferred by the end of this year,” said Betty Riess, a BofA spokeswoman for issues related to consumer credit and debit cards.
If a BofA customer wants to replace his or her old mag-stripe card before it expires with a chip card, Riess said they can request it online or at their bank branch.
Another major bank serving the Valley, Citibank, is issuing all of its new credit cards with chips as well — more than 10 million Citi MasterCard and Visa accounts to date, said Emily Collins, a Citibank spokeswoman. “For the majority of our credit card customers, if they wish to request a chip-enabled card they can make the request online or by calling customer service.” Collins added that Citi expects to begin issuing EMV-enabled debit cards this year.
By the end of 2016, the EMV Migration Forum expects about 900 million chip cards to be issued in the U.S., with about 9.5 million EMV terminals in use by merchants.
Bank of America, Citi and most other credit card issuers’ credit cards will require a signature as a way to verify that the person using the card is the person who owns the card — a system called chip-and-signature. In Europe and elsewhere in the world, however, chip-and-PIN systems are in use, with the encoded chip proving to the card-reading machine that the card is authentic and not counterfeit, and a PIN code proving the identity of the cardholder.
John Kiernan, a senior analyst at CardHub.com, acknowledged that a chip-and-PIN system offers an additional layer of security against lost or stolen cards. “But there’s a reason why the payment establishments are pushing signatures, and that it’s an easier stepping stone for consumers; it’s easier to adapt,” he said. “People are used to signing for their purchases when they use a credit card.”