The retail industry is in a state of payment flux. Mobile wallets and mobile POS have been touted as the next wave of payment, promising to make the shopping experience more compelling and memorable for connected consumers.
But following the recent high-profile data breaches at Target and Neiman Marcus, mobile innovations are taking a figurative back seat to discussions around payment security — specifically how to prevent future breaches.
Many industry executives are speculating that if EMV had been in place, the breaches may not have occurred. Although industry experts offer different opinions on the potential effect of EMV on any type of data breach, most are in agreement that EMV would create a more secure overall retail environment. And with the fraud liability shift set to occur in October 2015, the discussions are heating up.
New predictions from the EMV Migration Forum assert that nationwide EMV chip adoption is poised for exponential growth in the next year. Today, there are between 17 million and 20 million EMV chip cards, and “millions of EMV-capable terminals and ATMs, some of which already accept EMV chip cards,” according to a statement from the Forum.
“In the last few months we have seen a dramatic shift in the interest and understanding of the benefits that EMV chip cards provide, particularly in helping to lessen the impacts of payment data breaches and to prevent counterfeit card fraud,” said Randy Vanderhoof, Director of the EMV Migration Forum. “As a result, the U.S. migration is accelerating and there is a refreshed urgency in resolving issues and moving forward as quickly as possible. I think in the next year we could see a hundred million or more chip cards issued and more than double the number of installed terminals.”
Yet there are a variety of challenges retailers face when embarking on the EMV journey, such as upgrading acceptance equipment including payment terminals and PIN pads; updating POS software that runs on the hardware; and assessing all “the bits and pieces that affect payment,” according to Erik Vlugt, VP of Product Marketing at VeriFone. “They all have to be looked at from an upgrade or certification standpoint.”
EMV: A Waiting Game?
Since there are so many factors to consider, some sources indicate that the EMV transition is a big “wait and see” for retailers.
“I get the feeling everyone is going to wait and see if card companies can actually issue all the cards, see if PINs are going to be required, and most importantly, if the hardware that’s needed is going to be purchased and installed within the next 18 months,” noted Andy Graham, President and Co-Founder of Infinite Peripherals.
While the move to EMV is important, it is not a panacea to end all security troubles, and it can be very costly, which is prompting retailers to rethink security investment plans and overall strategies.
“The cost of making the EMV cards and implementing the equipment are both high,” Graham said. “I think the hesitancy regarding EMV comes from the fact that all these data breaches are back-end hacks into servers; they don’t have as much to do with the POS terminal being tampered with or altered. That’s not where the big loss is coming from.”
Customers “dipping” or “tapping” their smart chip-enabled cards may help improve security at the point of sale, but EMV card data can still be used fraudulently, Vlugt noted. “EMV doesn’t take care of the data that comes from the card through the retailer’s network, so if a retailer gets breached in a meaningful way and data gets stolen, even if it came from an EMV chip card, there is still value to that data.”
Retailers also need to consider consumers who decide to use other forms of payment, such as cash, check or even mag stripe cards, while completing their purchases. In addition, it’s important to note that while EMV can help mitigate fraud for card-present payments, it doesn’t do much to address card-not-present payment, such as online transactions.
“Retailers should be prepared for EMV compliance, but they should also look at protecting data from legacy customers using mag stripe, contactless and mobile payment,” Vlugt said. “Using end-to-end encryption or tokenization can help encrypt all cardholder data so it’s not decrypted until it gets to the processor.”
Beyond conversations around EMV, more retailers also are looking to ensure compliance with PCI Security Standards, according to Holland. “After the very public data breaches took place in 2013, all retailers are focused on their PCI scope management and securing private payment data.”
The Target and Neiman Marcus data breaches caused turmoil for millions of consumers and undoubtedly damaged the image of these retailers for an extended period of time. These events also have sparked a renewed focus on payment and data security, which can easily be considered a “silver lining,” according to Vlugt. “Merchants are looking at end-to-end encryption and want to step up security beyond the minimum compliance. It also has encouraged the entire industry to regroup on EMV.” The National Retail Federation (NRF) and the Retail Industry Leaders Association (RILA) both issued statements urging the industry to take measures necessary to better safeguard consumer data, as reported in a Retail TouchPoints article.
NRF President and CEO Matthew Shay issued a challenge to Congress to focus more on supporting “chip and PIN” technology, enforcing federal cybersecurity law and developing a uniform federal breach notification law. Shay also encouraged banks and card issuers to help move the industry forward. RILA supports some of the same initiatives, and stresses the importance of eliminating the mag stripe card and establishing more comprehensive guidelines for protecting consumer data.
The preceding article is Part 1 of the two-part Payment Update. Part 2 will be published in the April 15 newsletter.