Corridor merchants wait on EMV upgrades

By Chase Castle

A new measure intended to fight payment card fraud went into effect nationwide on Oct. 1, but most Eastern Iowa businesses appear slow to adopt the new technology, due to compatibility issues and an overall lack of urgency.

Starting this month, liability for fraudulent in-store purchases made with MasterCard, Visa and American Express cards shifts to whichever party has not yet adopted the chip-based technology known as EMV. That means the financial institution that issued the card or the merchant that facilitated the transaction may now be responsible for disputed charges, depending on which party was least EMV-compliant.

Prior to the change, consumer losses from a stolen, counterfeit or compromised card generally fell on the issuing bank or payment processor, depending on the card’s terms and conditions.

“That’s the whole point of this,” said Patrick Dix, who heads public relations for the electronic funds transfer service Shazam, headquartered in Johnston. “They’d [credit card companies] like to shift the liability over to merchants, and encourage the merchant to use this technology.”

EMV (short for Europay, MasterCard, Visa) technology improves on standard payment cards’ magnetic stripes by using an integrated circuit card that generates a one-time, unique code for each transaction. The code is then sent over a network to the customer’s bank or lender, which verifies the code’s authenticity and sends confirmation back to the terminal.

The effort to enhance consumer protections follows multiple breaches of customer credit card information in the U.S. In late 2013, account information was stolen from about 40 million credit and debit card users who had completed transactions at Target stores. The following year, malware installed on Home Depot’s point-of-sale systems was used to steal card information from roughly 56 million customer accounts. In March, Target agreed to pay $10 million to customers affected by the data breach, according to a settlement reached in U.S. District Court.

Those high-profile breaches added urgency to the multiyear plans by major U.S. financial service corporations to adopt EMV technology, beginning with Visa in 2011. That year, the company announced plans to accelerate chip migration and introduced new incentives and penalties for retailers. MasterCard, American Express and Discover announced similar initiatives the following year.

Edgar McGuire, owner of Bootlegin’ Barzini’s specialty liquor in Coralville, said the changes are overdue. Shortly after the shop opened in 2006, he said, some customers would make purchases and later claim to their bank or credit card provider that they were never at the store. He said purchases from those cases added up each month to about $200 – money that, going forward, individual businesses are more likely to be held liable for.

“Obviously, being a small business, every penny counts,” Mr. McGuire said. “So I think that they’re going to spread out that liability, and that makes sense. We’ve waited too long.”

Mr. McGuire said he’s already purchased two EMV card readers for about $300 each. Like many of his colleagues, however, he found that few options were available. His business’s point-of-sale system under the software company Intuit was only compatible with one card reader model, he said.

“We’re actually talking about changing POS systems because of that whole reason,” he said.

Last year, both Walmart and Target said all of the companies’ stores would have EMV-compliant payment terminals active by the end of 2014. However, the vast majority of U.S. businesses haven’t made the change.

Hy-Vee, for example, began readying chip-enabled payment terminals in stores years ago, according to company spokesperson Tara Deering-Hansen, but the company’s partnered vendors don’t yet offer the software needed to communicate with the EMV card readers.

“We are pushing our vendor partners to make this happen as quickly as possible,” she said in an email. “But realistically, especially with the holidays quickly approaching, it will now be launched in our stores shortly after the first of the year.”

According to The Strawhecker Group, a consulting firm for the payments industry, only about 27 percent of U.S. merchants were EMV-ready this month. Mr. Dix said that in addition to the deterrent of hardware costs and compatibility issues with existing payment networks, many businesses will need to train employees how to use the new machines.

“And that’s not insignificant,” he said, noting that even customers are likely to need some guidance as they get acclimated to inserting their cards into a reader for the duration of the transaction. “That’s an important thing to point out – that this is going to take a little getting used to for everyone.”

Sanja Hunt, owner of Every Bloomin’ Thing flower shop in Iowa City, welcomed the change. She’s awaiting hardware that’s fully compatible with her business’s credit card processor, Velocity, of Downers Grove, Illinois, and plans to switch immediately when it becomes available.

“I think it’s a great idea, and it should have happened a long time ago,” Ms. Hunt said. “It’s ridiculous how many cards we get that have been compromised.”

Card security issues are so common, she said, that she’s made a habit of telling customers whose cards are declined to contact their bank, “because [fraud] happens with greater frequency than people not paying their bill.”

Internationally, the U.S. accounted for nearly half of the $16.3 billion that banks and merchants lost last year due to fraudulent card transactions, according to The Nilson Report, a research group focused on card and mobile payments. The research group said 49 percent of all card fraud losses in the U.S. resulted from counterfeit cards, which EMV technology targets. It also said U.S. customers represented nearly half of all gross card fraud losses worldwide, even though the U.S. only accounted for about 21 percent of the total card transaction volume.

“Multiple factors contributed to that gap,” Nilson Report Publisher David Robertson said in a news release. “Nothing mattered more than the lack of an EMV-compliant infrastructure.”

The chip-based card system has been used throughout Europe for several years. According to the cybercrime blog Krebs on Security, the U.S. is the last of the G20 nations to adopt the more secure technology.

For many businesses, however, there’s still little incentive to install EMV readers.

Dan Marquardt, owner of Zeppelins Bar & Grill in Cedar Rapids, said his restaurant processes more than $3 million annually in card transactions, but added that disputed purchases are extremely rare.

“We would look at it once it’s established and been running for a while, but it’s just not a high priority for us now,” Mr. Marquardt said.

Mr. Dix said some software providers with affiliates who manufacture card readers are likely pushing merchants to adopt the new technology. For businesses with a low frequency of theft occurrences, though, implementing the new safeguards may not yet be necessary, he said.

“There certainly are folks out there who are using the liability shift date to at least try to begin the conversation about selling something for themselves, and we just don’t believe that’s the right way to do this,” Mr. Dix said. “We’re not saying don’t do it. We’re saying, make the business case for doing it.”