Shoppers love credit cards for quick and easy purchases. Retailers? Not so much. One big problem is fraud: Transactions with bogus plastic can drain significant sums from a merchant’s bottom line.
In a move to address security concerns, the card industry has introduced plastic with embedded chips highly resistant to counterfeiting. Even so, many merchants are delaying the costly investments required to upgrade their point-of-sale (POS) terminals to read the new technology.
“By late 2016, only 44 percent of U.S. merchants of all kinds had installed chip-reading terminals,” says Jared Drieling, Business Intelligence Manager at The Strawhecker Group, an Omaha-based consulting firm specializing in the electronic payments industry (thestrawgroup.com). “And only 29 percent of merchants had activated such terminals to actually accept transactions.”
And retailers specifically? The National Retail Federation reported that 48 percent of its members had upgraded their equipment by the middle of 2016. While the association said that most retailers were expecting to undertake the upgrade by the end of 2016, that rosy forecast was far from assured for a market that remains less than thrilled with the new technology. “Retailers are dragging their feet,” says Fran Howarth, senior analyst for security at Bloor Research, Amsterdam (bloor.edu).
Smaller retailers are especially prone to delay. “Larger merchants have the resources to become compliant with chip cards,” says Paul A. Rianda, an Irvine, Calif.,-based attorney specializing in the bankcard industry (riandalaw.com). “While many smaller ones selling low ticket items may not care as much about the potential chargeback liability.”
So what’s the big deal with the new chip cards? Thieves have become skilled at compromising the traditional “stripe and swipe” credit cards popular in the United States over the past several decades. That’s because the sensitive customer data stored in the magnetic stripe is easily duplicated.
“Crooks have been creating counterfeit cards by copying the magnetic stripe,” says James E. Dion, president of Dionco Inc., a Chicago-based retail consulting firm (www.dionco.com). And the tactic is profitable. “Until the consumer discovers a suspicious transaction on a monthly report, and reports the matter to the bank, the merchant has no way of knowing the card is bad. That’s where the danger lies.”
The new cards, dubbed “chip and signature,” improve matters by storing customer data in a hard-to-duplicate chip instead of a magnetic stripe. New POS terminals read the chip and transmit a one-time-only code to the bank, which approves the transaction and returns an authorization. Because the transmitted data is invalid for any future transaction, criminals gain nothing by stealing it.
That’s a big change from the old stripe and swipe cards, where each transaction involved nothing but a straightforward check against a banks’ negative database. If no stolen number was discovered, the transaction was accepted. In the meantime, crooks could obtain customer data while it was being transmitted to the card processor or while it was stored on the merchant’s computer. Either theft can lead to compromised cards, causing inconvenienced customers to stop shopping at a retailer they no longer trust.
If the new technology sounds like a good way to reduce customer ill will, there’s an even bigger motivation for retailers to upgrade: avoiding liability for fraudulent charges. “With the old stripe and swipe cards, merchants were not responsible if someone used a fraudulent card,” says Dion. The rules have changed. “Now the merchant without certified and tested chip-reading POS terminals is on the hook.” (Retailers’ liability for fraudulent transactions made over the Internet remains unchanged.)
Given the new liability rules, merchants selling high ticket items will be clearly at risk and will have an incentive to upgrade. Others may have second thoughts. “A merchant doing smaller transactions, say $50 or less, and who maybe gets fewer than a dozen bad transactions a year, may be okay without upgrading to chip card capability,” says Dion.
Even so, retailers currently seeing no fraudulent activity need to carefully consider the potential for a dangerous change in the security environment. “Now that the window of opportunity is closing at merchants who have upgraded their hardware and software, criminals must hunt other targets,” cautions Drieling.
Such as? So-called “card not present” transactions made over the Internet, where customers present no physical card, are expected to experience more fraudulent activity. And many smaller and mid-sized merchants who have not upgraded their POS equipment because they previously experienced little fraud may also become targets of crooks who realize they can get away with using counterfeit plastic. By the time the fraudulent transactions are discovered, the cooks are long gone. And the retailer is on the hook for both the lost merchandise and the transaction money.
Of course, it’s difficult or impossible to quantify the potential costs of a change in a retailer’s risk profile. And against that uncertainty, the merchant must weigh what can amount to a significant financial outlay to get new equipment installed. “One terminal might cost you a few hundred dollars,” says Rianda. “But if you have a whole system that needs to be replaced, you might need to spend tens of thousands of dollars.”
To that, add the time required to negotiate with equipment vendors and make sure the new system is working correctly. “Bear in mind that the transition can be complex and time consuming,” says Drieling. Merchants must not only arrange to have the equipment installed, but must also have the hardware certified and then tested.”
Therein lies delay. “There was a big rush early in 2016 to get terminals installed, and things got backed up,” says Drieling. “That in turn led to bottlenecks in the certification and testing process with merchant processors. Medium and large sized merchants have had an especially challenging time because of customer rewards and other programs integrated with their POS equipment.”
Even retailers who got an early start on the transition ran into unexpected issues. “Merchants who saw this change coming a couple of years ago specified chip card upgradeability for purchased or leased credit card terminals,” says Dion. “Even with those terminals, though, the ability to take the new cards requires a pretty significant software installation, and some hardware simply did not have sufficient internal memory.”
There’s still another reason retailers resist the new system. As any shopper knows, the new technology causes delays at checkout. “The POS terminal reads the chip, generates a one-time only security code, and then sends that code to the bank which certifies the card as real or counterfeit,” says Dion. “That can take up to 15 to 20 seconds. That’s a long time compared to the old quick swipe, and it’s a big concern at high volume retailers. The card companies are working on enhancements that will speed up the handshake and the approval process.”
Signature versus PIN
There’s one more reason to resist an upgrade: Another costly investment may be required down the road if the card industry opts to switch to a so-called “chip and PIN” system that requires customers to verify themselves with a numerical code rather than a signature.
Used throughout much of the world, chip and PIN has the great advantage of making it much tougher for a crook to use a lost or stolen credit card. A thief would have to know the secret PIN code, rather than scrawl an all-too-common illegible signature to facilitate a fraudulent transaction. “Why we didn’t go chip and PIN right away is a real head scratcher,” says Dion. “There is only a very slight difference in the hardware. Ultimately the industry will go that direction, because merchants are not trained to be handwriting analysts.”
Not everyone agrees that chip and PIN is sufficiently better to justify the cost. “There are good arguments on both sides of the table,” says Drieling. “Chip and signature may be a better transition because not all merchants have a PIN pad, and getting one means additional cost.” Additionally, customers may resist using PIN cards because of the need to remember numerous PIN numbers for all their cards.
Too, the upgrade cost may keep the industry from shifting to a chip and PIN system. “After experiencing the headaches of the current transition, merchants will not want to revisit the expensive and time consuming terminal refresh process five years down the road,” says Drieling.
Even if the industry were suddenly to shift to all chip and PIN cards, merchants would still be on the hook for any losses incurred for transactions made over POS equipment that has not been upgraded to read chip cards. And there will always likely be some merchants who do not upgrade. “Cards will still need to have mag stripes for use at merchants lacking chip readers,” notes Drieling. In such cases, criminals can still conduct fraudulent transactions with nothing more than a scrawled signature.
Despite all the controversy, arguments about the new technology may be moot a few years hence. Many retailers have already started to invest in the next level of digital transactions: mobile payments. The move is driven by consumer preference: “Customers have become accustomed to using Google wallet and Apple Pay,” says Dion. “Their mobile devices are extensions of their arms.”
Many observers expect mobile payments to become the dominant transaction method over the next five to 10 years. “By that time,” says Drieling, “merchants might well be asking themselves, ‘Do we need a chip terminal at all?’”
In the meantime, though, retailers must continue to grapple with the shift to the latest forms of customer protection and transaction processing. The risk of liability for fraudulent transactions must be balanced against the time and cost required to upgrade equipment and the need to plan for additional improvements down the road.
Even so, the decision to upgrade POS equipment may depend less on these fine points of analysis and more on consumer pressure. “Customers judge merchants partly by their level of technology,” says Dion. “Even though customers are not liable for fraudulent transactions, when they see outdated POS equipment they are likely to ask themselves, ‘Why is this merchant not protecting my personal data?’”