Orange Leaf Frozen Yogurt, a small chain with exotic flavors like gingerbread and kiwi, is facing a tough technology choice: sink thousands of dollars into new credit card-reading machines by next year, or run the risk of fraud by waiting and adopting cheaper mobile-payment services.
By October 2015, Orange Leaf and most of the country’s 6 million small merchants that accept credit cards are supposed to be ready to take cards with an embedded chip for extra security -- or credit-card networks may consider them liable for some fraud in their stores. The new cards require a technology called EMV that helps prevent fraud by assigning a unique code for every transaction.
Another option is to delay EMV and press ahead with plans to take payments via mobile devices, often a more convenient approach that’s less expensive to implement and can even generate revenue for merchants by using smartphone applications to build relationships with customers.
“Using a mobile wallet is a better choice right now,” said Michael Christy, Orange Leaf’s director of information technology. “We can control that, and the technical requirements are minimal. We want to make sure we save our franchisees money.”
Christy’s choice underscores the dilemma facing millions of businesses seeking to avoid the data losses that have plagued Target Corp. and Neiman Marcus Group Ltd. -- while aiming to cut costs and embrace the boom in demand for smartphones that also offer useful payment methods. While big companies like Wal-Mart Stores Inc. can afford the costs of EMV, which can run as much as $1,000 per checkout lane, many smaller businesses are under pressure to convert to the chip cards just as mobile payments start to gain popularity.
“It’s unfortunate,” said Doug Brown, general manager of mobile at payment-technology provider FIS. “Longer-term, it’d be better if we could just skip a generation and just go to mobile payments.”
In five to seven years, more than half of in-store transactions will be made with mobile phones instead of plastic, said Brown, whose Jacksonville, Florida-based company helps more than 14,000 financial companies use payments including EMV and mobile.
Today, many businesses aren’t ready for EMV. According to Javelin Strategy & Research, only about one in five businesses with fewer than 10 employees will be outfitted for the new technology by next year’s deadline, which the credit-card companies refer to as the “liability shift” because retailers will need to assume more responsibility when people make fraudulent transactions in their stores.
To begin accepting EMV, stores have to get new equipment to read the cards’ internal security chips, and a signature or PIN are typically used to complete a sale. The technology is considered more secure because EMV cards create a unique code for each transaction, making them more difficult to hack or counterfeit than striped cards. All EMV cards also have magnetic stripes, so they can work on older store payment terminals. EMV is an acronym for Europay, MasterCard and Visa, the companies that are pushing its adoption.
While mobile-payment systems vary, they often work by storing credit-card data on a remote server and scanning a QR code with a phone.
Orange Leaf, which has 315 stores in the U.S., is rolling out a mobile-payment system for a quarter of the cost of EMV-capable technology, Christy said in an interview. The Oklahoma City-based yogurt chain is simply upgrading its current transaction software so customers can easily use a mobile-phone app from FIS and mobile-payment startup Paydiant Inc.
Orange Leaf’s current payment hardware can last another four to seven years, Christy said. Like many smaller merchants, it may make sense for him to wait to phase in EMV as his older hardware wears out.
Many small businesses don’t see enough fraud to justify upgrading their hardware and moving to the more secure cards, Richard Crone, chief executive officer of payment consultancy Crone Consulting LLC, said in an interview.
“The fraud is tiny, in terms of transactions,” Crone said. “You are talking about a minuscule amount.” Small businesses see fraud in 0.03 percent to 0.05 percent of all in-store transactions, he said; that means that a merchant with $500,000 in annual sales may see less than $250 in fraudulent sales a year. And the liability shift won’t even apply in some situations, such as when a customer’s bank hasn’t yet issued an EMV card.
Companies like FIS and Paydiant also help keep mobile transactions secure by storing and encrypting credit-card information on behalf of their clients. Some mobile-payment systems store financial data on the device itself, which could be more vulnerable to hackers.
Unlike EMV, mobile payments can help merchants boost revenue. Mobile applications give businesses a way to track loyalty-card holders, distribute coupons and publish ads. Mobile apps can also let consumers scan items with their phones and self-checkout from anywhere in the store.
Mobile payments can work in a variety of ways. Orange Leaf’s app will let consumers scan a special QR code with their phone at checkout. Consumers can use a credit card to upload money to be used through the app.
While many retailers are enthusiastic about mobile payments, consumers have been slow to embrace them. Starbucks Corp.’s mobile app now has 10 million users after being introduced nationwide in 2011, and mobile payments now account for more than 14 percent of tender in its company-operated stores in the U.S. and Canada. It takes time to train customers and employees to use a new payment system.
EMV cards require their own learning curve and may also lead to slower transactions since they have to be inserted into in-store terminals throughout the entire checkout process. Still, large stores will probably have to upgrade to EMV technology because they tend to see more fraud.
“They, obviously, have far more to be concerned about, at least in the initial liability-shift discussion,” said Greg Boardman, a senior vice president at Ingenico, one of the world’s biggest EMV-terminal makers. “Having said that, the small merchant doesn’t have the financial resources to absorb a lot of fraud loss.”