Target Breach Spurs Retail Rush to Accept Tougher Credit CardsOlga Kharif and Bianca Vázquez Toness
After last year’s massive security breaches at Target Corp. and Neiman Marcus Group LLC, data-security professionals urged U.S. retailers to upgrade their credit and debit card technology to reduce fraud.
Companies have been slow to embrace the more secure payment systems that have been widely used in Europe and Asia for years, mostly because of the expense and a lack of synchronization among retailers, credit card providers, and banks, Bloomberg Businessweek reports in its April 14 edition.
Many companies are behind schedule in updating their systems to comply with a chip-based smart card standard known as EMV (for Europay-MasterCard-Visa, the companies that first backed the technology). Credit card networks have set an October 2015 deadline for most U.S. merchants to upgrade their payment systems.
EMV is considered more secure because it’s harder to copy account numbers and security codes from chips than from the magnetic strips on most cards used in the U.S. EMV cards create a unique code for each transaction, making them more difficult to hack or counterfeit than striped cards.
Merchant Warehouse, which processes credit and debit card transactions for 80,000 U.S. merchants, projects that only about 60 percent of its clients’ locations will be ready to accept chip-based cards by the deadline. More than half of U.S. merchants will miss the cutoff, said Richard Crone, chief executive officer of payments advisory firm Crone Consulting.
One reason for the delay is the upgrade’s high cost: $500 to $1,000 per payment terminal, according to researcher Javelin Strategy & Research, a division of Greenwich Associates. Retailers are also concerned that the switch will slow checkout times and that it remains unclear how the EMV software will work with debit cards.
“It is not a question of just turning it on,” said Margaret Chabris, a spokeswoman for 7-Eleven Inc. “EMV specifications are still being finalized.”
Some of the biggest laggards are grocery stores and quick-service restaurants, many of which have to change entire payment processes in addition to technology, Crone said. Using a credit card at a drive-in or at a dining table is different when a PIN number has to be entered, he said, though not all EMV transactions require a PIN.
Some big retailers, including Wal-Mart Stores Inc., Kroger Co. and Target, have pushed ahead with the upgrade. Wal-Mart started updating its payment terminals in U.S. stores eight years ago. The company says it has progressed slowly because of a lack of industry support, despite the clear benefits.
“We saw the fact that it was being implemented in the U.K. and many other countries around the globe; we saw the fraud decrease once this solution was implemented,” said Mike Cook, assistant treasurer at Wal-Mart.
All of Wal-Mart’s 4,838 U.S. stores, including Sam’s Clubs, have the chip-based hardware in place. Of those, 1,000 have turned it on. By the end of this year, the company plans to have the new payment terminals running in all U.S. locations.
“We want to activate early if there are any problems or bugs to be worked out,” Cook said.
Kroger expects to be ready by the deadline after working for the past two years to incorporate the new technology, said Keith Dailey, a company spokesman.
“We believe chip-and-PIN is a good solution because it creates several additional layers of security without sacrificing customer convenience,” Dailey said. “That’s not to say this conversion can be accomplished with a simple flip of the switch. This will be a major effort to overhaul the entire payment processing infrastructure, which includes banks, credit card issuers and payment processors in addition to retailers.”
For terminals to provide added security, customers must have chip-enabled cards.
“Part of the reason we haven’t pushed faster is there’re just no cards out there for acceptance,” said Wal-Mart’s Cook.
Today, with about 1 billion cards in use in the U.S., just 20 million chip cards have been issued, according to Smart Card Alliance. Only 20 percent to 30 percent of U.S. cardholders will have the new cards by the deadline, said Nick Holland, an analyst at Javelin.
The new cards can cost as much as $2 each, compared with pennies for the magnetic-stripe models.
“We’ve got 10 million cards in inventory out in the field,” said Mark Putman, a senior vice president for First Data Corp., which offers prepaid card services. “At $2, we are probably looking at a $20 million investment, which I am going to defer for as long as possible.”
While retailers are willing to do their part to improve security, banks and card companies also have a responsibility to update their systems, according to the National Retail Federation. That includes making and issuing chip-enabled cards.
The price for not complying could be high. Credit card companies have said most retailers and banks will be liable for some fraudulent in-store transactions if they don’t have the new system.
Even that potential liability hasn’t been enough to light a fire under many retailers, said Julie Conroy, an analyst at Aite Group.
“Merchants aren’t crazy about this migration to EMV,” she said. “Many of them are fighting it tooth and nail.”