Migrating U.S. payment systems to the Europay MasterCard Visa (EMV) smartcard standard could take significantly longer than envisioned and offer fewer security benefits than what's being touted by proponents of the technology.
In the weeks following the massive data breach at Target, the EMV standard has received considerable attention from stakeholders in the payment industry and from lawmakers.
Cards based on the EMV standard use an embedded microprocessor instead of a magnetic stripe to store cardholder data. Typically, cardholders need to authenticate themselves with a Personal Identification Number (PIN) when using the card.
Chip-and-PIN credit and debit cards are considered significantly safer than magnetic stripe cards used in the U.S. Though the rest of the world moved to chip-and-PIN long ago, the U.S., for a various reasons, has lagged in adopting the technology.
But the Target breach appears to have convinced many that the time has finally come to cast aside reservations about EMV and move to it wholesale.
Even before the breach, MasterCard and Visa announced that they want merchants and card issuers to be ready for EMV card transactions by October 2015. They have noted that the liability for any fraud that occurs at point-of-sale terminals will shift either to the merchant or the card-issuing bank after that date.
If the retailer's point-of-sale systems are EMV-ready but the card-issuing bank's cards are not EMV-compliant, the cost of any fraudulent transactions associated with those cards would be borne by the bank after October 15, 2015. On the other hand, if the bank is EMV-ready but the merchant's POS does not support the technology, the merchant would bear responsibility for any fraud.
Gas station owners will have an additional two years to migrate automated fuel dispensers to EMV before the liability switch occurs.
Despite continuing reservations about the deadlines, MasterCard and Visa solidified their plans only in the weeks since the Target breach. Senior executives from both card associations publicly confirmed their intention to stick with their EMV implementation roadmaps, citing the Target breach as an example of why the move is needed.
The problem is that moving over the EMV won't be easy, but it will be expensive.
1. Upgrading to EMV will cost billions
One of the biggest obstacles is cost. POS systems capable of reading EMV cards can cost hundreds of dollars apiece. Retailers like Target can expect to pay tens of millions of dollars just swapping out the hardware. In addition, they will also need to spend on software, testing and deployment.
Gray Taylor, executive director of the Petroleum Convenience Alliance for Technology Standards (PCATS), a trade group representing convenience store and petroleum retailers, expects his industry will have to spend up to $4 billion to swap out an estimated 800,000 POS systems.
Gray estimates that across the U.S., merchants will need to either replace or upgrade an estimated 13 million POS systems to be ready for EMV card transactions. "That is a big expense that we are going to have to pass down to the consumer," Taylor said.
In addition, card-issuing banks will need to spend tens of millions to upgrade their networks and internal systems if they want to be ready for PIN debit and PIN credit transactions.