The new payment technology represents a significant security improvement, but caveats remain. The mandate applies to credit cards but not yet debit cards, and concessions made to the U.S. consumer -- namely, the lack of a required PIN -- make EMV payments less secure than in Canada or Europe. The upside is that the EMV hardware installed by merchants lays a foundation for even more advanced payment methods in the future.
Most U.S. EMV card readers come with NFC radios for electronic payment systems like Apple Pay and Android Pay, but that radio technology is not part of the EMV specification. However, Apple timed Apple Pay's debut well to take advantage of the reader switchover, and card reader makers put the necessary radio technology in the new terminals they had to make to support the EMV chips. That also gave a boost to the little-used Google Wallet, which predated Apple Pay by several years and whose revamped service is now called Android Pay.
Merchants: Switch or suffer the risk
There are three players in the payment card equation:
- The card networks and processors that handle payments
- The banks that issue cards to consumers
- The retailers and merchants who accept cards from consumers
The switchover to EMV required changes across the board: The processors updated their systems to process transactions from EMV cards, the banks issued new chip-enabled cards to all their customers, and the retailers had to upgrade the card readers and point-of-sale systems to accept the chip cards.
The liability is now spread between banks and merchants. If the criminal uses a cloned card at a merchant that has not switched to EMV, then the merchant is completely liable for all costs associated with the fraud. But if the card did not have a chip in the first place, then the bank that issued the card is liable.
"It's a carrot/stick approach" to get all players EMV-compliant, said Deborah Baxley, a principal for the Cards & Payments practice at Capgemini Financial Services. There are plenty of "carrots" to upgrade sooner rather than later -- such as reducing liability and penalties for retailers with a lot of terminals if they have updated the majority of their equipment.
The two exceptions to the EMV rule are gas station pumps and ATMs, which have two more years to upgrade their readers because the technology is much more complex than that of point-of-sale terminals. Private label cards, such as the cards issued by retailers, are not included in this switchover. Debit cards have also been delayed for EMV, as the issuers and card networks had to come up with a different approach. The Dodd-Frank Act requires debit cards to be able to work on two independent networks, which is counter to EMV, Baxley said.