A little over a year ago, the mandate for EMV migration officially went into effect in the United States, kicking off a massive national transition to new payment cards and terminals. At Money20/20, a recent digital banking and payment conference in Las Vegas, experts reflected on the implementation of EMV standards and sized up progress 12 months into the transition. Penetration of EMV is progressing, but substantial confusion looms among merchants, while fraud has shifted into digital, card-not-present commerce.
According to Julie Conroy, research director for Aite Group's retail banking and payment practice, the clearest success in EMV implementation comes on behalf of card issuers. She estimates that the penetration of chip cards among U.S. cardholders stands at around 94% for credit cards and 72% for debit cards.
But Conroy emphasized that chip cards are low-hanging fruit relative to the scale of the aggregate EMV transition. Issuing EMV-compliant chip cards is a straightforward process between card issuers and customers. Marginal cost of switching is low for both parties, and customers face compelling incentives to use the card, chief among them the lower risk of card fraud.
For merchants, however, EMV migration has been fraught with confusion and bottlenecks that sum to a generally slower rate of EMV point-of-sale adoption among retailers. Aite Group noted that since the mandate for EMV rolled out in in October 2015, approximately 30% of merchants have installed EMV-compliant payment terminals. Conroy expects that by the end of 2017, this will double to over 65% of POS terminals. Based on EMV migration experience in other countries, full deployment of EMV terminals in the U.S. isn't expected to emerge for three to four years.
The hold up in merchant implantation stems from two key issues. First, around 20% of merchants simply do not understand the EMV mandate and implications of the associated liability shift, according to Conroy. The second and more prominent reason is a bottleneck in the certification process of merchant EMV software systems. Certification grows more sophisticated relative to the size of the merchant. For small businesses, the less onerous "level 1" certification is rather quick. As the size of retailer scales, certification becomes more complex, requiring security and compatibility testing by EMVco, the specification body responsible for setting standards and ensuring global interoperability.
Further complicating matters for merchants is the steady rise in fraud opportunity posed by card-not-present retail situations, predominantly in ecommerce or mobile transactions. Because chip cards have largely eliminated in-store fraud at the point of sale, criminals have shifted to exploiting weaknesses in online retail. To gauge the scale and financial impact of fraud, research firm Javelin and payment security provider Vesta conducted a survey of 500 retailers with more than $1 million in 2015 annual revenue.
Findings indicate that fraud management consumed 13% to 20% of operational budgets in 2015, depending on the relative scale of each firm's digital sales channel. "Buying online and picking up in-store is the latest fad in circumventing the EMV in the physical environment," according to Al Pascual, research director and head of fraud and security at Javelin. Mobile also presents serious challenges because the faster security and fulfillment characteristics mean authentication parameters are less sophisticated.
The survey found that over half of digital goods retailers expect increased fraud and chargeback management costs in the coming year. Findings also revealed that 49% of charge-back losses is coming from online channels, three times the quantity of in-person chargeback fraud, while 16% is coming from mobile.
To address the growing concern of card-not-present fraud, EMVCo Director of Operations Brian Byrne detailed the impending roll-out of EMV 3DS. These new specifications will bring more robust authentication measures to the online and mobile checkout process. The standard relies on the sharing of data between issuers, banks and merchants to enable "risk-based authentication," depending on the context and available information such as geo-location and type of device to determine the level of extra scrutiny required before authorization. These more advanced security challenges will include one time passcodes and biometric authentication protocols.
Most importantly, enhanced standards include enhanced functionality that enables merchants to integrate the authentication process into their app or browser-based channels. The EMV 3DS 2.0 specifications were just published in October 2016, and new solutions are expected to be implemented in the marketplace in the coming months.