According to new research provided from our friend Tom McCrohan of CLSA America's Research, less than 6 % of overall US merchants were set to meet the EMV deadline of October 1, 2015 for the shift of liability of fraudulent transactions. As of September 15th, only 314,000 merchant locations were ready. At the same time, only 21% of the Visa cards in the US and only 40% of MasterCard cards were now chip enabled at the point of the deadline. The research further found that only 40% of merchants would have terminals by the end of NEXT YEAR - 2016.
My take is this is a collective flipping the middle finger from the industry to Visa and MasterCard. As we have said multiple times, EMV as deployed in the US without a PIN is simply a massive waste of money. (The only benefit is authenticating that the card itself is a good card, not that the user is authorized. There is also no benefit for online or mobile transactions). And it provides a negative return to spend the money to upgrade to EMV compliance for the vast majority of retailers. On average, a -77% return-on-investment over 3 years!
As we highlighted in our research "EMV: Retail's $35Billion 'Money Pit'", the only place where EMV makes sense is Fuel Pumps (which are not mandated to be compliant until 2017) AND those retailers that sell merchandise that can be quickly converted to cash or sell gift cards to those same types of retailers. If you don't have a high fraud rate today, it's because your company doesn't sell merchandise that bad guys turn around and can sell easily for cash to a mass audience. EMV or not doesn't change that dynamic.
Further, as we have noted in the past the data is clear that where EMV is used, the fraud simply moves online. In fact, the latest research predicts online fraud will double within the first year.
If you are not on the front lines of fraudulent transactions, what do you need to do? Protect all your channels and protect yourself from data breach.
Enable end-to-end encryption on all of you channels for credit/debit.
Use a separate network that does not store data in transmission for authentication.
Use tokenization so that you are storing no data of value inside your company.
For online and mobile transactions, make sure you have some sort of challenge to first time uses of the cards on your site.
If you do these things you will protect yourselves from the real risk - a data breach. Then look at EMV on your schedule. Do your own ROI projections and decide for yourself if EMV is something of benefit to you.
This article was originally published by the IHL group on 10/2/15 at the following location.