Insights

The whole point of switching to EMV is to strengthen a retailers’ security—but truth be told, it’s really not very good at that.

In a new report, Forrester Research explained that retailers are more interested in investing in mobile and contactless payments that offer superior security to EMV. The research firm expects “more secure, encrypted and tokenized transactions on digital wallets, mobile-device based near-field communications (NFC) virtual cards, and EMV contactless payments” to provide strong competition to EMV chip cards.

Given those trends, widespread adoption of EMV is not expected until 2020.

Security concerns

In the wake of the 2013 Target breach, retailers began calling for faster EMV migration. Target itself announced last year that it was equipping all of its terminals with EMV technology. But as security reporter Brian Krebs, who broke the story on the Target breach, explained, EMV would not have prevented Target’s customer data from being stolen.

Forrester also raised this point in its report, noting that EMV without tokenization does not encrypt or protect card numbers and expiration dates transmitted during card transactions. “EMV is largely a bolt-on to existing card technologies to support a chip on the card that prevents counterfeiting, but it does nothing to prevent counterfeiting of cards,” the research firm wrote. In other words, criminals can still copy the card data and produce counterfeit magnetic stripe cards that will work at mag-stripe terminals, or online.

Encryption, meanwhile, could have prevented incidents like the Target and Home Depot breaches without EMV. Forrester noted that encryption consists of scrambling a card number by a point-of-sale (POS) terminal before it is sent anywhere on the payment network. Thus the malware used in those breaches—which collected card data as it passed through the systems—wouldn’t have worked; there would have been not data to intercept.

Given the weaknesses in EMV, retailers are looking to other methods of security. James Ward, vice president of credit for Belk Department Stores, told AFP that his department store already uses a solution that keeps the account numbers out of the system. “Our solution is point-to-point encryption from the PIN pad to the gateway,” he said. “From the gateway, they’ll decrypt it and send it off to the issuer, and then they’ll come back with an authorization. The gateway will then tokenize it so there’s no account number that’s ever in our system. If you have that card number in there, somebody’s going to find it. It’s just a matter of time.”

As for EMV, Ward said that Belk will eventually turn the function on, but probably not as of the October deadline. “We’ve got some other priorities to get done first,” he said. “We’re not international—we’re small; mostly in the Southeast. Our fraud is pretty small.”

Impact on the bottom line

A representative of a major retail trade association told AFP that some merchant segments are likely to wait until 2020 to fully implement EMV. “It all depends on the business and risk profile, their transactions and any unique challenges to their POS environment,” she said. “Even those that want to do it now are still facing backlog issues on specs, equipment and certifications. But for those moving ahead now, EMV should be a reality before 2020.”

Gas stations are one group that may not fully migrate to EMV for quite some time, given that the automated fuel dispenser (AFD) liability shift doesn’t take place until 2017. However, their POS systems in-store are still liable after October 2015, so they may ultimately opt to update all of their systems at once.

Moreover, the time a customer spends waiting in line is a huge issue for merchants and could be swaying their approach to EMV, the retail representative explained. “EMV transactions are 30 seconds, compared to five seconds for NFC transactions,” she said.

But the key issue here is trust in the retailer, and finding a security solution that reinforces that trust. A lack of trust clearly has heavy implications for a retailer’s bottom line. According to another recent study, 45 percent of U.S. shoppers do not trust retailers to keep their information safe. Furthermore, 12 percent of consumers said they would stop shopping at a retailer that incurred a breach, and 36 percent said they would shop there less frequently. For those who said they would return to the retailer, 79 percent said they would prefer to use cash instead of credit or debit cards.

Conversely, leaving your business liable for fraud also could seriously hurt you. Thus letting things go until 2020 also does not seem like a good option for many retailers. Even if a merchant makes major investments to accept Apple Pay, the upcoming Samsung Pay and other mobile solutions, it is unlikely that the majority of its customers will immediate begin paying with their phones. So while EMV migration may be a headache for most retailers, it might be worth the effort in the long run.