The chicken, the egg and the chip card
Depending on how you look at it, merchant and card issuer migration to EMV is either: a) a chicken-and-egg conundrum; or b) a Mexican standoff rivaling the cemetery scene in “The Good, The Bad and The Ugly.”
Will small banks mail out chip cards at $5 or more a pop knowing that they’ll be repeating the drill when some non-compliant retailer has a POS compromise? Will they keep doing what they’ve always done and eat the cost of card fraud until merchants get their act together and migrate to EMV en masse?
Will merchants foot the bill for EMV-enabled POS terminals and back-office upgrades, knowing that the vast majority of their transactions will still be mag-stripe until banks get with the program themselves?
“It’s been chicken and egg all along,” said Kelly Davis, EMV practice lead at Heitmeyer Consulting, an Ohio firm that provides technical and business services to small and medium-size FIs.
Davis has been through the EMV drill often in recent years, working with FIs across the Caribbean and Canada on their migrations, so she’s familiar with the “Who goes first?” dilemma.
“[W]e can have the chip cards out there, but as long as merchants are still swiping this card, we can still have the lost or stolen, we can still have the cloning, we can still have the compromises where we’re going to have to reissue another $5 card,” Davis said. “[W]e can start sending chip cards now, but if you’re not dipping at a merchant, it’s just an expensive mag-stripe card at this point.”
The nation’s largest financial and retail institutions seem to have settled the question — big banks and big boxes are mostly set to flip the EMV switch at 11:59:59 p.m. on Sept. 30.
For smaller FIs and merchants — most of which are still months or years away from EMV compliance — what happens after Oct. 1 remains to be seen. It will be educational viewing for the ATM industry, which has the MasterCard liability shift to look forward to in October 2016, exactly one year and one month from today.
“At this point … there’s still a lot of work to be done in the EMV space with regard to card issuance as well as FIs and credit unions getting their ATMs ready,” Davis said in an interview with ATM Marketplace. For the moment, she said, they’re just trying to get into EMV card manufacturers’ funnels, which are currently backed up and overflowing.
Unfortunately though, for many institutions, “fast” won’t translate to “soon.” Davis said that many of the banks and credit unions she works with have the same people managing both card and ATM portfolios, which leaves them short of human resources.
For these FIs, the ATM upgrade process can’t begin until the card issuance process ends. At which point, they’ll experience the same product availability and testing bottlenecks with manufacturers and testing service providers that they’re running into now with EMV card-makers.
“So it’s going to be getting onto that schedule [to get cards],” Davis said. “And then doing that rollout; you start with the branch ATMs, you upgrade those, you go to your remote ATMs and start upgrading those and you schedule however many ATMs can you upgrade in a week until your whole fleet is fully compliant.”
In the meantime, Davis said, fraud will grow exponentially, “because the fraudsters are going to realize which banks have not converted. So they’ll target that cardholder base and they’ll target those ATMs because you’re more likely to use your own bank’s ATM … So that’s the perfect time, you can put a skimmer on and it will read that mag-stripe.” Which, in short order, that bank or credit union’s ATMs will read again on a counterfeit card.
There’s no fast fix for this problem, Davis said. “You will just continue to eat the fraud loss like you do now and hope that you’re not targeted for a compromise because the fraudsters know that your financial institution has not issued chip cards,” she said.
Perhaps the best solution unmigrated providers have at their disposal is to take a careful look at their fraud prevention tools and implementations — something that Heitmeyer has done even with clients that have already prepared for Oct. 1.
“Even with the chip cards, my clients are looking at their neural nets on their fraud software,” said Davis. “Because, even though they’re chip cards, fraudsters could pick up the card, damage the chip so it falls back to mag-stripe, so issuers want to start looking at how many times their chip cards fall back to mag-strip or signature. Especially when it’s notated in the reporting that it was an EMV-capable terminal.”
At that point, the chicken or egg argument will be completely immaterial; the discussion will have moved along to determining whose goose is cooked.