The timing was fortuitous: About a week ago, just in time for some holiday shopping, my bank sent me my first-ever EMV-ready credit card, complete with gold chip displayed prominently on the front. Included in the welcome letter was a sentence informing me that the card was ready for the new generation of payments and already accepted by millions of merchants around the world. Fair enough; however, although I’ve done a fair bit of shopping since, as of yesterday morning, I’d yet to actually use the chip, only the regular magnetic stripe on the back.
Will any retailers be able to use the EMV chip?
On December 15, exactly 10 months before EMV becomes mandatory in the U.S. according to the major card networks’ deadline, Verifone’s CEO was quoted as saying that about 70 percent of “Tier 1” merchants — the largest national chains — currently have EMV terminals, with that number expected to be 90% by late next year. A little over a third of mid-sized retailers and just under a quarter of small businesses also have the technology, according to Verifone’s best guess. I called my bank to make sure that the network was ready for it — that is, whether a chip-based transaction would actually go through if the merchant was ready for it — and was told that yes, it would indeed work.
Encouraged, I set out to do some shopping with a single goal in mind: To find a store that was ready for EMV, and to actually execute a transaction using the chip on my new card. It shouldn’t take too long, right?
My first stop was at a Dairy Queen at the near end of the local shopping center: A big national chain that ought to have the terminals, so with a little luck, my task would be over quickly and I’d get something tasty to eat. I walked up to the counter ready to order, and asked the cashier if they would take my card. Alas, while he knew roughly what it was, and that it was used for security, all they had was a standard swipe reader. No luck.
Undaunted, I went next door to Super Cuts, the nationwide haircut chain, and found another standard magstripe reader; then the same at the adjacent UPS Store. Employees at both stores couldn’t understand why I would want to use a chip if the card had a magnetic stripe on the back as well. Ditto for Rite Aid, Radio Shack, Stater Bros. (a local Southern California grocery store) McDonalds, and apparently Starbucks – the line was nearly out the door in that case, so I didn’t try to order anything, but there was no EMV reader in sight.
Finally, a bit of luck at a mom-and-pop clothing boutique: Right there on the counter was an EMV-enabled card reader, with the arrows around the EMV slot lit up. Excitedly — probably a bit too excitedly for a credit card transaction — I asked the owner if my chip card would work there.
Sadly, it wouldn’t: “No, we just use this for debit cards,” she noted glumly.
“But that’s an EMV slot right there on the bottom,” I said. “Are you sure the chip won’t work?”
“I don’t even know what that is,” she said and shrugged. Similar scenes would be repeated many times at the smaller stores: A pool supply shop, a spa, a jewelry store, a Japanese restaurant, a pizza place, a Hawaiian barbecue, a couple of travel and insurance agencies, and several more. In fact, besides that boutique, only one out of about 20 other small businesses even had an EMV-enabled reader, and the cashier there also didn’t know what it was. The rest not only didn’t have a reader, but only two employees — one of them the foreign-born owner of a European café — were more than vaguely aware of it, much less that it was going to be required in less than a year.
The local Ralphs (the West Coast’s version of Kroger) offered a glimmer of hope, as their terminals all had EMV slots at the bottom; however, they were not turned on yet, so my card didn’t even register. At GameStop, the terminal had an EMV slot and the cashier recognized my card, but told me that only the magstripe reader was active.
At Trader Joe’s and the Sprint store, the machines appeared to have EMV slots that were physically blocked off by a piece of plastic (it wouldn’t come off with a gentle tug), and the employees were not aware of what it was. One employee at the Sprint store kept trying to tell me that the NFC contactless reader at the top of the terminal was where the EMV card was supposed to go (this will be true of certain contactless EMV cards in the future, but the majority of chips in America will be contact-based).
Out of all stores visited, Home Depot was actually the closest to being prepared for EMV. (Photo courtesy of Mike Mozart/JeepersMedia under Creative Commons 2.0)
Finally, it was on to the big boys: Home Depot and Target. If anyone would be ready, it would be them, since each one went through its own mother-of-all-data-breaches in the past year. First up was Home Depot, where I tried to use my card to pay for an extra-long doorstop (since the standard ones always let the doorknob slam into the wall anyway — I will never understand why this is). Here, they had an unblocked EMV slot and the cashier said they were supposed to be turned on in December, so I gave it a try. For the first time, inserting my card made the terminal light up, but unfortunately after several tries it became apparent that this device was not yet active either, so I resignedly swiped my regular credit card.
At Target, a similar story: The machines are in place, but not turned on yet; the manager said that they would not be enabled until an upcoming software update. That was enough — after two hours and over 25 stores, I went home, unable to find a single merchant able to process an EMV transaction and only a handful whose employees knew what it was.
So, what did this teach us?
First, while big retailers are doing better than smaller ones, there is still a long way to go. Based on this unscientific experiment, I would call the percentage that have the devices themselves closer to 50% than 70%, and that’s counting the ones who had terminals installed but the EMV slot blocked off. Still, it’s evident that there’s more awareness here, so they’ve got a shot at being prepared.
It does matter what line of work you’re in. For example, I didn’t see one restaurant of any size with an EMV reader, and that goes for before and after my experiment as well. Grocery stores and traditional mass retailers seemed to be better prepared than most. Do restaurants think they’re not targets because they’re not technically “retailers?” That would be a mistake; look no further than the P.F. Chang’s data breach for evidence. Doctor’s and dentist’s offices were similarly unprotected, down to the last one (unfortunately, this also includes my own dentist). This attitude is dangerous: If you accept credit cards, you’re a target, period.
Small businesses won’t be ready, and it’s not even close. This is not so much because they don’t have the equipment, but because the awareness was almost nonexistent among the ones I talked to. A big retailer has an IT department whose job it is to be on top of these things; the owner of a small business has every job at once, and in terms of keeping the business running day-to-day, many things other than payments systems are higher priorities. I got the feeling that if the terminal wasn’t causing them any problems, there really was not much motivation to invest the time and money to switch. Sadly, a lot of fraud is probably going to move to the small and mid-sized businesses next year, and a wholesale change won’t happen until there are stories in the local papers about the unfortunate ones who get smacked with a huge fraud liability.
Being burned is a big wake-up call. It’s probably no coincidence that Target and Home Depot, the two companies who suffered the most publicized data breaches in history, both had the new terminals in place and were getting ready to go live. It was an expensive lesson, but it appears those incidents made them get serious about security.
Employee and customer training is going to be a big deal. Let’s face it, the act of executing an EMV transaction is not rocket science: You put the card in the slot and wait for it to go through. Most cashiers could probably get up to speed on that part in a few minutes. The important part is understanding the WHY of EMV – how it’s different from a magstripe and why it makes fraud more difficult. Above all, what you don’t want are customers who think the card isn’t working — for example, because you have to leave the card in the slot rather than the current quick in/out process — and a cashier who then tells them to just go ahead and use the magstripe, leaving them vulnerable again. Getting the system going will be simple; ironing out the wrinkles will take some getting used to.
Overall, it was a bit discouraging not to be able to use my brand-new card as it was intended, and the awareness of EMV in the general public seems about zero. But, after all, the deadline isn’t here yet, so what can you expect? Changing a nationwide system that’s been in place for over 30 years isn’t easy. I’ll be keeping an eye on this for the next few months to see just how smoothly things are going on the ground.