Late last year, we published an article titled “Adventures in EMV,” in which the Digital Check marketing team attempted to use a newly-issued EMV chip card at various local checkout registers. The results were not encouraging: Out of more than 30 stores visited, fewer than half had terminals with chip readers, and of those that did, all but one (Walmart) had the chip capability turned off. It was virtually impossible to carry out a chip transaction anywhere.

[Photo: Bartender with no EMV reader] Paying for a drink? You’re probably doing so with a swiped transaction, not chip-and-PIN.
(Photo by Flickr user JohnPickenPhoto / Creative Commons 2.0)

Of course, that was a year ago, and in the meantime, the real deadline for retailers to be ready with chip-and-PIN (also known as EMV) had come and gone. So, we decided to repeat the unscientific experiment for 2015. Surely, there would be better luck this time, right?

The answer: Only slightly. While there seemed to be more awareness of EMV technology in general, and most of the big national retailers at least had the correct terminals installed, at least 90% of the locations we visited lacked the capability to perform an actual chip card transaction.

The condensed play-by-play of the experiment can be found at the end of this article, but what really struck us was another, perhaps more problematic trend: Even at retailers where EMV technology was up and running, hardly any of the customers were using it. Instead, they took their chip cards and continued to swipe them as ordinary magstripe cards, usually with no instructions from the cashier to do otherwise – even at places like Target and Home Depot, which had been burned badly in the point-of-sale data breaches of 2013-14.

This takes us into a murky area of the EMV liability shift. The official rules say that in the event of fraud, whoever was the least prepared takes the hit – in other words, if it was a chip card but the merchant didn’t have a chip terminal, it’s the merchant’s problem; if it was a magstripe card but the merchant did have a chip terminal, it’s the card issuer’s problem. And if a chip card is used in a chip terminal, fraud should be nearly impossible.

But what happens if the merchant has a chip terminal and the customer has a chip card, but s/he decides to use it as a regular magstripe card anyway? That’s a little less clear, as the rules seem to have been designed on the premise that every time it’s possible to use a chip card, the customer is going to use it as a chip card. The guidelines provide for swiping an EMV card as a magstripe card in case of a “fallback” transaction – that is, if a chip transaction won’t work for some reason, the liability goes back to the card issuer – but they don’t say much about what happens when it’s a voluntary choice. But old habits die hard, and without some prodding, most customers will probably keep using their cards the same way they always have: By swiping the stripe through the slot.

We sense a fight brewing when the first post-EMV data breach hits the news. Banks are not going to be happy that they’ve spent billions re-issuing cards with chip security, only for people to ignore it. “It’s the cashier’s job to remind the customer!” they’ll argue. Similarly, retailers – who themselves have had to replace tens of millions of point-of-sale terminals – will argue they’ve done their part by being ready to accept EMV and can’t control what the customer does. “This was your idea – YOU make sure your customers are using the cards right!”

Both sides have a point. Ultimately, it will probably only be resolved when people’s behavior has finally shifted in 2-3 years, and most people ARE using chip cards as chip cards. But it is going to take a lot of education on both the merchants’ and the card issuers’ part.

Only twice during our experiment did a cashier actually tell us to use a chip card the correct way instead of swiping it – once at a grocery store in Illinois and once at a Rite Aid in San Diego. The heads-up from our card issuers consisted of a one-time letter enclosed with each of our new cards, with throwaway titles like “Understanding the benefits of your new card.” And the cards were generally issued several months before the stores had their EMV readers activated – plenty of time for most consumers to forget. Bottom line: Just showing up with the technology is not the end of things, and both sides need to put forth more effort to “get the ball across the goal line,” so to speak.

[Photo: Home Depot card reader] Home Depot was hit hard by a 2014 data breach, but was on time with chip-and-PIN.
(Photo by Flickr user Mike Mozart/JeepersMedia / Creative Commons 2.0)

As for the results of our readiness experiment: Big nationwide chain retailers (grocery stores, drug stores, department stores) usually had an EMV-capable POS terminal, but only about one-third to one-half had it turned on yet. Notably, Walmart, Rite Aid, Home Depot and Target had EMV up and running; Vons (Safeway), Smart & Final, and a few other grocery stores were still in a holding pattern. Smaller merchants were the same as last year: a combined 0-for-20, with perhaps a third even having the equipment at all.

This year we also looked at a third category of “non-traditional” retailers – service businesses like restaurants, hotels and auto repair shops, which don’t tend to consider themselves transaction-oriented businesses, but process credit cards nonetheless. This group was woefully unprepared, none even having EMV-capable equipment, and most frequently swiping cards through magstripe readers built into a cash register or computer terminal. Even big nationwide chains like Starbucks and Red Robin were no exceptions.

The final conclusion? For fraud prevention – the main reason why the push to EMV happened in the first place – it looks as though the door is going to be shut at the major nationwide retailers fairly soon, but smaller merchants and “off-retail” establishments represent a soft underbelly that will remain vulnerable for years to come.

In particular, establishments like restaurants and hotels – those that don’t tend to think of themselves as “retailers” – seem poised to receive a harsh reminder that as long as you process credit card transactions, you are indeed a retailer, and therefore a target.