Despite splashy headlines, the transition will take several years – and protecting old-style transactions will remain as important as ever
Photo by Cheon Fong Liew under Creative Commons 2.0 license
It’s now been almost a year since the spark that finally got EMV started in the United States – the Target data breach of 2013. There’s been some debate over how to best implement the technology, which uses a simple chip instead of a magnetic stripe to carry out credit and debit transactions, but for better or worse, it will be the standard as soon as next October.
We say “as soon as” for a very important reason: While we’re all supposed to be ready for EMV by October 1, 2015 – the date at which fraud liability shifts to merchants and banks who still aren’t using the technology – the odds of everyone actually making that deadline are low.
The key is that October 2015 represents only a liability shift, not a drop-deadline after which the old system will cease functioning entirely. On October 2, 2015, your magstripe card reader will still work, and you won’t get kicked off the network; you’ll just face financial disincentives for continuing to use it. It’s a strong “nudge” toward upgrading, but not an absolute requirement. Left to their own devices, some people will prepare themselves well in advance – Target, for its part, announced it would have EMV terminals in stores by September, and we’ve already seen some of the new equipment showing up in stores. But if you’re like most of us, you’ve also noticed that no one has been sending you new chip-based cards to replace your old ones, and your wallet is still full of cards with magnetic stripes.
So, what’s going on? The simple answer is that every time there’s a major technology shift like this, not everybody is ready in time. For example, when Microsoft retired Windows XP in April, the old OS’ market share dropped significantly in the months leading up to the deadline – from over 30% to less than 15% – but even after the deadline about 12% of American visitors to 184.108.40.206/digitalcheck-l3 were still using it. Even today, that number is 8%.
The difference with card payments is that right now, the old system is still at close to 100 percent adoption, while the new system stands at virtually zero. There is a very real incentive to switch, but we are playing a much bigger game of catch-up. Nor is the solution as simple as installing new software on a computer: Hardware must be physically replaced in the field, and cards must be re-issued.
What kinds of numbers are we talking about? In the wake of the Target breach, we saw serious strain on the industry’s inventory and manufacturing capacity as banks rushed to re-issue affected cards. Now imagine that we are talking about replacing every credit card and every POS terminal in the United States – an estimated 1.5 billion cards and 10.2 million card readers. There are not a billion blank chip cards or 10 million EMV terminals in the country’s physical inventory right now. And if we started right now, we’d have to replace 4 million cards and almost 30,000 terminals every day in order to get to them all before October 2015. Next summer, there will be backlogs and long wait times as the schedule for compliance compresses even further. In other words, even if there were 100 percent desire to adopt quickly, meeting the deadline would still not be a sure thing.
Now, of course our daily replacement projections may be a little high – especially on the terminal side – because some merchants, particularly large retail chains, have already installed new equipment to be ready in advance of the deadline. The likely pattern is that most large retailers will achieve compliance before the deadline, while smaller operators will be scattered all across the spectrum; some will be ready; some will make the switch just before the deadline; others either won’t know or won’t care enough to change anything. Every chip-based card will continue to have a magnetic stripe for use at terminals that are not EMV-ready, and every EMV-equipped point-of-sale system will have magstripe capabilities as a fallback – and for the foreseeable future, we expect both to get plenty of use.
Photo by Vince M / Flickr
under Creative Commons 2.0 license
So, the magnetic stripe is going to stick around for a while, but the question is for how long, and in what numbers? In light of the practical realities – and if adoption patterns play out in roughly the same proportions as with the XP switch – it would not be surprising if 25 percent of all cards were still of the magstripe variety next October 1, along with 30-40 percent of card readers. (As not all merchants will feel the same urgency as card issuers, we expect the upgrade process to take slightly longer on that side of the fence). Since both parties in a transaction need to be EMV-enabled – e.g., a customer with an EMV card and a merchant with a magstripe reader will result in a magstripe transaction, and vice versa – as many as half of all transactions may continue to use traditional magstripe technology for the near future.
So how long can we expect those magstripe holdouts to stick around? Even if 100 percent conversion by October 2015 would be physically demanding, it could be done comfortably given a further six months to a year. So the real issue becomes: How long after a rollout does it take a country to come around to the idea and get on board?
While many are under the mistaken assumption that EMV adoption in Europe was compelled by regulation, it was actually handled there – and in most other regions – with a simple liability shift, just as it will be in the United States, and with remarkably uniform results. A 2012 study by the Federal Reserve Bank examined the rollout of chip-and-PIN cards in the UK, France, the Netherlands, Canada, and Australia, all of which told a similar story. After starting out high in Year 0, fraud rates for counterfeit and lost/stolen cards saw a significant dip from the baseline in the first year, a similar drop the next, and finally stabilized at a slightly lower rate in the third or fourth year after adoption. This tells us that in any given country, we can expect chip-based cards to take about three years to achieve a complete rollout. In the U.S. that would take us through the end of 2018.
One further deadline awaits beyond the main liability shift: A similar deadline to convert the readers at automated gasoline pumps by October 1, 2017. While this is a niche use that should not affect the main conversion, it is important because it tells us that magnetic stripes will be in legitimate retail use until late 2017, and probably a few years longer. In fact, magstripes are still present on cards in the UK, even though it converted to chip-and-PIN a decade ago; they are just rarely used. And while EMV effectively blocks the use of counterfeit or stolen cards for in-person transactions, much of that activity simply moves to card-not-present transactions (such as online shopping) or cross-border fraud (using counterfeit cards in countries where EMV is not the standard).
The bottom line is that, in the rush to lock the front door, we must be careful not to leave the side door wide open. The switch to chip-based cards will eventually clamp down on certain types of fraud; however, we will still be vulnerable to magstripe fraud during the transition period, which likely means until 4½ years from today. Even if you, as a merchant, are ready for EMV, there will still be magstripe cards to deal with, and if we continue to use the same inadequate security measures as today, we will continue to hear about the same types of data breaches throughout that time period. If you aren’t using point-to-point encryption now, making sure that your new system supports it for magstripe cards is a smart move. In the twilight of the magstripe card, there will come a definite end to certain types of fraud – but being the last to suffer a Target-style data breach is not much better than being the first.