Prior to the October 2015 EMV chip-card liability shift in the U.S., various merchant groups expressed concerns about factors that would keep them from meeting that deadline — some of which remain beyond their control.
One major fear was whether merchants would receive processor specifications in a timely manner, and making all of those specifications work without a hitch through hardware security modules, network software, payment gateways and point-of-sale terminals. They envisioned a series of tests, certifications and recertifications to accept all payment types, with the timeline determined by other parties.
In many ways, that is exactly what has happened, especially in certain retail settings, said Daniel Montellano, vice president of strategic business development for Shift4, a Las Vegas-based payments technology and security provider.
"EMV adoption remains slow," Montellano said. "We noticed more places using it during the holidays, but it remains very slow for those in an integrated environment, where solutions were sent out massively in June of 2015, and that was just too late."
The Merchant Advisory Group sensed trouble in this area in September of 2015, noting in its position paper on EMV that there should be a way for merchants to work within the payments industry to get to a "delta certification point" so that any one party's experiences with implementation could benefit other merchants. Without that sort of process, merchants would have to keep re-certifying when integrating parts of the EMV puzzle.
Near the end of last year, Visa was reporting 1.7 million and Mastercard 2.3 million merchants accepting chip cards, representing roughly 38% of U.S. merchants.
At the start of 2017, things are picking up and EMV deployments continue to rise, but less than 10% of Shift4's clients are accepting chip cards—and the company has been offering EMV integrations for several years, including seven years in Canada. Many have the equipment and are ready, but can't turn on EMV until specifications are working in all parts of the network.
"Because we are ahead of the curve, it has brought more business to us, because many processors don't have the resources to service hundreds of companies," Montellano added. "Some processors have to drop what they can't handle."
It's a problem being discussed in many corners of the payments industry, said Thad Peterson, senior analyst with Boston-based Aite Group.
"The reality is that EMV implementation is very, very complicated, and some processors have not been fully prepared to support their customers even a year out from the liability shift," Peterson said.
The food service and hospitality verticals represent a challenge because they are clearly lagging in EMV implementation, Peterson said.
"The downside risk to not implementing has not been clearly communicated and they become increasingly vulnerable as fraud shifts away from traditional channels," he added. "There needs to be a concerted effort to move food service and hospitality to EMV."
Initially, merchants and processors alike feared that an issue regarding EMV debit transaction routing to satisfy the Durbin Amendment would delay the migration process — and it did to a certain extent. But that problem has been resolved, with progress smoothed further by recent updates such as Visa changing it
Another obstacle that concerned merchants was the agonizing 10 to 12 seconds a card reader holds onto an EMV-chip card, compared to the split-second speed of a card swipe. Visa introduced
"Quick Chip is nice to have… but we know of many companies that will not take EMV because of how slow it is, and that would be sports or events stadiums and airports," Montellano said. "Those businesses can't have slow transactions, or they will lose money."
However, if EMV were a three-ring circus, the debit routing and Quick Chip solutions would be sideshows. Center ring still belongs to the difficulty merchants encounter in obtaining and deploying processor PIN key and encryption coding, researching which key injection facility to turn to, and setting up devices that work with the new specifications.
Consider businesses with multiple locations that encounter problems with integrating the proper processor keys, and you have months of EMV delays on your hands, Montellano said.
"It gets even worse, in the case of multi-unit retailers, if the processor suddenly says they are too small for them to work with and the retailer has to start over," he added. "We have seen this happen."
Ultimately, in relying on hardware partners to expedite their certifications, or encountering the need for extra data hardware, merchants must deal with the mounting costs of both EMV migration and the fraud that comes from being non-compliant.
Mobile wallets offer some reprieve, but the technology is still too thinly adopted by consumers and retailers alike.
Shift4 has tried to provide an answer to that dilemma with its VT4 application for a mobile point of sale system, said Jeremy Fried, systems architect at Shift4.
"We didn't want a 'me too' product just for micro-merchants; we had to build a truly neutral system that would provide all of the services a larger company would need," Fried said.
In that regard, the PGA Tour became a Shift4 client with the VT4 because it would work on golf course beverage carts, the pro shop and cafes at country clubs, and at kiosks selling merchandise or tickets.
Still, mobile is not in a position to overturn EMV's progress.
"EMV is one of those things that, now that it is moving along, it's not going to stop," Montellano said. "There is a chance that something better could come along, and the industry would have to agree that would be the way to go."
Until then, a couple factors could help speed up the EMV migration process, Montellano said.
"Having all of the integrations all ready to go at one time would be a huge help, and that is what we are striving to have done, and we are just about there," he added.
The other factor is simple awareness. "Many companies don't understand what it means if you do not adopt chip technology," Montellano said. "They don't understand the danger of friendly fraud and don't understand that addressing encryption and EMV go hand-in-hand to thwart fraud and breaches."
