Over the next three years, the convenience and fuel retailing industry will pay more than $3.5 billion to further protect consumer payment card data as part of a massive liability shift going into effect later this year. The introduction of EMV—along with updated PCI 3.0 standards and introduction of new technologies such as tokenization and encryption—make for a rapidly evolving payments landscape.
“Card security is becoming a consumer issue,” said Gray Taylor, executive director of Conexxus, the industry’s technology standards organization, during the summit. “It’s been front-page news for too long, and it’s no longer just a technology issue. Consumers are starting to ask about it on their own.”
For many years, Taylor said, data security was not on anyone’s radar—that is, until the Target hack in 2013, which “changed everything.”
Target became an easy case study of how retailers were handling payment improperly, accelerating the calls for better security technology and effectively making EMV what Taylor refers to as “a foregone conclusion.” That’s despite the fact that EMV would not have prevented Target’s breach or many of the more than 20 subsequent breaches of other companies.
And while the retail industry has taken a lot of the blame for many well-publicized breaches over the past few years, the largest threat to data security in the future is likely to be in the health-care sector, where criminals can steal an individual’s all-important personal info.
Card security is also becoming an increasingly significant issue as more consumers relinquish cash for plastic. In 2013, total U.S. spending on credit cards was estimated at $5 trillion, according to Nielsen, of which the convenience channel had a 10% share. Nielsen predicts that cash will account for less than 25% of all retail sales by 2018. Cash sales in this channel will be even less, with an estimated 10% of payments in cash by 2018.
Liability Shift Looms
Several compliance issues are on the horizon for retailers, including PCI 3.0, which went into effect at the start of 2015. Beginning in July, PCI 3.0 compliance requires that retailers protect devices that capture payment-card data from tampering and substitution, and that they implement a methodology for penetration testing based on industry-standard approaches. Also, Taylor said, EMV implementation later this year does not eliminate or replace any of the current PCI compliance requirements.
Speaking of EMV, the topic on a lot of people’s minds is the EMV liability shift that will go into effect in October. According to Taylor (and many industry experts), EMV is “just one small step of a very long journey,” a path largely being dictated by MasterCard and Visa, who continue to exert their swipe-fee stranglehold over the industry.
According to preliminary data, the industry yet again paid more in fees to the credit-card companies than it made in pretax profits. The industry’s pretax profits of $10.4 billion were a full $1 billion less than the cumulative $11.4 billion the industry paid in card fees.
The date that many in the industry are focusing on is October 2015, the deadline retailers face for installation of inside-sales POS systems that are EMV-compliant. It’s worth noting several things about the October deadline: The date was chosen by MasterCard and Visa, and it is not a mandate for retailers. Rather, it marks a liability shift, after which point a retailer who has not installed EMV-capable payment terminals will be held responsible for any loss due to counterfeit cards used at their terminals.
Also, counterfeit card use is not the same as experiencing a “data breach.” The EMV liability shift for retailers is
scheduled to roll out in three phases: October 2015 for inside POS terminals, October 2016 for MasterCard ATMs and October 2017 for outside automatic fuel dispensers (AFDs) and Visa ATMs. As evidence of the growing awareness of card fraud and security breaches, much has been written over the past few months regarding the lack of preparation by both merchants and card issuers in advance of the October deadline. Most
recently, Javelin predicted that less than 25% of credit cards will be EMV-enabled by the end of the year. The percentage of merchants who will have EMV-enabled terminals is likely to hover around that same level.
Dispenser Challenges
“Time is not on our side,” said Taylor of the EMV shift. Because the POS specifications became available only recently, suppliers are already far behind in preparing the necessary equipment, he said. He also emphasized that when it comes to EMV, retailers need to consider the high costs of implementation compared with the actual liability at hand.
Many merchants experience only a small value loss due to counterfeit cards, a liability that could pale in comparison to the cost of implementing full-scale replacement of POS equipment. This is a particular concern with forecourt AFD equipment installation, which will necessitate multiple installation days and potential upgrades of data transmission lines to accommodate the updated systems, plus significant equipment costs.
According to Taylor, it is highly unlikely that fuel retailers will be able to meet the 2017 deadline for forecourt AFDs. While the specifications for in-store POS were only recently made available, there are no such specs for AFDs. He also pointed out that even in Europe, where EMV is standard (thus the name EuroPay MasterCard Visa), no fleet specification has yet been provided, so it’s not likely to ready here anytime soon.
The upgrade process is further complicated by the fact that every AFD/POS combination needs to be certified for each card brand, resulting in about 10,000 different combinations. Also, retailers should expect to encounter capacity issues for production of the required units and availability of qualified installers. There are about 3,500 technicians trained to do the installations, and it’s estimated that even in a best-case scenario, industry install time would take about 36 weeks, with costs of up to $35,000 per pump.
“Retailers need to educate and prepare themselves to best assess and manage their own risk,” Taylor advised attendees. He also pointed out that, because EMV (which combines a chip card with signature verification) does not provide the full protection of a chip card that requires PIN verification, it is likely that a “do-over” may be on the horizon anyway to provide consumers with the most secure payment method.
Other Developments
Taylor also discussed other payment developments that may be a bit further in the future but have the potential to create a more effective, secure payment environment.
First among those is tokenization, which replaces account numbers with random ones. While Taylor expects tokenization to be standard in a post-EMV payments world, he said it also has its cons: It cannot be used for fleet cards or in conjunction with loyalty cards, and it continues to tie retailers to the large credit-card companies for the service. Chargebacks also become more complicated for retailers because the customers are effectively anonymous, making it harder to link prior transactions.
Similar to tokenization, but without several of the drawbacks, is encryption, which replaces account data with encrypted values. Conexxus has already begun developing a standard for tokenization, Taylor said, that would ensure that the payment technology accomplishes several essential goals: It would significantly reduce skimming fraud; it can be used on all card types, including fleet cards; and it would also take stores out of the current scope for PCI. “Tokenization is what’s going to be required by all the card brands post-EMV,” Taylor suggested. “Unfortunately, right now it is being ignored in lieu of the frenzy over EMV as an immediate 'solution.' "
Members help make our journalism possible. Become a CSP member today and unlock exclusive benefits, including unlimited access to all of our content. Sign up here.