ROSEMONT, Ill. – Over the next three years, the convenience-store and fuel retailing industry will pay more than $3.5 billion to further protect consumer payment card data as part of a massive liability shift going into effect later this year. The introduction of EMV—along with the updated PCI 3.0 standards and introduction of new technologies like tokenization and encryption—make for a rapidly evolving payments landscape.
“Card security is becoming a consumer issue,” said Gray Taylor, executive director of Conexxus, the industry’s technology standards organization, during his Payments Mandate Landscape presentation at the NACS State of the Industry Summit (SOI) in Chicago. “It has been front-page news for too long, and it’s no longer just a technology issue. Consumers are starting to ask about it on their own.”
Card security is also becoming a significant issue as more and more consumers relinquish cash for plastic. According to data from Nielsen, cash will account for less than 25% of retail sales by 2018—even less in the convenience-store channel, with an estimated 10% of payments in cash.
So, what’s next on the horizon? The topic on everyone’s minds is the EMV (Europay, MasterCard and Visa) liability shift that will go into effect this October. But according to Taylor, EMV is just one small step of a very long journey, largely being dictated by MasterCard and Visa as they continue their swipe-fee “stranglehold” over the industry.
On April 15, NACS announced the 2014 industry sales numbers, and again, the industry’s pre-tax profits of $10.4 billion amounted to $1 billion less than what the industry paid in card fees.
“Time is not on our side,” said Taylor of the EMV shift. He also reminded attendees “EMV is not a mandate, but a liability shift.”
Taylor expressed slight optimism that convenience-store retailers would meet the October 2015 deadline to install inside-sales point-of-sale (POS) technology that is EMV compliant, despite delayed release of the necessary specifications; however, Taylor expressed none of that optimism regarding the October 2017 deadline for outside pumps to be EMV compliant.
When it comes to EMV, retailers need to consider the high costs of implementation in concert with the actual liability at hand. After October, retailers who are not EMV compliant will be responsible for any loss due to counterfeit cards used at their terminals. Counterfeit use, however, is not the same as experiencing a “data breach” for merchants. Retailers need to educate and prepare themselves in order to best assess and manage their own risk. This is a particular concern when it comes to forecourt installation, which will necessitate multiple installation days and potential upgrades of data transmission lines to accommodate the updated systems, in addition to significant equipment costs.
Other payment developments that Taylor addressed included tokenization, which replaces account numbers with random values, but it has its cons: it can’t be used for fleet cards and makes chargebacks much more complicated for retailers. Similar to tokenization, encryption replaces account data with encrypted value and, through standards developed by Conexxus, can greatly reduce skimming while also being used for fleet cards.