SEATTLE - The customer databases at Target and Neiman Marcus were ripe targets for hackers because the U.S. is alone in wide use of magnetic-striped payment cards, which are easy to counterfeit. Come October 2015, the U.S. will shift to chip and PIN cards. CyberTruth asked Jeremy Gumbley, CTO of online payments processor CreditCall, to describe what this will means to U.S. consumers - and merchants.
CT: What does Chip and PIN bring to the table in terms of protecting consumers' personal data?
Gumbley: Most PIN pads equipped with EMV (Chip) functionality also have a special feature called P2PE or Point To Point Encryption. This means that cardholder data is securely encrypted at the earliest possible point in the transaction in a special secure environment. This information can then only be decrypted either by certain parties.
CT:What are U.S. retailers currently doing to make the deadline?
Gumbley: Most retailers have a mixed approach.To roll out EMV successfully, retailers and other merchants must upgrade or replace their POS devices. This doesn't just include furnishing EMV-enabled card readers and POS terminals, it also includes integration and complex certification and testing. Because the cost falls on the retailer, budget is a massive consideration. Every retailer is different, so there isn't a one size fits all solution.
CT: What happens once the deadline expires?
Gumbley: Once the liability shift occurs in the U.S. then merchants who haven't upgraded their point-of-sale terminals will bear the risk of any fraudulent transactions. For example, if a consumer tries to pay with an EMV Chip-enabled card and the retailer is not able to process it as an EMV transaction then the retailer is responsible for paying for any fraudulent magnetic-stripe transaction it incurs.
Until October 2015, credit card companies and banks are bearing the high costs of reissuing cards and reimbursing customers for most fraudulent card activity; meanwhile retailers mostly lose out on the profit from the cost of any merchandise purchased with the fraudulent cards. Today, financial institutions take on the high costs of card reissuance and fraud reimbursement
CT: What likely bottlenecks will retailers experience as the deadline approaches?
Gumbley: EMV compliance adds an additional layer of complexity to the payment ecosystem that involves much more formal certification and a set of new skills. The rigorous testing and certification of terminals to become EMV ready is a time consuming and expensive process that organizations must be prepared for. It can take up to sixteen weeks to complete in an EMV mature market, potentially causing a certification bottleneck when many retailers send terminals for testing at the same time in order to meet the deadline.