Tag Archives: EMV

Retailers Sue Mastercard, Visa Over Chip-Reader Rules

Why is nothing ever as simple as it looks?

As you have probably noticed, a LOT of retailers have not migrated to chip card readers for accepting credit cards.  As of last October, the liability for fraudulent transactions for those merchants who have not migrated (like Wendy’s, for example) is now the store’s and not the bank’s.

Some merchants are not real happy about this and two law firms have filed a lawsuit against the credit card brands claiming antitrust issues.

I have been saying that the merchants are just whining – that they knew this was coming since 2011 and that is true.  Sort of.

The 6 credit card brands (Visa, Mastercard, Discover, Amex, JCB,  and UnionPay) set up an entity called EMVCo to set the standards for chip card technology, software, networking and integration.  While some merchants have had input into the process, for the most part, it has been a black hole.

Then there is an issue of cost.  Small merchants often have a standalone credit card terminal.  For those businesses, the costs are pretty minimal.  A few hundred dollars and they are likely good to go.  But what about those companies whose point of sale system (POS) tracks and processes their credit card transactions?  Well, that is a different story.  If you bought the software and own the PC it runs on, you likely have to go out and buy a completely new system unless you have been paying annual maintenance fees to the software vendor.  And even then, the vendor might say this is not a free upgrade.  And you still have to configure it.  Finally, it has to be certified (more about that in a minute).

For large companies (like, say, Wendy’s), they might have to buy 10,000-50,000 new terminals or more.  And someone has to configure and install them and train the users and the managers.  That is likely not a small bill.

Next comes certification.  EMVCo requires that your system has to be certified and right now, the few companies that are authorized to certify you are backlogged 6-12 months.  So even if you spend the money, install the hardware, configure the software and train your users, you may still have to wait 6-12 months before you can use it.

So if the stores knew about this in 2011-2012, why did they wait until now to do something?  Well, a few, like Walmart, did not.  For many, it boils down to time and money.  But there is another wrinkle.

That wrinkle has a name and that name is Dick Durbin.  Yes, the senior Senator from Illinois.  During the economic meltdown of 2008-2010, Durbin championed something now known as the Durbin Amendment, which became part of Dodd-Frank.  As with many good intentions, the idea was to reduce costs to merchants by limiting debit card fees.  Not credit card fees, just debit card fees paid by merchants.  It also required banks to give merchants choices to process their debit card transactions.

Unfortunately, the chip technology in use was not designed to handle choices and the technical solution did not get sorted out until 2014.  Merchants did not want to move forward to accept chip credit cards (for which the terminals worked) only to have to go back and change everything again when they got the debit card part figured out, so they just waited.   So instead of having 4 years to deploy all this new technology, they had like 18 months.

I still think industry could have handled it better, but I am not particularly surprised that they did not.

And of course, the government, in the form of the Durbin Amendment, didn’t help.

And, as we all know, they are from the government and they are here to help us.    Too bad they didn’t “Just Say No!”.

The liability shift, I think, is a good thing.  Absent that, we would continue to trail the entire civilized world and continue to use mag stripe cards and experience fraud to the tune of $10-$20 billion a year.

Whether this lawsuit goes anywhere or not, the chip card train has left the station.  Probably the credit card brands will settle, the lawyers will make a lot of money and the merchants will be left holding the bag.  But, sooner rather than later, we will have completed the migration.

Kind of like the $6 billion Mastercard/Visa settlement that lets merchants charge an extra fee for credit cards.  That used to be a violation of the merchant agreement.  Well first, the judge has not approved that agreement and won’t for a year or more and second, there are interesting complications that won’t actually allow many merchants to charge more even if they want to – but that is a story for a separate blog post.

Still, I now have a better appreciation for the merchant’s problem – which is good.


Information on EMVCo can be found here.

Information on the liability shift can be found here.

Information on the lawsuit can be found here.

Information on the brand by brand timeline can be found here.


The Changing World Of Transaction Payments

If you either use credit cards or are a merchant that accepts credit cards (I think that covers most of us), your world is changing and changing rapidly.

Sorry, this is going to be long, so you might want to get a cup of coffee and possibly some aspirin before you start reading.

First, if you are a merchant that accepts credit cards, effective Oct 1, 2015, if you do not accept chip-based credit cards (the so-called EMV card that has been the standard in Europe for 10 years – we are just a little bit behind) and there is credit card fraud, you, as the merchant, become financially liable for the loss (for gas stations that does not happen until 2017).

This means that as a merchant, you have to change your credit card reader equipment, train your employees and, if your credit card process is tied into your point of sale system, likely change that as well.  All this is at your cost as a merchant.  Here is Visa’s guide for merchants on how to migrate from the old mag stripe credit cards to the new chip-based card.

One thing that is still different between the U.S. and Europe is that Europe requires that you enter a PIN with the chip card and we are going to use the old-fashioned signature.  PIN is likely much more secure – retail clerks rarely check whether your signature matches the back of the credit card.  Mastercard and Visa opted not to use a PIN because they thought that people might use their cards less if they were harder to use – and that is like a knife to the heart for credit card processors.  They would rather eat the losses, which they pass on to the merchants in the form of fees, who pass them on to you and me in the form of higher prices.

The second change that will affect merchants is the release, in April 2015, of the PCI 3.1 standard.  The main reason for this change is all of the SSL bugs that I and others have been writing about for months (including Heartbleed, POODLE, FREAK and Bar Mitzvah, among others).  This likely will require a number of software upgrades as SSL is no longer allowed, only the current version of TLS.

In addition, as of PCI 3.0, released in January, merchants are now required to conduct penetration tests at least annually, which are much more complicated than the old requirement for doing vulnerability scans (see guidance on conducting penetration tests here).  Merchants also have to implement intrusion detection and prevention technology.

Now the part that affects consumers – which, of course, also affects merchants if they choose.  Apple released Apple Pay earlier this year.  Some merchants embraced this; others are totally fighting it – by either turning off the NFC feature on their credit card terminals that is required to make it work or not fixing that part of the terminal if it breaks.  This is so much of a problem that some customers have reported that they have only completed ONE Apple Pay transaction successfully since they registered their cards.

But if that wasn’t confusing enough, customers and merchants will have to deal with other competitors to Apple Pay, including:

Samsung Pay – which only works with the Samsung Galaxy 6

Google Wallet – which has been around for a few years, but has not gained much acceptance.

CurrentC – the big merchants’ alternative to Apple Pay.  This is supported by the retailers and they will give you discounts and freebies if you use this rather than Apple Pay.  This will be hard for Apple to counteract because the merchants are in control of these discounts and freebies.

Stratos – a small high tech startup with their own solution

Here is a guide to these options.

If you are a consumer, you can choose to use one of these alternatives or not.

If you are a merchant, you will need to make a bunch of decisions – running the risk of offending customers and having them go elsewhere.

And, I am sure, there will be more choices before this all settles out.


Retailers Ask Congress To Fix The Cyber Security Problem

The National Retail Federation, in testimony before Congress (see article), said that the government should expand protections for debit card users (Federal protections for debit card users are less than for credit card users), pass a national breach notification law and boost prosecution for cyber crimes.

The harder question is who is responsible for breaches.  Is it the software companies that make buggy software?  Is it the businesses that don’t install patches and take aggressive measures to protect consumers’ information?  Or is it consumers that choose passwords like 123456?

The answer to this is that all of these parties share blame and all of these parties need to take action to fix the problem.  Absent that, the bad guys will likely continue to win.  While consumers are not liable for more than $50 when hackers use their credit cards, those costs show up somewhere.  That somewhere is higher bank fees and prices at stores.

Will changing laws on debit cards stop the Target attack?  Will a national breach notification law protect Sony or its employees?  Will more prosecutors or different laws stop the Chinese (if it is them) from attacking Anthem?  Unfortunately, the answer to all of these questions is no.

The only way we are going to make any impact on hacking is if we – businesses, software makers and consumers – start taking the right actions.

The article points out that some retailers, like Target, are swapping out mag stripe credit card readers for chip-and-PIN-based readers.  The article says, and I agree, that these cards, already in use in many countries but not widely used in the United States, will reduce credit card fraud because they are harder to counterfeit.

Let’s examine why those stores are doing that.

Merchants don’t want to get new credit card readers because they have to pay for them and train both employees and customers on how to use them.  This is especially painful for older people who did not grow up in the digital world.

So if this is true, why are businesses starting to replace their credit card readers?

Mastercard and Visa have changed the rules.  Effective October of this year, if credit card fraud takes place and the store does not use chip-based credit card readers, the store eats the fraud rather than Mastercard and Visa (this is a slight simplification, but basically accurate).

You draw your own conclusions.

I suggest that people – software developers, businesses and consumers – will change their ways when it is more painful or expensive to not change rather than to change.  Unfortunate but true.

My two cents.


