Massive data breaches have led to renewed debate about secure card technology and who should shoulder the costs of consumer fraud.
Driven in part by a deadline set by the card companies, banks and retailers are slowly gearing up to provide American consumers with a more secure option: credit and debit cards embedded with a micro chip that generates a one-time security code to process every payment.
That means the data stored on merchants' servers from those transactions can't be used again, such as by fraudsters to create counterfeit cards.
But banks and stores are still balking, concerned about cost and timing.
"As long as I can remember EMV chips have probably been talked about every year," says Linda Echard, president and CEO of the Independent Community Bankers of America's Bancard division, which helps community banks get credit and debit card services.
European countries began using EMV cards – proprietary chip cards whose standards are set by by Europay, Mastercard, and Visa – about 20 years ago. As fraud in those countries decreased as a result, hackers turned their attention to the United States.
"Now we have an escalating rate of fraud that is creating a business need to address (this) more aggressively than five or 10 years ago," says Randy Vanderhoof, executive director of the Smart Card Alliance, an association that represents companies using smart card technology.
Breaches like the recent ones that hit Target and Neiman Marcus have put the case for chip cards in front of consumers, but industry experts say the switch has been in the works for years.
In 2011, Visa and Mastercard made similar announcements regarding who would be responsible for fraud if the industry doesn't adopt the new cards and terminals by October of 2015. After that date, retailers who haven't upgraded would be responsible for the costs of fraud if their system is hacked. Similarly, banks would be responsible for fraud if customers are still using magnetic stripe cards while retailers have upgraded their systems.
So far there are between 10 and 15 million EMV cards in the U.S., Vanderhoof says, which banks started issuing in the past two years. Community banks have been offering the cards to customers who travel overseas frequently, Echard says.
Some major retailers, including Walmart, already have payment terminals capable of accepting EMV cards. Target is in the process of upgrading terminals. Vanderhoof estimates about 10% of payment systems in stores have been upgraded to accept chip cards, but likely fewer than 1% of them have actually been turned on to accept the cards. Payment terminals require a process of testing and certification before they can be used.
Walmart installed EMV-capable terminals about eight years ago, but only some of them are activated, primarily at stores in markets with a lot of international travelers, says spokesman Randy Hargrove. Small retailers may take more convincing, given the expense to install the new terminals.
"They're not going to want to buy these machines if they're not convinced the banks are going to do the right thing," says Mallory Duncan, senior vice president and general counsel for the National Retail Federation.
Despite the impending deadline, the switch still isn't an easy sell, requiring billions of dollars invested in the new cards and corresponding payment terminals.
The chip-enabled cards cost about $5-$10 more per card to manufacture and issue than the current magnetic stripe cards. And retailers will have to replace payment terminals at an average of about $1,000 per terminal, Duncan estimates. Given there are more than 3 million retailers and many have more than one point-of-sale system, "you're talking billions of dollars if you multiply that out," he says.
Fueling the conflict is the fact that the chip technology is not required, demanding cooperation and compromise between several large industries with sometimes conflicting motives in order to implement.
"There's...no central authority or regulation that requires the U.S. market to do this," Vanderhoof says. "We have to rely on the payment brands, financial institutions, and merchants to all come together and agree this is the best investment for everyone."
Retailers are pushing for the adoption of cards that both have a chip and require a pin to authenticate the transaction.
"We have to have authentication of the card holder," Duncan says. "Chip does nothing about whether or not it's really you presenting that card."
Visa leaves it up to issuing banks to decide whether to issue customers a pin with the new cards or still require a signature, which some consider less secure. While Visa and Mastercard control most transactions that use a signature, a group of at least 10 networks process pin transactions.
"They don't want to use the pin because using the pin potentially subjects them to competition and they don't know what competition will bring," Duncan says.
Others argue that issuing pins to every customer will make an already expensive process that much more costly; if you forget your pin it would require issuing a new card altogether, Vanderhoof says.
And even after chip cards become widely adopted, they still won't prevent fraud, giving banks and retailers another reason to be skeptical of forking over so much money to change the payments process.
"It's expensive to deploy chip and it's not the final answer to fraud," Echard says. "It's the beginning of trying a new strategy that we hope will push a lot of the fraud out of the system."
Despite hesitation from everyone involved though, Duncan admits retailers will get on board if customers start showing up with chip cards. They bought the "knuckle buster" manual card readers when cards started being produced with embossed numbers, and they upgraded to new terminals when cards were produced with magnetic stripes, he gives as examples.
"If (banks) issue the cards with pins and chips," he says, "then merchants will buy the equipment because they want to accept the cards their customers are carrying."