What Went Wrong With EMV? So Much.

Evan Schuman is a guest contributor to the Sift Science blog.

Already deployed in many places around the world—including Canada, Mexico, and much of Europe—EMV payments were supposed to modernize payment card security in the U.S. But guess what? They haven’t. There is still a fine chance that they will eventually be a huge fraud help in the U.S., but looking into the many deployment problems delivers a frighteningly accurate snapshot of U.S. bureaucracy.

Let’s start from the beginning. The largest U.S. card brands—led by Visa, Mastercard, and American Express—told the retail community for years to prepare for EMV. They trumpeted an October 2015 deadline, known in payments circles as the liability shift. It’s called that because that month was when physical retailers would, for the first time, absorb fraud costs if they hadn’t completed the move to EMV.

How has it gone? As of July 2016, some nine months after that liability shift, Visa reported that a stunning 72 percent of merchants nationally still can’t accept EMV payments. Mastercard’s figures from July showed similarly dismal acceptance rates. This raises two questions: Why weren’t more merchants ready by October 2015? And, secondly, why haven’t more merchants made the EMV switch since then?

And then there’s the consequences for e-commerce merchants to consider. As EMV deployments happen (albeit slowly), card-cloning is becoming more difficult to pull off, and fraud is being pushed online.

Mobile distractions

During the years that EMV was being touted, retailers were distracted by the wondrous marketing claims made by mobile payments advocates. Those advocates spun tales of better security (which was true) and of a much easier shopper experience (also true). They also said that there would be huge initial shopper acceptance of mobile payments by U.S. consumers (pants on fire).

Those mobile distractions made many retailers halt their EMV plans, concluding that it would make more sense to move directly to mobile and save themselves the cost/pain of doing one transition and then have to move immediately to another. Don’t forget that Apple Pay—the most anticipated mobile payment—didn’t go live until October 2014. Retailers were willing to give that effort months of deployment before deciding whether they would proceed with EMV.

By the time it was clear that Apple Pay and other NFC methods weren’t going to deliver enough initial users to justify holding off EMV, the EMV deadline was just several months away.

That’s why the initial deployment was so low. But what about since then? The card brands set up a mechanism where every merchant deployment had to be certified.

“The challenge for many merchants has been getting their EMV-capable POS terminals certified and turned on by their merchant acquirers,” said Alex Johnson, the director of the credit advisory service at the Mercator Advisory Group. “The certification process has proven to be more complex and time consuming than many had expected and thus there is a big backlog of merchants waiting to have their terminals certified.”

PIN versus signature

That’s the bureaucracy part of this problem. The next most problematic element of the rollout has the requirement for a signature. From one perspective, it’s true to point out that a signature is many orders of magnitude less secure than PIN. It’s equally fair to point out that a signature, in the manner retailers use it today, delivers no authentication at all. When was the last time that you saw a store associate look at the signature at the back of your card? And on the rare times when it happens, those associates have had no training in what to look for. Yes, a signature is pretty much there just for show.

But like almost everything else in payments, the reality is a lot more complicated than that. Major retailers—most notably Walmart and Home Depot—have sued the card brands in an attempt to force them to allow PIN instead of signature. Although the merchants are making the security argument, the truth is that merchants pay a lower interchange fee to banks and the card brands when they can use PIN.

The powers-that-be behind EMV, however, are arguing a much more pragmatic rationale. To get to that better security place, the brands must first get consumers to use the chip. Clearly, if the chip isn’t used, no security improvements at all can happen. Their rationale is that U.S. consumers—unlike their European chip-and-PIN-using consumer counterparts—have gotten used to signing for magstripe transactions. With their eye solely on consumer acceptance, they saw an additional change to be a bad idea.

In other words, the consumer already had to shift from swiping to dipping. Why make them also switch from signing to keying in a PIN?

One big problem with that argument is that U.S. consumers had already gotten quite comfortable with entering a PIN, thanks to many years of ATM and debit card transactions.

Another problem: EMV on top of mobile payments does not mesh very well. Why insist on a signature after a payment that has already been authenticated with a scan of the shopper’s finger? And yet some processors implemented that very process. Why? It has been blamed mostly on software that didn’t let a processor know that a mobile payment had already authenticated the user.

Also, a popular mobile checkout system with one brand of Android phones—SamsungPay—doesn’t typically deliver the security benefits of mobile. The most common SamsungPay transactions are actually mimicking magstripe transactions and are processed as though they truly are magstripe.

Faster checkout strategy makes things worse

As any merchant would confirm, there’s no payment problem so bad that Visa and Mastercard can’t make it worse. When merchants and shoppers started to complain about how much longer EMV transactions seemed to be taking, they came up with a similar remedy. And that remedy is slowing down EMV consumer acceptance even more.

The problem with transaction time is perception. In a magstripe transaction, a quick swipe of the magstripe is all that’s needed. Yes, sometimes it takes a few swipes, but it’s relatively quick. EMV transactions instead force the shopper to insert their card into the reader and let it stay there while all products are scanned and accepted.

The reality is that this doesn’t make any material difference to the checkout time. If a shopper is at a supermarket and is purchasing 58 items, the vast majority of that transaction time involves scanning each product. It doesn’t make the checkout take any longer because the card is sitting in the slot—but it will feel longer to the shopper.

The card brands’ answer was to provide a faster—and slightly less secure—way to handle EMV called Quick Chip, that allows shoppers to insert and remove their card in just a couple of seconds. Let’s set aside the question of why this method wasn’t used initially. The problem is that it’s only being pushed for a small portion of retailers. It’s being used for convenience stores and a few other segments where speed is considered crucial.

What’s the problem with that? It’s going to slow down acceptance as shoppers will not only have very different experiences as they move from merchant to merchant. Some will reject the chip and insist on a swipe, others will accept the chip and insist that it be removed right away and others still will want the card left in during the full checkout. If the goal is to accelerate shopper acceptance of EMV, this is a wonderfully bad way to do it.