News Feature | June 8, 2015

EMV Liability Shift Creates Expense That Most Retailers Will Never Recoup

Christine Kern

By Christine Kern, contributing writer

EMV

New IHL research says "EMV Tax" creates unrealistic burden on retailers, mess for consumers

The pending shift of EMV card payment liability scheduled for October 1, 2015 means that if retailers are not compliant by that date, then liability for fraudulent card transactions shifts from the banks to the retailer. Now, new research from IHL Group has found that most retailers will never recoup the expense that EMV imposes and the study says there is a much better approach to protecting retailers and consumers. 

As the EMV transition has been looming, various stakeholders in the industry have been creating resources to try to help make the shift less painful for retailers and payment solutions providers.  As Integrated Solutions for Retailers reported, The Retail Solutions Providers Association (RSPA), the industry association for the point of sale (POS) technology ecosystem, has announced the creation of EMV Central, a new resource page on the RSPA website designed to support the association’s EMV education and awareness campaign. The resource page includes several files for download, including “EMV at a Glance,” and “EMV General Overview,” and “EMV FAQs for Developers.” 

But, as Greg Buzek, President of IHL Group, a Franklin, Tennessee-based retail market research firm, asserted in the release, "The single biggest problem with the EMV mandate is that it is focused on trying to solve last century's problem and completely ignores the reality that retailers are facing today."

"12 years ago when EMV was introduced into Europe it made tremendous sense.  Today, it stands in the way of real data security by stealing critical budget away from focusing on the risks that retailers face from online hackers."

A recent panel discussion on securing mobile and retail payments hosted by Verizon Enterprise Solutions at the NRF Big Show 2015 also highlighted the need to go beyond EMV technology.  Roldophe Simonetti, managing director of compliance consulting at Verizon Enterprise Solutions,  said that while EMV is effective in reducing fraud at the point of sale, “it’s securing one of the many channels we can use to process payment,” adding that EMV in combination with PCI compliance is a better way to improve data security.

What the new IHL research reveals is that the risk of fraudulent cards at the point of transaction is actually relatively small, unless the merchant is in Electronics, Fuel, Mass Merchants or companies that sell gift cards for these retailers, when compared to the other loss prevention and data security issues that retailers face. FIT also shows that over time, fraud simply moves online, as has been demonstrated in EMV implementations in Europe and Canada.

According to IHL, “the risk of breach of customer data, the retailer's real concern, is almost entirely mitigated via end-to-end encryption and tokenization of the transactions.  Basically, if the card data is never on the retailer's network in any usable manner to hackers, it cannot be exploited.” The use of EMV basically is the act of locking the front door to the house, rather than being able to secure all points of entry, as encryption and tokenization can.

"Retailers who simply focus on EMV at checkout without focusing on end-to-end encryption and tokenization in all of their sales channels are actually opening up a significant security hole," added Buzek. "Those retailers who do not put in extra security measures for online and mobile transactions for the holidays will find that their store fraud will simply move online (where EMV provides no protection), and they will still have hackers going after their data."