Susan Sunderland is bracing for a few weeks of glitches and headaches. Like millions of other U.S. businesses, the family-run jewelry chain Sunderland manages is preparing for new rules that go into effect Thursday that increase their liability for credit card fraud.
Sunderland, the vice president of operations for James & Sons Fine Jewelers in Orland Park, Illinois, says she’ll spend about $1,200 to replace seven card scanners with new units that accept more secure chip-enabled credit and debit cards. Then she’ll need to train the employees of her three-store chain on the new system.
This nationwide shift in credit card transactions is an effort to bring the United States into parity with developed countries that have already eliminated the magnetic-stripe card because it's too easy to counterfeit. Most American credit card holders have yet to receive the newer cards from their issuers and only a fraction of U.S. businesses have installed chip-reading technology. Many small businesses, including James & Sons, aren’t convinced the money they're spending on upgrades is worth the trouble.
“We’re vulnerable to credit card fraud because we’re in the luxury business,” says Sunderland. “So we’re obviously going to make the switch soon, in the next week or two. But I’d like to know what really changes with the new card readers,” she added, pointing out that card issuers have always tried to shift liability to merchants in cases of fraud.
Under new payment-processing industry rules, businesses that don’t upgrade their readers to accept chip-enabled cards will automatically be held liable for fraudulent transactions that take place by swiping the magnetic stripes of traditional cards. Under the previous rules, liability would usually (but not always) fall to the card issuers.
The industry, which has been gunning for this change in recent years, says the move is necessary to encourage wider adoption of chip-enabled card technology – and to reduce fraud. Unlike magnetic stripes, the metal chips embedded in credit cards can’t be counterfeited.
“The main reason why the U.S. hasn’t done this sooner is that the cost of fraud was less than the cost of shifting infrastructure,” says Bruce Snell, cybersecurity and privacy expert at Intel Security. “Now we’re the last of the G20 nations to adopt the card-and-PIN system.”
Most credit card companies are initially deploying cards that will use so-called chip-and-signature transactions, which means thieves can still forge signatures at the point of purchase and use stolen chip-enabled cards. The more secure chip-and-PIN system, where cardholders enter a four-digit code during the transaction, won’t be adopted by most card issuers for a while out of concern it would discourage the use of their cards. (Security conscious cardholders can check with their banks to see if their cards can be assigned PIN codes.)
But most U.S. businesses have yet to make the shift to chip-enabled readers.
“These terminals aren’t cheap,” says Matt Shulz, senior analyst at CreditCards.com. “They can cost between $200 and over $1,000. It’s a big deal for these folks. You can definitely see the point the smaller merchants have.”
Which might explain how few of these folks have made the shift. According to a report from BridgePay Network Solutions, a provider of secured transaction services, between 5 percent and 10 percent of U.S. retailers have replaced their traditional credit card scanners with ones that accept the new secure chip cards -- also known as Europay, Visa and Mastercard (EMV) cards. More than six out of 10 credit card holders have yet to receive their replacement EMV cards, as well, according to a CreditCards.com report released Wednesday.
Most of the retailers that have made the shift are big ones.
Last month, Target Corporation (NYSE:TGT) began accepting chip-enabled cards at all of its approximately 1,800 stores, costing the Minneapolis-based retailer about $100 million, according to the company. Reacting to a massive 2013 data breach of customer credit card details, Target also hired Dutch payment security company Gemalto NV (EPA:GTO) to issue new chip-and-PIN versions of their debit and credit REDcards. The retailer had recently begun issuing those store-issued cards.
Caroline Bell, owner of Café Grumpy, a Brooklyn-based six-store coffee chain, says the cost of switching to chip-enabled card readers was relatively low because her stores use Apple iPad-based registers that can be more easily converted. Bell purchased $29 EMV-compatible card readers from Square Inc., her card transaction processor. For Café Grumpy’s 10 registers, the cost of the transition to EMV card compatibility has been about $300 in new hardware. But Bell’s main concern is the added time it takes for each transaction. Unlike the traditional “swipe” of magnetic-stripe cards, chip-enabled cards are inserted into slots and take several seconds to process. “Working through Square, the transition has been seamless,” says Bell. “The one issue we’re thinking about is that those readers take a longer time to scan, which is a challenge in the morning rush.”
Snell says merchants -- especially in businesses where every second counts -- should shop around for readers and systems to see which ones offer the fastest processing time. “You don’t want to wind up in a situation where you’re waiting for minutes for a card to authenticate and authorize a transaction,” he says.
CORRECTION: The original story incorrectly cited Fiserv, a global provider of financial services technology, as the source of the estimate that between 5 and 10 percent of U.S. retailers have replaced their traditional credit card scanners with ones that accept the new secure chip cards. In fact, the source was BridgePay Network Solutions, a provider of secured transaction services.