Deadline for EMV chip cards is here – SMBs aren’t ready

Deadline for EMV chip cardsOctober has plenty of frights for retailers this year. This month marks the deadline for all U.S. merchants to use the new EMV chip card standard to process payment card transactions.

The computer-chipped cards are intended to cut down on credit card fraud. The deadline to comply was Oct. 1.

Merchants who fail to accept the new EMV cards are now liable for all fraudulent card-present transactions on their systems.

So if a thief makes an in-store purchase with a stolen credit card, and the store does not use the new chip-card method to process the transaction, then the store owner (not the bank) is required to cover the loss.

This “liability shift” has scared many U.S. businesses into changing their systems before the deadline. But not everyone has complied -- especially small businesses.

Small businesses miss the EMV deadline

Fewer than one in four (22%) of SMB retailers are ready for the EMV deadline, according to research from Software Advice.

Since this data was published in September, it’s safe to assume that today the number of SMB retailers who are ready for EMV cards is above 22%. However, it’s also safe to assume that the number is still well below 50%.

So more than half of all small retailers are not EMV compliant. Since the deadline has come and gone, they now have to shoulder the amount of any fraudulent card transactions in their stores.

This is a prime selling opportunity for IT service providers who provide card terminals, POS systems, and other retail services. These merchants may not realize that their entire business is at risk – so tell them and sell them a solution.

Related – PCI DSS for IT Providers: See how the rules apply to your business

Most SMBs need your help on EMV

Of the small businesses that do not have EMV technology, most are aware of the problem. About 67% say they either don’t have the time or it’s too expensive, as you can see in the chart below from Software Advice.


Almost 25% say EMV is unnecessary, which is surprising. Maybe they do not realize the liability they’ve taken on? Or perhaps they do not consider payment card fraud likely at their stores?

A final 10% simply don’t know about the chip-card rules. So if we do some math:

  • 35% do not have time
  • 23% say it’s unnecessary
  • 10% don’t know about EMV

Together that’s 68% of the available SMB market that needs more information about EMV cards.

As an IT service provider, you can provide this education, become a trusted advisor, and land more sales. If the client does not have time, then convince him it’s a priority. If he says it’s unnecessary, show him the liability. And if he doesn’t know about EMV – tell him.

Small business may be targeted

Deadline for EMV chip cards 2If small businesses aren’t hungry to learn more about EMV cards, then their appetite might grow in the months ahead.

Major retailers such as Wal-Mart, Target, and Costco, can already process chip cards. The improved security at large retailers is likely push criminals to other targets. Some are expect to move to online with card-not-present fraud. Others may continue with card-present fraud but move on to easier targets, such as a small businesses.

Criminals tend to follow the path of least resistance. They will not struggle to make a fraudulent purchase at a major retailer when they can go to a mom-and-pop shop that does not use EMV and make the same purchase without a hassle.

Not only do large retailers have better security than SMBs, they’re also large enough to absorb more of the cost of fraudulent transactions. A few big charge backs are not going to put Wal-Mart on the edge of collapse, but they could crush a small local business.

Once small business owners are forced to pay a few chargebacks for card-present fraud, more of them will adopt EMV technology. The only alternative will be to put the entire business at risk. Adopting chip-cards will seem like the cheaper option.

Sales opportunity continues for EMV

For IT service providers, this is a great time to find new clients and expand service. If you clearly demonstrate the risk taken by failing to adopt the EMV standard, then you will be more likely to persuade clients to upgrade.

You can also encourage clients to cover another aspect of their payment card liability: PCI DSS. While EMV cards protect the transaction, the PCI DSS regulations require merchants to secure their networks to protect cardholder data. Otherwise they risk huge penalties and fines.

Try to convince clients that they need to secure their transactions with EMV and also secure their data with PCI DSS. If they don’t want to proactively tackle the problem, then maybe they’ll come around in 6 months after they’ve had a few data breaches or fraudulent charges.

Related – PCI DSS for IT Providers: See how the rules apply to your business

Disruptions are expected

Change is never easy, and changing to EMV chip cards is no different. The cost of the technology, the cost of training staff, and even the cost of upgrading a store’s internet connection can add to the burden.

When EMV technology came to the U.K., merchants found their dial-up connections were too slow to process the transactions efficiently. The encryption used in the chip-cards and the amount of data that needed to transfer slowed transaction times dramatically.

The result: more small businesses upgraded to broadband. Retailers in the U.S. who are using dial-up will likely feel pressure to do the same.

Online credit card fraud expected to rise

The U.S. is behind many other countries in EMV adoption. One upside of the country’s delay is that we can use the trends seen in other countries that have adopted EMV to predict what will happen in the States.

Canada, for example, introduced the cards in 2008 and immediately saw declines in card-present fraud, according to data from the Canadian Banker’s Association.

EMV-chip-card-not-present-lossesHowever, the drop in card-present fraud coincided with a rise in card-not-present fraud. Criminals merely shifted tactics from one type of fraud to another.

Can we expect a similar shift in the U.S.? Probably. As adoption of EMV technology spreads, credit card fraud will likely decline in brick-and-mortar stores and increase online, but the shift may take years.


Related resources

5 New PCI DSS Rules as ‘Best Practices’ Change

Changes in PCI DSS Version 3.1: What You Need to Know

PCI Compliance: 80% of merchants fail to maintain it

PCI DSS Security: Banks don’t want you to comply

PCI DSS for IT Providers: See how the rules apply to your business

Written by Calyptix

 - October 8, 2015

About Us

Calyptix Security helps small and medium offices secure their networks so they can raise profits, protect investments, and control technology. Our customers do not waste time with security products designed for large enterprises. Instead, we make it easy for SMBs to protect and manage networks of up to 350 users.
call us
linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram