Updated Sept. 22, 2016
As the one-year anniversary of the EMV liability shift approaches, about 30 percent of the largest U.S. retailers aren’t fully compliant with EMV standards, according to a CreditCardForum survey.
That’s looking up from the last time we did this survey in June — at that time, about 45 percent of the largest U.S. retailers weren’t compliant.
In Sept. 2016, we looked at the Top 20 retailers (by volume of sales according to the National Retail Federation) and found that six still hadn’t completely upgraded their equipment to accept the more secure EMV chip cards. In June, that number was nine, meaning three more retailers have since come on board: H-E-B Grocery, Ahold USA (Giant and Martin’s), and Kmart (owned by Sears Holdings).
For our survey, we used retailer interviews, mystery shopping exercises and publicly available information to determine if a retailer was fully compliant. Full compliance is indicated by a YES in the chart below, while noncompliance or partial compliance is indicated by a NO:
|EMV-compliance status of Top 20 U.S. retailers by sales volume (As of Sept. 2016)|
|Retailer||100 percent EMV compliant (YES/NO)|
|The Home Depot||YES|
|Publix||NO (As of Sept. 2016, Publix is undergoing a chain-wide roll-out, but not yet compliant at all locations)|
|Apple Store (brick-and-mortar)||YES|
|Ahold USA (Giant and Martin's stores)||YES (Sept. 2016 update -- Giant and Martin's stores are now EMV compliant)|
|Sears Holdings (incl. Kmart)||YES (Sept. 2016 update -- Kmart was still in progress when we performed our survey in June. It and Sears are now both compliant)|
|H-E-B Grocery||YES (Aug. 2016 update -- H-E-B has upgraded to EMV)|
|YUM! Brands (Pizza Hut, KFC, Taco Bell)||NO|
The big question is: why haven’t all these commercial giants upgraded – especially given that the deadline (set by the card networks – Visa, MasterCard, American Express, Discover) was last October? We asked Jared Drieling, business intelligence manager with the Strawhecker Group – which recently did a survey that found just 29 percent of U.S. merchants overall are currently able to accept chip cards.
Some merchants may not see the value right now
Upgrading to EMV isn’t required by law. Instead, the card networks have set incentives for upgrading (or punishments for not, depending on how you see it): If a card used in-store is fraudulent, whichever party (merchant or card issuer) is responsible for the transaction not being EMV-compliant will have to cover the costs of that fraud. So, if the bank didn’t issue the customer an EMV chip card, it will be responsible. If the merchant didn’t upgrade its equipment to accept EMV, it will be responsible.
Merchants with a small risk of fraud therefore may not see any reason to upgrade.
“It’s really a return-on-investment decision in the beginning,” Drieling says. “If you’re in a merchant category that typically doesn’t see many fraudulent transactions, what would really be the incentive to spend $500 to $1,000 on new terminals when you can maybe eat the cost [of fraud] if you’re only seeing one fraudulent transaction a year?”
This mindset could explain why fast-food giants YUM! Brands and McDonald’s haven’t transitioned to EMV in the U.S. yet, despite the fact that they have thousands of locations serving hundreds of customers each day.
“Typically when an individual has stolen a card or has a counterfeit card, they’re not going out and picking up burgers and fries,” Drieling says.
But there’s another reason fast-food chains might delay their EMV rollouts: EMV transactions take much longer than swiped transactions. While an extra 20 or 30 seconds may not be a big deal at a clothing or electronics store, it’s a very big deal in an industry that thrives on processing as many low-cost transactions as possible.
“Now you’re adding an extra 20 seconds on each individual customer,” Drieling says. “I think that’s why we’re not seeing a lot of fast-food chains migrating.”
Mobile payments may be the answer to this slow-checkout problem, however. When merchants upgrade their terminals for EMV, those new terminals will have additional features, such as contactless-payment capabilities. These features allow payments via mobile wallets, which, Drieling notes, are secure (tokenization and encryption mean that no card information is actually stored in your phone) and speedy. While few shoppers may have seen a reason to use a mobile wallet before, the inconvenience of sticking a chip card in a slot and waiting 30 seconds for a beep might motivate them – and motivate fast-service merchants to promote Apple Pay, Android Pay, et al.
“So there’s a perfect storm brewing,” Drieling says. “… I think over the next two to three years, mobile wallets are going to become really big.”
Equipment and certification delays
Some merchants want to upgrade, but can’t. While terminal manufacturers have risen to the rush for new EMV-capable equipment, there’s another hurdle: certification. Even if a merchant has EMV terminals (and The Strawhecker Group’s survey found that about 44 percent of U.S. merchants do), before it can start asking customers to dip their chip cards, it needs to have its acquiring bank or payment processor do testing and verify that everything is working as it should be.
This certification limbo explains why many merchants may have terminals with EMV slots but have blocked them with snippets of paper and “Chip coming soon” signage.
“The acquirers are really working to speed up that queue, but that’s your bottleneck,” Drieling says.
So, if merchants knew that the October compliance deadline was coming years in advance, why did so many of the big ones wait until the last minute?
Some of the biggest retail giants did upgrade well before the deadline, Drieling notes – Target, Wal-Mart and The Home Depot were among them. Such retailers, Drieling says, often have an internal team dedicated to payments processing, the resources to upgrade and a big reason for doing so early.
“Obviously they’re well educated on EMV and knew the risk of not upgrading,” Drieling says. “You can imagine if Wal-Mart started having to eat the cost of all those fraudulent transactions.”
Other retailers may not have started the process until the October 2015 deadline was imminent. Many more waited until after the holiday season before disrupting their payment systems.
“What you saw after January 1st was just a rush,” Drieling says.
Hence, the current certification bottleneck.
The consequences of being sleeping giants
Will large retailers get burned by delaying compliance? Low-risk merchants may not be. But some merchants who were previously considered a low fraud risk may start seeing more fraudulent transactions as thieves start to see them as a window of opportunity.
With big-box and electronics stores largely EMV compliant, thieves, Drieling says, have started to jump to once lower-risk places like grocery stores – which, according to our surveys, saw the biggest leap in compliance since June. Two large grocery chains (H-E-B and Ahold USA) have since upgraded, and Publix is in the process of doing so.
“There’s a big black market for baby formula, for example,” Drieling says.
The profit margins of supermarkets are already razor thin, meaning footing the bill for fraudulent purchases “is probably starting to eat into their profitability,” Drieling says.
We’re really not that far behind
The fact that half of the largest U.S. retailers aren’t EMV compliant may look bad. However, Drieling says, the U.S. isn’t necessarily adapting more slowly than other countries that have already migrated to chip cards. Other countries took years to migrate, and they were smaller markets.
“By far, the U.S. is the most complex payments environment there is,” Drieling says. “When you think that we’re not even a year in, and about half of merchants have their hands on a terminal waiting for activation, comparatively speaking, I think we’re well ahead of the curve.”
Updated Sept. 22, 2016