Six months after the US EMV liability shift, where do we stand?
By Andrew Molloy, director of product, Ingenico Mobile Solutions
Six months into the EMV liability shift is a good time to reflect on how the transition to EMV has gone for merchants and consumers using mobile POS (mPOS) solutions.
According to Ingenico Group survey data, most consumers today have at least one chip card in their wallet, so they are ready for EMV. But not all merchants are.
Most Tier One merchants have completed their EMV migrations or are far down the path of upgrading their payment infrastructures – including fixed, wireless, and mobile point-of-sale (mPOS) devices – to start accepting chip cards. Many smaller merchants seem to be taking a wait-and-see approach on EMV, even though the impact of fraud can be more devastating for them on a relative basis.
Looking across all merchant tiers, the devices that are currently least likely to be upgraded for EMV are mPOS devices. While today this segment is largely made up of SMBs using tablet- or smartphone-based solutions (think PayPal and Square readers), it also includes large merchants using mPOS for in-store activities such as line-busting and for out-of-store activities such as delivery, home services and pop-up stores.
Roadblocks to EMV-enabled mPOS
You might be surprised at the lag in EMV adoption among mPOS users. After all, mPOS devices should be easier to upgrade than fixed terminals. They are smaller, more portable and typically run on cloud-based software, which is easier to update than the embedded payment applications that run on most fixed terminals. So why aren't merchants upgrading? It's not necessarily the merchants who are to blame, as there are several other factors that come into play:
- EMV solutions are much more complex to develop than magstripe. Performing an EMV transaction, where there are multiple streams of data sent back and forth, is a lot more complex than performing a traditional magstripe transaction. Therefore, many of the developers, system integrators, and independent software vendors (ISVs) who build the POS applications that these merchants run on their tablets and/or smartphones have not been able to develop EMV-capable versions. This is especially challenging for the ISVs and developers whose core competency is not payments.
- EMV certifications are expensive and time-consuming. Even when the ISVs and developers are able to build EMV-capable mPOS applications, they are required to integrate their application with an EMV-certified mobile card reader and with their acquirer/processor of choice. After performing the technical integration, the ISV must submit its solution for certification by both the acquirer/processor and the card brands. This certification is for the end-to-end transaction, and therefore this process must be repeated whenever changes are made to any of the system components (mobile app, card reader, gateway, etc.). Certification can take a few weeks or a few months and each one can cost anywhere from $10,000 to $100,000.
- Then there are the long certification queues. Thousands of ISVs applied for certification slots in advance of the Oct. 1, 2015 liability shift deadline, resulting in a large backlog of requests. Acquirers were forced to prioritize requests, and mPOS often took a backseat. The net of all this is that many ISVs have still not been able to provide a certified, EMV-capable mPOS solution to their existing merchant customers.
- Unlike magstripe readers, EMV-ready card readers are not free. Even the few ISVs with an EMV-capable solution and the necessary certifications are finding that many merchants aren't yet upgrading their mPOS solutions for EMV. A primary reason is cost – unlike magstripe readers that were often given away for free, EMV-ready mobile card readers typically come at a cost, since the technology required to read chip cards is much more advanced, and the hardware itself is more expensive to produce. More price-sensitive merchants may decide they aren't ready to make the investment in a new system. Inertia may also play a role here, as some merchants are simply comfortable with their existing mPOS solutions and don't feel compelled to upgrade just for EMV.
The future for EMV-enabled mPOS
The aforementioned backlog of certification requests is loosening up, meaning that mPOS solutions put on the back burner by acquirers/processors will finally be certified and available to merchants in the second half of 2016. In addition, some mPOS hardware and software providers are now offering new development toolkits and pre-certified solutions that help accelerate time-to-market and merchant upgrades. These solutions are also helping to foster innovation by allowing developers and ISVs to focus on building new mPOS applications with even more advanced capabilities, rather than spinning their wheels trying to develop secure EMV payment acceptance for their mobile apps.
Consumers are also becoming accustomed to their new EMV cards and will start to expect to see EMV readers wherever they shop. Thanks to education efforts by card issuers and large merchants, consumers are becoming more aware of the security benefits of EMV. That means merchants who don't provide EMV payment capabilities may suffer from negative consumer perceptions, which play out in the form of lost customer loyalty and damaged brand perceptions. These factors will help expedite merchant mPOS EMV upgrades.
Consumer demand for NFC payment capabilities (such as Apple Pay) can also accelerate mPOS EMV upgrades, since some of the latest EMV-ready mPOS solutions also support NFC transactions.
Finally, we believe security concerns and potential liability from card fraud will ultimately drive merchants to leave magstripe behind. Just as water always finds the lowest point, card fraud will make its way down to the least protected merchants – those without EMV. According to Business Insider's "The US EMV Migration Report" (Nov 2015), "Fraud will move to the weakest channel. In 2014, the US generated almost half of the world's total card fraud despite only comprising one-quarter of transactions. That's because the US had the least secure payment card ecosystem." Thus, it stands to reason that once US merchants implement EMV broadly, card fraud will migrate to the remaining merchants without those protections. Unfortunately, some merchants won't make the move until they personally experience the impact of fraud liability – a potentially costly event. Randy Vanderhoof, head of the EMV Migration Forum, has said, "One bad transaction resulting in a charge-back will cost more than the EMV upgrade for most small businesses."
So now that we've made it through the first six months since the EMV liability shift deadline, it's time for Phase 2, which will include a greater focus on mPOS. Phase 1 was getting the first chip cards in the hands of consumers and having the large merchants ready with payment acceptance solutions that would accept chip card payments. It also involved training of cashiers and getting consumers used to dipping their cards instead of swiping. We can now check that box.
Merchants need to remember that while there may be an up-front expense to upgrading their mPOS system to support EMV, the ROI is there, due to reduced fraud risk, fewer chargebacks, the ability to accept multiple forms of payment, and improved customer perception and loyalty.