Despite this extension, it’s likely that many U.S. fuel stations will still not meet the new deadline, leaving themselves open to the fraud liability shift that will kick in after that date.
So, what can merchants do to protect themselves if they’re not ready in time?
The EMV state of play at U.S. fuel stations
As we explained in our recent blog post, card issuers can charge back fraudulent transactions if the merchant is unable to accept EMV cards at the pump after the implementation deadline.
According to Aite Group, as of August 2019, only 13 percent of fuel merchants had fully installed EMV card readers at the pump and only 42 percent were expecting to be fully installed by October 2020. Even with the additional six-month extension, it is clear that a large proportion of fuel merchants will not be compliant in time.
This is largely due to the expense, labor and physical infrastructure replacement that is needed. The cost alone is difficult to manage, with an estimated price tag of $6,000 per dispenser, or $55K per fuel station. With these costs, it’s easy to see why for many who own only a few stores, the effort to upgrade is probably not financially viable. For those who are implementing, there’s also a shortage of resources needed to change the equipment, impeding their ability to meet the deadline.
How much of a fraud problem is there?
There are millions of fake cards in circulation that fraudsters can use to steal products and services at merchant locations. Fraudsters seek the path of least resistance to poach and pilfer. Because most payment cards now have EMV chips and most merchant points of service around the world support EMV chip cards ─ fuel dispensers in the U.S. are the path of least resistance for fraudsters. When U.S. merchants (including in-store at convenience and grocery stores) implemented EMV, those that were last across the line became the targets of fraudsters and their fraud losses increased.
The same will be true at the automated fuel dispenser and, in fact, the problem will be greater because fraudsters do not have to go into the store and face a person who can challenge them or call the police – they can just drive off.
Adding to the problem is that fuel merchants have not had to face much in the way of chargebacks, since issuers have borne the vast majority of fraud costs. The liability shift will change this situation dramatically. Most fuel merchants are largely unaware of the volume of fraud going through their business and have poor visibility into the cost of fraud. It’s understandable that many are not prepared. Given the tight margins, justifying an expensive and resource-hungry change such as EMV implementation may not be possible. But there is also a rising cost to inaction.
What is likely to happen after the deadline… or, now what?
The deadline shift will help some merchants solidify their plans, but there will be laggards, and low-priority stores. If a fuel merchant hasn’t upgraded their pumps to enable EMV payments, they will be liable for any card fraud after the deadline. This cost is difficult to predict, but it could be significant.
EMV helps enormously with preventing fraud in card-present payments because it prevents stolen, fake or cloned cards from being used. Fuel merchants who haven’t upgraded won’t just be taking the cost hit on the fraud levels they already had, but they may also make themselves targets for fraudsters who know they can continue to successfully use cloned, stolen or fake cards there.
Developing a fraud prevention strategy
While it’s important to still work towards EMV implementation, fuel merchants also need to make sure they have a broader fraud and data theft prevention strategy in place; one that includes fraud detection, point-to-point encryption (P2PE) and tokenization.
Let’s start with recognizing and stopping fraud. We know there is going to be fraud, so fuel merchants should think like a card-not-present (CNP) or eCommerce merchant and put in place a proper fraud detection and prevention solution. This would check against known black-market databases and additional global consortium data, as well as positive profiling from other merchants and known good customer transactions. This can be done without annoying regular customers who might be frustrated by additional checks.
With alternative and mobile payments, new vulnerabilities will be exposed and it’s best to be prepared for them. The broader shift towards omni-channel payments has made an integrated approach to payments and fraud essential for many merchants.
A fraud prevention solution isn’t an interim measure though – it’s a necessary long-term one. It’s of great value to have a sophisticated fraud prevention solution as an integrated part of the payments acceptance platform. This way, fraud screening (and fraud data capture) can happen across any type of payment made at the pump, in the store, or across the various touchpoints and payment types the merchant chooses to enable. By having this solution in place, merchants can prevent the vast majority of fraud before it happens and avoid the liability altogether, whether they are EMV-enabled or not.
Guarding against data theft
The other side of the strategy is better data protection. While EMV keeps merchants from accepting a bad card, P2PE secures the captured information, protecting it from any data breach. P2PE helps with PCI compliance, guarding against fraud and data theft by preventing hackers or other third parties from reading and exploiting sensitive payments data.
We’ll be exploring the value of P2PE in an upcoming blog post. In the meantime, if you’re a fuel merchant looking to find out more about payments security and mitigating fraud at the pump, I will be leading an NPECA webinar on May 21.
Watch the on-demand webinar: Hi-Octane EMV+ with P2PE and Tokenization
In this on-demand webinar, Dan Coates discusses how adding point-to-point encryption (P2PE) and tokenization to your EMV initiative can help fully protect payments at the pump. With the October EMV deadline being pushed to next April, let’s consider these additional threat protections that will also significantly reduce your PCI compliance and add flexibility to your payment processes.