When the Chips Are Down

Surveys show significant movement in both sentiment and action among retailers for deploying EMV-compliant pumps.

When the Chips Are Down

October 2020   minute read

By: Jerry Soverinsky

Late last year, Visa published a security alert, “Cybercrime Groups Targeting Fuel Dispenser Merchants.” The headline raised few eyebrows among fuel retailers, who had grown accustomed to skimming attacks at the forecourt.

While a patchwork of low-tech measures helped retailers identify basic skimming efforts—an intact piece of red tape across the dispenser door, for instance, confirmed the integrity of the dispenser cabinet—Visa’s December 2019 alert indicated a more sophisticated and disturbing effort. Initiated far from the dispenser and sent via email to one of the retailer’s employees, the successful phishing attack allowed the attackers access to the company’s POS environment, which included its fuel dispensers. From there, the criminals looked for likely credit card data stored from mag stripe transactions and, well, you know the rest of the story: Skimming via phishing.

The incident was just one of hundreds of skimming attacks across the country that collectively contributed to more than $300 million in counterfeit fraud at outdoor fuel dispensers last year, according to major card reporting data, a loss that’s projected to reach $451 million this year.

[COVID-19] definitely impacted the supply chain and the technology that’s necessary to do this and roll it out.

It’s little wonder that card brands are requiring retailers to add EMV (chip card processing) capabilities at automated fuel dispensers (AFDs), or else face liability for the rising chargebacks.

Retailers have known about this deadline for several years. October 1, 2017, marked the original deadline for AFD terminals to be included in the global EMV liability shift applying to American Express, Discover, MasterCard and Visa transactions.

In early 2017, NACS Magazine wrote about the challenges convenience retailers faced in complying with the original deadline. The card brands, acknowledging deployment backlogs, offered an extension to October 2020.

Conexxus published its “EMV Preparedness Survey” in August 2019, detailing the awareness and readiness for retailers to upgrade their payment capabilities at their AFDs. (Look for those results in the December 2019 issue.) Six months later, it distributed a second survey to gauge preparedness, and just as retailers were responding, COVID-19 struck, interrupting many of their efforts to become EMV-compliant.

“[COVID-19] definitely impacted the supply chain and the technology that’s necessary to do this and roll it out,” said Dan Harrell, chief innovation officer with Invenco, during a NACS Convenience Matters podcast earlier this year. “It’s definitely impacting the service personnel who are available to do these installations, too.” In late March, NACS sent letters to Visa, Mastercard, American Express and Discover on behalf of its retail members to request a delay in the EMV fraud liability shift, citing complications from the coronavirus. Other groups also requested a delay, and in May, the card brands moved the liability shift date to April 16-17, 2021.

As a result of COVID-19 and the delayed deadline for the AFD liability shift, Conexxus fielded a third survey from August 19 to September 4. Results of both the spring and fall 2020 surveys indicate that there has been significant movement in both sentiment and action among retailers for deploying EMV-compliant pumps compared with last year.

And the Survey Says …

Full contact
The numbers reveal a tangible change of retailer sentiment and readiness for fuel island contact EMV (2019 vs. 2020).

Contactless
COVID-19 has impacted retailers’ intentions to deploy contactless EMV at their fuel islands. While 51% of respondents in the spring survey said they’d either implemented contactless EMV or intended to do so pre-COVID-19, the number rose to 74% after the pandemic began.

In the fall survey, nearly 81% of respondents said they’d deployed or are planning to deploy contactless EMV outside. The percentage of undecided responses held at 13% post-COVID-19, compared with 40% in the pre-pandemic responses.

Key Callouts

The survey results reveal compelling information about retailers’ appreciation of EMV-related risks. “In the 2019 survey, a lot of merchants didn’t understand the risk of not implementing EMV, they wanted to wait to see what happens,” said Linda Toth, managing director of Conexxus. “Now they realize that there’s a big risk in not upgrading. All it takes is one incident to put them out of business.”

One incident?

“One incident,” Toth said. “For a presentation at the 2019 NACS Show, we gathered fraud data from three of the four card brands and extrapolated per-store average liability for stores that are non-EMV compliant.” According to major card brand reporting as of September 2019, counterfeit fraud is projected to reach $451 million this year. “That’s huge,” Toth said. “Those are the numbers that the banks have been absorbing on our behalf, and that’s going to all switch to retailers who don’t upgrade.”

Using a 23% year-over-year increase in fraud numbers (a historical average) and after the liability shift, Toth estimates a non-compliant site faces an average of $12,000 to $13,000 in liability costs in 2021; a figure that jumps to more than $31,000 in 2022. All it takes is one incident.

To appreciate how much that figure could rise, Toth urges retailers to obtain their fraud data. “If you’re branded, reach out to your brand and find out the numbers,” Toth said. “If you’re a wholesaler or independent, reach out to your processor. And if you’re large enough to have a card rep, they can get you the data.”

Show Me the Money

Ultimately, the 2020 surveys reveal that financial and resource challenges pose an ongoing threat to compliance, especially for small retailers. “It comes down to cost,” Toth said. “The industry is struggling to pay for EMV, and how the retailers can pay for this is a big challenge.”

That applies to both replacement of the physical pump itself, which Conexxus estimates costs about $18,000 each, or doing a retrofit and replacing the payment devices at the pumps with new, EMV-capable readers, which can be more affordable. “The savings on doing a retrofit versus a pump replace can be anywhere from 20% to 60%,” said Bill Pittman, senior vice president of sales and strategy at SoundPayments, in a NACS Convenience Matters podcast earlier this year.

The pricing is per-pump, so for a small retailer with a handful of stores and several pumps per site, the total cost can reach in the hundreds of thousands of dollars—a lot of money even during the most prosperous economic times. But in the middle of a global pandemic? Well, the money is much harder to come by, and some may decide to accept the risk, an unfortunate gamble that Toth insists will not pay off.

“Chargebacks are not a matter of if, but when,” she said, adding that Conexxus has heard from “many merchants” who had stores without a fraud incident and who did not appreciate the full risk of non-compliance  until “one store got hit, and it was an astronomical cost” that would have shuttered the business if it occurred after a liability shift.

Money and Other Issues

Toth recommends that retailers consider opportunities to finance the upgrades, gaining both compliance as well as functionality that may help build your brand. “If you choose to replace your dispensers, the newer ones will have features that could help you attract new customers,” she said. Additionally, finance companies understand the mandate for retailers to become EMV-compliant, and there’s a willingness to work with retailers.

If new pumps are not an option, consider a less expensive retrofit, or even leasing. “At least one supplier offers a solution where you can lease the equipment month to month,” she said. “It makes
it a lot more affordable to get EMV.”

It’s not just money that is preventing retailers from deploying EMV at their pumps. According to the Conexxus fall survey, even for those who are committed to the change, the top obstacles to achieving 100% deployment include: waiting for certification (27%), lack of available software (30%), effort/complexity (27%) and COVID-19, financial challenges, technician availability, among other reasons (34%). (Respondents could choose multiple reasons.)

COVID-19 as Catalyst

Both the spring and fall 2020 surveys indicate that the COVID-19 pandemic proved to be a catalyst for owners/operators deciding to deploy contactless payments on the forecourt. For retailers who are still undecided about implementing it, 60% cited additional upgrades as a reason holding them back, 40% cited cost and 30% cited other issues, including low demand and concerns about investment returns.

No matter the sentiment, though, both NACS and Conexxus hope that retailers appreciate the significance of upgrading AFDs and take action. Conexxus will present an education session on EMV during this year’s NACS Crack the Code Experience. “Waiting to upgrade could cost you [tens of thousands of dollars] per site over the next [several] years,” Toth said. “I can’t stress enough … can you afford to wait, and can you afford the financial impact?”

Jerry Soverinsky

Jerry Soverinsky

Jerry Soverinsky is a Chicago-based freelance writer and NACS Magazine contributing writer. He can be reached at [email protected].

Share:
Print: