05.12.16

As Problems and Delays Plague Transition to New Chip Credit Card Readers, Durbin Calls on FTC to Protect Small Businesses, Consumers

WASHINGTON—U.S. Senator Dick Durbin (D-IL) sent a letter to Chairwoman Edith Ramirez of the Federal Trade Commission (FTC) requesting guidance to protect consumers from credit and debit card fraud and help businesses navigate the transition to new credit card readers that work with EMV (Europay MasterCard Visa) chip technology.

 

I am concerned that problems and delays in the EMV certification process are imposing costly burdens on small- and medium-sized businesses and leaving consumers’ card transactions vulnerable to fraud,” wrote Durbin. “I urge the FTC to examine how flaws and delays in the certification process can be addressed so that businesses and consumers can be better protected from these harms.” 

 

Durbin has repeatedly raised concerns about the practices of major credit card companies, including their effort to transition the U.S. payments system to EMV technology which is widely used in the rest of the world.  This effort has been plagued by delays, costs and inadequate security measures.  In March, Durbin called on the Chairman of EMVCo—an organization that controls the specifications governing credit and debit card chip technology—to explain whether the deployment of this technology in the United States is adequately preserving competition and protecting consumers. You can read EMVCo’s response to Durbin’s letter HERE.

 

Durbin again pressed EMVCo in a new letter today, saying, “It appears that EMVCo is run by the big card networks for the big card networks. It is time for other stakeholders besides giant card networks to have a meaningful voice in EMVCo’s decision-making process. I urge you to begin incorporating other stakeholders into EMVCo’s governance to accomplish this goal.” 

Full text of Durbin’s letter to the Chair of the Federal Trade Commission below and HERE:

 

May 11, 2016

 

The Honorable Edith Ramirez

Chairwoman

Federal Trade Commission

600 Pennsylvania Avenue, NW

Washington, DC 20580

 

Dear Chairwoman Ramirez:

 

I write to obtain information from the Federal Trade Commission (FTC) regarding the process of EMV (Europay MasterCard Visa) payment system certification.  I am concerned that problems and delays in the certification process are imposing costly burdens on small- and medium-sized businesses and leaving consumers’ card transactions vulnerable to fraud.  I urge the FTC to examine how flaws and delays in the certification process can be addressed so that businesses and consumers can be better protected from these harms. 

 

It has now been over seven months since payment card networks implemented their October 2015 shift to EMV technology in the United States.  As part of this shift, card networks and their card-issuing banks added EMV chips to consumers’ credit and debit cards and announced that any merchant that did not use a card’s chip for conducting transactions would bear the cost if a fraudulent transaction occurred with the card.  Many small- and medium-sized businesses have spent significant amounts of money upgrading their checkout counter terminals and software systems to accept EMV chip cards, but so far have been unable to actually use those systems because of lengthy delays in getting the hardware and software certified for use.  For example, I recently heard from a grocery chain with stores in Illinois and several other states that has spent an estimated $385,000 purchasing 770 upgraded card readers at a price of $500 each, but that has been unable to use the equipment due to repeated delays in obtaining certification.  As a result, customers are forced to continue using fraud-prone magnetic stripe technology for their card transactions while the chip readers remain idle.

 

The EMV certification process is opaque and confusing, with each card network requiring its payment processors and equipment providers to test and certify a merchant’s hardware and software for compliance with network-specific requirements that are largely derived from EMVCo specifications.  The certification process can last for months, yet some of the technical requirements were not even made available until shortly before the October 2015 shift to EMV technology.  Payment processors and other providers have been slow to conduct certifications for small- and medium-sized merchants; so far only a fraction of merchants who have sought certifications have been able to obtain them, and the merchants who have been stuck in the certification queue are at increased risk of being victimized by fraud because of their inability to use their chip readers.  This fraud creates significant inconvenience for consumers, who must replace their cards, and significant costs for merchants, who are now being held liable by card networks for fraudulent transactions in addition to the costs they incurred to upgrade their technology (not to mention the hefty swipe fees that merchants are also charged on each transaction supposedly to cover fraud costs in the payments system).

 

In short, the delays and problems caused by the EMV certification process require prompt attention and oversight.  Accordingly, I ask that you please respond to the following questions within 30 days: 

 

1.      Has the FTC examined, or is it planning to examine, the EMV certification process to determine if the process is functioning effectively to advance the goal of preventing fraud in the electronic payments system? 

 

2.      Does the FTC have information about how many merchants have been unable to obtain EMV certification because of delays?  If so, please provide that information.

 

3.      Has the FTC sought information from any of the following entities regarding their role in the EMV certification process? 

a.       EMVCo

b.      card networks

c.       card-issuing financial institutions

d.      merchant acquirers

e.       payment processors

f.       equipment providers

g.      the PCI Security Standards Council

h.      merchants

If so, have the entities been forthcoming in providing information about their role and responsibilities in the process, including their responsibilities in determining liability for fraud that occurs?

 

4.      Has the FTC examined whether businesses and consumers have been adequately informed about the EMV certification process and the roles that each participant in the process plays, so that businesses and consumers can better ensure that problems in the certification process do not leave businesses and consumers at greater risk of fraud? 

 

5.      Has the FTC examined, or is it planning to examine, the amount of resources that payment card networks, financial institutions, payment processors, and other equipment providers have made available to help certify merchants’ hardware and software for EMV compliance?

 

6.      What steps will FTC take to address any flaws identified in the EMV certification process?

 

Thank you for your attention to this matter.  I look forward to your response. 

 

Sincerely,

 

RICHARD J. DURBIN

United States Senator            

 

-30-