It’s been less than a year since the massive data breach at Target brought “EMV adoption” into my parents’ vocabulary. Now, in the wake of an even more massive data breach at Home Depot - sometimes called “Big Orange” - the carrot (incentive) for US merchants to adopt EMV technology just got bigger. Here’s why:
- First and most obvious, there may be many millions more fraudulent cards now in circulation, upping the risk of exposure.
- Second, consumers and financial markets do not look kindly on merchants that sustain data breaches. Target provides a textbook example; after its data breach, the Target brand was hurt, sales dove, market capitalization took a big hit and, eventually, the CEO lost his job.
- Third, come October 1, 2015, liability for fraudulent transactions will shift to merchants if they don’t support EMV.
More money, more doing
Absorbing the fraud liability from a data breach could easily devastate any retailer. Even without this added expense, Forbes did some analysis of the financial impact of the Target and Home Depot data breaches and reported:
"Target (TGT) announced in August that its 2013 data breach cost them $148 million, roughly 11 cents per share…. Home Depot could be looking at a similarly-sized (sic.) bill:
"Based on Target’s 11 cent per share cost ($148 million less $38 million in insurance coverage) [Stifel Nicolaus Managing Director David] Schick believes a breach would cut roughly 7 cents from Home Depot’s 2014 earnings per share.
"Schick added, 'Perhaps more importantly, TGT experienced meaningfully weaker sales (-2% to -6%) following the breach announcement despite significant promotional activity (before sales improved after the holiday season) though there were many negative factors at work relative to TGT revenue at holiday.' A sales decline at Home Depot could have a five to 10 cent impact on earnings per share, said Schick. Yet as consumers become more accustomed to breaches of this scale there is a 'diminishing impact' so he would err on the low end of that range."
Fraud liability to shift
Today, merchants and financial institutions shoulder the liability for fraudulent purchases made with stolen account information. The rules of who holds liability are complex, but there is an upcoming dramatic shift in responsibility that dramatically reshapes the landscape.
A recent article in Bank Systems & Technology succinctly sums up the liability shift. It says, “Beginning in October 2015, the canvas will be different - merchants and the financial institutions that have made investments in the most secure EMV options will be protected from financial fraud liability for card-present fraud losses for both counterfeit, lost, stolen and non-receipt fraud.”
Put another way, MasterCard said in 2012 that after October 1, 2015, “This [the liability shift] means that the party, either the issuer or merchant, who does not support EMV, assumes liability for counterfeit card transactions.”
So although I don’t like the color orange – it’s the color of the Clemson Tigers, archrivals of the South Carolina Gamecocks, my alma mater – I do like this Big Orange carrot for EMV adoption. A lot.
Next, what to do about all the card-not-present merchants where EMV terminals don’t exist? That’s a future blog. Your comments and social shares are welcome below.