Like thousands of other business owners across America, Bob Webster is facing a critical deadline.
The Charleston-based Palmetto Moon gift and novelty chain owner is scrambling to install new, upgraded credit-card terminals by Thursday.
That’s the date for merchants to switch to equipment that reads new computer chips embedded in credit cards. Pushed by MasterCard and Visa, the chips are meant to thwart credit-card hackers who gain access to personal information more easily via the vulnerable, magnetic strips on cards now.
The chips are encrypted with account information with a new code for each transaction, which requires a different reader than the conventional swipe machines most shoppers are accustomed to using.
European businesses have been using the chips for years, and the U.S. is now playing catchup after a series of server hacks in recent years at some major retailers, including Target.
The Oct. 1 target date is important because, while the switch-over isn’t required, the liability for fraud shifts from banks to merchants and credit-card issuers that haven’t upgraded. The retail industry is calling it the “liability shift.”
“We have them, and we are ready to install them,” Webster, from Palmetto Moon, said. “We don’t want that liability.”
His controller, Brian England, said they should be in all 10 stores in the chain by the first full week of October.
“We are in the process of getting them set up,” England said. “We will have them in some stores by the middle of (this) week.”
At the same time, banks that haven’t updated their cards will still bear responsibility, said Doug Johnson, a senior vice president of payments and security policy at the American Bankers Association.
“Essentially, whoever has the lower level of security will be the one who will be responsible for the unauthorized transaction,” Johnson said.
“It cuts both ways,” he added. “If we don’t deploy the chip cards, we maintain the liability that we have currently.”
Customers at all retailers across the nation do not have to worry about the new readers.
“As the industry works through this transition, consumers will continue to be protected, carrying zero liability for fraud,” said Meghan Cieslak of the Washington, D.C.-based Electronic Transactions Association.
The chip readers work by dipping a credit card into the devices, which come in a variety of shapes and sizes. Many stores, such as Palmetto Moon, will continue to carry the swipe machines as well as the new readers.
“There are still some banks that haven’t issued the EMV cards to customers,” England said, referring to “EuroPay, MasterCard and Visa,” the companies that created the standard.
The changeover does not affect cardholders, but it will take a little longer at checkout than the old swipe versions for new machines to read the encrypted information. The cards have to be inserted and left for a few seconds until the integrated circuit on the chip is read.
“That’s going to cause a little bit of backup during the holidays,” England said.
It might be a year or more before everyone has the new machines, according to the National Retail Federation.
And only about one in six of the 1.2 billion credit and debit cards issued by banks and other lenders in the U.S. has been replaced by the new smart cards, according to the Electronic Transactions Association.
Paying for the upgraded equipment falls squarely on retailers. Total cost: about $8 billion, according to Cieslak.
The new card readers generally cost between $150 to $600 each, depending on how sophisticated merchants want them, she said.
At Palmetto Moon, England said the retailer bought 30, so it will have three at each store. A different model will be deployed later, he said.
Cieslak estimates 35 percent of retailers will have the machines in place by Thursday and 65 percent by the end of the year.
Many merchants have the equipment, but can’t get it tested and certified to use by the deadline, said Liz Garner with the Minnesota-based Merchant Advisory Group.
“The backlog is the availability of the equipment and testing and certifying it,” she said. “A majority of our members have said EMV rollout is a 19-month process.”
For merchants who don’t have the machines or can’t get them certified and up and running by Thursday, they will be stuck with the cost of fraud, said Mallory Duncan, the National Retail Federation’s senior vice president and general counsel.
The new machines can already be found in some stores. Gap, Banana Republic and sister stores sport them at checkout. Other national chains such as Wal-Mart, Target and Home Depot are expected to meet the switch-over deadline.
“They’ve known about this since 2011, so they’ve had a while to get ready,” Cieslak said. “Where we are seeing the big gap is the small merchant. Of stores with only 20 employees or fewer, we are expecting only 4 percent to be ready.”
She said some smaller shops are more fraud-prone than others. “An artisanal cheese shop might have a low fraud rate, but it is important for them to start the process (to get the new readers) because that is where everything is going,” Cieslak said.
Merchants who don’t have the machines yet can guard against fraud by requesting identification and verifying the last four digits of the credit-card account number, she added.
The Electronic Transactions Association expects the new readers to decrease card fraud at checkout by 90 percent over the next few years.
One area where the new chip cards won’t help is online shopping since people don’t have chip card readers at home. Cieslak and others in the retail industry believe that’s the next fertile ground for hackers since there is less security and a lower impediment to stealing cardholders information or using stolen credit cards by computer.
“If someone stole your number online, it would be difficult for them to use it at a merchant but not online,” she said. “The EMV protects you at the point of sale.”
The electronic transactions industry is working on new technologies to deter online fraud.
They include tokenization, which turns account information into a code that can’t be broken, and other forms of encryption.
They “hold great promise,” Cieslak said.
In the meantime, online customers should remain vigilant and keep a close watch on credit-card activity, she said.
Because of the ability of fraudsters to use stolen credit-card information online easily, the National Retail Federation calls the EMV system “a half-baked solution.”
It wants a personal identification number system required with every card in addition to the chip-embedded measure.
“They locked the front door and left the back door open,” said Duncan of the trade group. “We know a significant amount of fraud that takes place in stores will now move online. ... We think they need to put out chip-and-pin cards, not chip-and-signature cards. ... The merchants should not bear the bulk of the burden for flaws in a 50-year-old system.”
The New York Times contributed to this report.
Reach Warren L. Wise at (843) 937-5524 or twitter.com/warrenlancewise.