Stop by any Xpress Stop convenience store in Kennebec County, and you will see the result of the credit card industry’s effort to give itself, consumers and merchants a greater level of security from fraud.

In the place of the credit card machines that read only magnetic stripes are machines into which you can dip your chip card, if you have one, for a transaction that’s expected to be far more secure.

“It’s a confusing thing,” said John Babb, president of J&S Oil Xpress Stop, “and it’s still a changing thing as well.”

Because credit and debit cards are where the money is, that’s also where a steady and increasing amount of crime is taking place. In the last few years, data breaches at national retailers such as Target, Nieman Marcus and Home Depot have put encoded financial data on the magnetic stripes of millions of customers’ cards in jeopardy.

At a far more localized level, skimmers have been used to steal the information encoded on magnetic stripes of customers at restaurants, ATMs and gas pumps. The data is used to make purchases online or produce counterfeit cards. Credit and debit card holders are generally not liable for fraudulent charges, but banks, credit card issuers and the targeted merchants are generally on the hook for lost money or merchandise.

The new machines employ EMV chip card technology. EMV stands for Europay, MasterCard and Visa, the companies that created the standards for so-called chip cards and the terminals that read them.

Advertisement

Credit and debit cards now share information via the magnetic stripe on the back of the card. The information encoded in the stripe doesn’t change, so any card reader has access to the same data transaction after transaction. And if the data on the stripe is stolen, it can be copied over and over again.

With chips, each time the card is used, a unique and momentary transaction code is created; it can’t be duplicated, so it’s expected that extracting sensitive consumer data will be much harder.

To satisfy the calls for more secure transactions, the technology is in place on much of the rest of the planet, including Canada, where Babb traveled recently.

“The process is cumbersome,” he said. “You have to wait for the machine to read the card and then you have to remember to take the card when you are done.”

To satisfy demands for more secure transactions, the U.S. card industry promoted converting to the chip system and set a series of deadlines for conversion. The first was October 2015, for point of sale machines in stores.

The conversion is rolling out unevenly, for two reasons – not all consumers have chip cards yet and not all chip card terminals are hooked up and ready to go.

Advertisement

Large banks started sending out chip credit and debit cards midway through 2015. Regional banks have rolled out the technology a little more slowly.

Craig Garofalo, senior vice president and chief operations officer at Kennebec Savings Bank, said credit card customers at his bank started getting the chip cards in December, and debit card holders are getting them now. Credit and debit card transactions use different networks to approve transactions, Garofalo said, hence the different schedules.

“It was very confusing leading up to October,” he said. Early questions came from customers who traveled abroad and were finding that their magnetic stripe cards weren’t always accepted. The next round of questions, he said, came at the time of the industry-imposed deadline on Oct.1.

“In our customer communications, we told them this will be more secure for them,” he said.

THE BIG STRUGGLE

Not all customers have been paying attention.

Advertisement

Sam Clark, who lives in Manchester, said he hasn’t heard a lot about the change and he’s not sure whether he has a card with a chip. He’s well aware that banks will block suspected fraudulent transactions, and he tries to be careful about how he uses his card, particularly online.

“I have mixed emotions about this,” Clark said. “I say yes, from the security standpoint, it makes sense. But it’s always going to be a battle with the people who will try to take your money.”

Allison Seaboyer, from Biddeford, was shopping recently in Hallowell. She said of the cards she carries, more don’t have the chip than do. Banks have reissued cards to her in the past after apparent data hacks – they don’t always say why – but so far she has never lost any money as the result of a hack or a fraudulent transaction.

If Seaboyer were to stop at the Xpress Stop on U.S. Route 201 in Farmingdale, she wouldn’t be able to use her chip card yet, but it’s not because Babb doesn’t want to comply.

He has installed the chip card readers at the eight convenience stores his company operates across central Maine at $500 a pop, but the software that supports the machines isn’t ready to handle the processing yet.

“Our software provider has been promising a solution for eight months, but we don’t have it yet,” he said. That’s an additional cost, maybe several thousand dollars. If he opts to change software providers, it could cost tens of thousands of dollars.

Advertisement

Babb also faces the expense of changing out the card readers at the gas pumps, but the industry deadline for that is still more than a year away. Even so, with five pumps serving 10 fill-up spots at each of eight gas stations, plus the software upgrade to process the transaction, the bill jumps considerably.

The cost of this conversion is being borne entirely on the merchants’ shoulders.

In Hallowell, Scrummy Afters Candy Shoppe co-owner Kim Davis talked about the shop’s transition to the chip card technology.

“We are in the process now,” she said. “It’s not easy to figure out what the charges are and which system is the best.”

She expects to have her new system up and running by March 1.

For small merchants such as Davis, the task of finding a processor can be daunting.

Advertisement

“We advise our members to do their homework,” said Curtis Picard, executive director of the Retail Association of Maine. “We tell them to look at the machine and the processor and understand how long the contract is that they are being asked to sign. If your machine goes down and you can’t reach anyone to fix it, you are in deep water, particularly on a holiday weekend.”

The association has a solution for members, working with its counterpart, the New York State Retail Council.

“What carried the most weight, aside from the good rates, is we know these people and if we have any problem, I can call the head of the council and we can get it worked out,” he said.

THE BIG QUESTION

The shift that happened in October, at its core, was a liability shift, Garofalo said.

Before that date, consumers were protected from loss if their cards were stolen or cloned and used. After that date, consumers are still protected.

Advertisement

During this period of transition, the liability shifts from the card issuers and banks to merchants who are not in compliance with the new industry-mandated technology upgrades.

It’s a significant incentive to reach compliance. In 2014, credit and debit card fraud resulted in losses totaling $16.3 billion, according to CardHub. Card issuers incurred about 60 percent of those losses, generally at the point of sale. The other 40 percent, incurred by merchants, were through transactions where the card isn’t present, as is typical of online, call center or mail order transactions.

But it can be a significant hammer for small businesses. Magstripe readers for smart phones have been available free or for nominal fees, depending on the provider. The chip card readers, some of which were not immediately available in October – right in the middle of the holiday shopping season – cost anywhere from $30 to $140, although rebates may bring prices down.

Babb, still waiting for software upgrades to reach compliance, is subject to the hammer as well. While he is in limbo, he’s waiting to see whether fraud will gain a foothold and affect his sales. If a transaction is flagged as fraud, he’ll be out the cost of merchandise. A carton of cigarettes at $50 added to a tank of gas and a couple other things, and the loss in a single transaction can add up fast.

“And if you don’t catch them, they will be back,” he said.

Babb isn’t even sure that the new system will deliver on its security promise.

Advertisement

Two options are available in chip technology: chip and signature or chip and PIN. The system being implemented here is the chip and signature option. But the more secure option is the chip and PIN, which requires a personal identification number to complete a sale.

“It would have been great to have chip and PIN,” Picard said. “I have two chip cards. Anyone could steal them and fake my signature. But if I had a PIN, the card wouldn’t be able to be used. That would be a nice step going forward. As it is, we are going only 90 percent of the way.”

Neither option, however, will stop someone from using a stolen card online.

Despite the gray area that Babb and other small retailers now find themselves in, there’s no going back.

“Credit and debit cards are so integrated in society that the card issuers and processors can tell retailers to upgrade or lose the ability to take their cards, or take the chance on liability,” Babb said, “because you are not going to say you are not taking the card.”

 


Only subscribers are eligible to post comments. Please subscribe or login first for digital access. Here’s why.

Use the form below to reset your password. When you've submitted your account email, we will send an email with a reset code.