Gray estimates that across the U.S., merchants will need to either replace or upgrade an estimated 13 million POS systems to be ready for EMV card transactions. "That is a big expense that we are going to have to pass down to the consumer," Taylor said.
In addition, card-issuing banks will need to spend tens of millions to upgrade their networks and internal systems if they want to be ready for PIN debit and PIN credit transactions.
2. Security ROI still iffy
It's not clear if the investments will yield the kind of security benefit that many assume it will.
That's because the EMV standard can be implemented in a variety of ways. A majority of EMV implementations around the world require cardholders to enter a PIN as an authentication measure when conducting a transaction. These kinds of Chip-and-PIN EMV implementations are believed to yield the strongest security benefits.
But EMV can also be implemented in less secure ways. For example, EMV can be implemented simply as a chip card without a PIN, or as a chip card requiring either a signature or a PIN to authenticate the cardholder. Such smartcard implementations still offer more security than magnetic stripe cards, but they are less secure than chip-and-PIN formats.
MasterCard and Visa have left it largely to the card-issuing banks in the U.S. to decide which route they want to take.
But without a mandatory PIN requirement, any move to EMV standards in the U.S. is half-baked at best.
"It is not the enhanced security system that retailers have long-called for," says Brain Dodge, senior vice president of communications at the Retail Industry Leaders Association (RILA). "There is an enormous cost with moving systems to EMV. From the retailers' perspective, the added protection we are getting (from smartcards) is not enough to justify the expense," without a mandatory PIN requirement, Dodge said.
3. Not just a PIN issue
EMV implementation plans in the U.S. also permit the use of a magnetic stripe on the back of the card. This further weakens any benefits that might be gained from having a smartcard in the first place, said James Huguelet, an independent consultant who specializes in retail security.
In addition, EMV implementation plans do not require encryption of cardholder information on all transactions, which is another major weakness, Huguelet said.
For instance, EMV technology would have done little to prevent data thieves from harvesting credit and debit card data from Target's POS systems because the data was grabbed before it could be encrypted.
Even if all such issues were to be magically solved, EMV alone does nothing to make online and mobile payment methods more secure, Huguelet said. EMV cards are fundamentally designed to make so-called card present transactions more secure. The technology makes it harder to clone cards and use them to make fraudulent transactions. However, they are of less use in card-not-present situations such as online or mobile transactions.