Maybe you've noticed: At many stores, both big and small, you still have to swipe the magnetic stripe on your new chip-enabled credit card, rather than insert or dip it into a chip-reader.
Edgar Dworsky, founder of the website ConsumerWorld.org, wondered why he's rarely asked to dip his smart cards, despite an Oct. 1 "deadline" for retailers to adopt the new standard. So he decided to survey the marketplace last week.
He checked 48 national and regional chains and found that only one in four had payment terminals able to process a purchase using the chip security feature in the EMV cards (an acronym derived from Europay, MasterCard and Visa, the three companies that originally developed the standard).
"Virtually all — except for Radio Shack — have installed checkout terminals with the card slots for these chip cards, but most of them did not work. They had not turned on the system yet," Dworsky told NBC News.
Big-name national and regional retailers that cannot accept chip cards at some or all of their stores include: Bed Bath & Beyond, CVS, Costco, Foot Locker, Kmart, Kohl's, Kroger, Marshalls, Michaels, PetSmart, Safeway, Sears, Sports Authority, Staples, Stop & Shop, T.J. Maxx, Toys R Us and Whole Foods.
"It seems crazy that all of this money is being spent to send out replacement cards and to install all the new payment terminals at these big-name stores, but nothing has really changed - the security is no better," Dworsky commented. "Plus, it's really frustrating and confusing for shoppers who see the new terminals and don't know whether to swipe or dip their credit card."
EMV cards were developed to make credit card transactions more secure. The smart chip cards have two important advantages over traditional magnetic-strip cards. First, it's harder for fraudsters to make a fake physical card. Secondly, even if the bad guys get a hold of the transactional code, it's worthless because it works only one time.
NBC News contacted many of these retailers to find out why they had not yet made the switch.
CVS said it started accepting EMV cards at some stores at the beginning of December and expects to be able to use them chainwide by the end of the year.
Sears did not provide a reason for the delay. In an email, Howard Riefs, director of corporate communications, wrote: "We are continuously working to further enhance the security of our systems, including our card readers. While we don't give specifics on those steps to improve their effectiveness, the security of customer and member information is of paramount importance to us."
Bed Bath & Beyond said it is on track to begin processing chip transactions in the first half of 2016. In an email, spokesperson Jessica Joyce said the company will also be adding protections "that go above and beyond the chip-and-sign process" and include "end-to-end security" for its customers.
It should be noted: Because of the massive data breach during the 2013 holiday shopping season, Target was the first national retailer to adopt chip card checkout technology. Target added an extra level of security to its new credit and debit REDcards. While most new chip cards in the U.S. only require a signature to complete the transaction, Target's new REDcards require a PIN.
Why the holdup?
Making the switch to chip technology is a costly and complex process that requires retailers to do more than install new card readers. They must also integrate new software, have their upgraded payment system certified and train employees.
"It's a massive undertaking," said Jason Oxman, CEO of the Electronic Transactions Association, which represents the companies that process credit and debit card payments. "We've made a lot of great progress. We have literally hundreds of millions of cards in the market and hundreds of thousands of merchants have upgraded their infrastructure. But we still have a lot of work to do and it will continue in 2016."
It takes the average retailer about 19 months to get the new chip card payment system up and running, according to Mallory Duncan, senior vice president and general counsel at the National Retail Federation. Many stores did not have time to do that before the start of the holiday shopping season, so they decided to delay implementation, he said.
"Most sane individuals are not going to be ripping out terminals, installing new ones and testing them out at the busiest time of the year," Duncan said.
Duncan blamed the card processing networks, such as Visa and MasterCard, for providing the technical specifications to retailers late and delaying the certifications needed to turn on the new systems.
"For our mid-size and larger members, there's a huge adoption of the equipment, but they're sitting there, madder than wet hens, that they can't get certifiers or that they've been thrown new specifications, essentially at the last minute, to comply with," Duncan said.
Randy Vanderhoof, executive director of the Smart Card Alliance, told NBC News that developing specs for handling debit cards took longer than expected and that they were provided to merchants later than anticipated. The Smart Card Alliance represents all the major players in the switch to smart cards: card issuers, payment brands (American Express, Discover, MasterCard and Visa), payment processors and merchants.
"We heard from merchants that they were ready to go with their chip card readers for credit, but since they weren't fully implemented yet on the debit side, they decided they didn't want to offer a mix of chip credit cards and swipe debit cards and chose to delay the implementation of the activation for all cards until they had both of them working," Vanderhoof said.
Actually, it's really going rather well.
The Smart Card Alliance was formed in 2012, when the commitment was made to switch from the outdated and easy-to-counterfeit magnetic stripe credit and debit cards to a smart card with an embedded chip. Chip cards are difficult to counterfeit if lost or stolen, or the account information is compromised. It cannot prevent all card-related fraud, such as using stolen card information for online transactions.
In his position as executive director, Vanderhoof has a unique perspective on the transition.
"I think we've done very well with what we had to work with, but we would like to have seen more progress being made by the time we hit this holiday shopping season," he said. "Even so, we're still satisfied that progress is being made and it will only be a matter of a few more months before we really get to the point where we want to be."
Chip cards are not required by law, but since Oct. 1, stores that can't process them could lose money. The reason: The credit card companies changed their rules about fraud liability. Now, if a customer hands the clerk an EMV card but the transaction cannot be processed using the chip, the merchant will bear any loss due to fraud, not the credit card company.
While Vanderhoof said he believes that October deadline was "overly optimistic," both Visa and MasterCard said they believe things are going very well.
"We're moving very, very quickly as compared to international statistics," said Carolyn Balfany EMV expert at MasterCard. "Historically, it's taken some time even past the liability shift being implemented for the merchants' locations to be enabled and the cards to be issued. On both fronts, the U.S. is doing a very nice job."
Current statistics show:
"We've seen really steady progress and great momentum, particularly during the summer and heading into the fall," said Stephanie Ericksen, vice president of risk products at VISA. "It does take time, but the progress we've seen so far is just really encouraging."
Canada, Brazil and Australia are the three most recent countries to move to chip technology. Ericksen said it took four to five years until 90 percent of their payments were made with a working chip card.
A recent report by Javelin Strategy & Security predicted that universal adoption of chip technology - 85 percent of merchants accepting them - will take until 2019.
"The large merchants who haven't done so already will make the switch after the holidays are done. They're just biding their time," said Al Pascual, director of fraud and security at Javelin Strategy & Research. "The small retailers and restaurants will be the holdouts and we'll start to see that play out over the next year or two."