U.S. Markets closed

7 merchant tips to understanding EMV fraud liability shift

Sienna Kossman

 

If you're a merchant who still can't process chip card payments, you could shoulder consumer fraud costs if an incident occurs and you're not "EMV-ready." The deadline for the fraud liability shift for brick-and-mortar merchants was Oct. 1, 2015.

If that sentence made you panic, confused or mad, you've got company. The nationwide adoption of EMV chip cards and processing technology is not a small undertaking for anyone involved -- merchants and cardholders alike.

"It's a significant change in a pattern of life that we've had for a long time with mag stripe cards," said Gregg Smith, North American sales manager for Cardtek, an international payment processing company.

Fret no more. Whether you are a frazzled business owner or just an inquisitive consumer, CreditCards.com has outlined exactly what October 2016's EMV fraud liability shift meant for all parties involved:

1. The liability shift changes who may shoulder fraud chargeback costs.
After Oct. 1, 2015, in-store counterfeit fraud liability shifted to the party -- either the card issuing financial institution or the merchant -- that has not yet adopted chip technology.

"The liability shift protects the entity who offers the greater level of security by holding the other entity with less secure systems responsible for fraud," said Carolyn Balfany, safety and security expert at Mastercard. "For example, if fraud occurs when a chip card is inserted into a terminal that hasn't been upgraded, the merchant is responsible for the fraud."

Prior to this shift, credit card issuers were primarily responsible for covering fraud affecting consumer accounts, reimbursing cardholders for lost funds as a result of counterfeit (or other) fraud. As of Oct. 1, 2015, financial institutions will still cover cardholders' accounts as before, but in some cases the institutions may be able to seek reimbursement from the merchant or merchant acquirer (a bank or company that processes payments on behalf of a merchant) if the retailer was not prepared to accept EMV payment technology.

"Whoever has the lowest level of security essentially is now responsible for that unauthorized transaction," said Doug Johnson, president of American Bankers Association.

However, the change doesn't necessarily mean merchants will be bearing the brunt of fraud charges. There are still a greater number of situations in which the card issuer would continue to shoulder fraud chargeback costs just as they do now. "If both parties have upgraded security, then the environment remains precisely as it is now. The bank would reimburse the customer just as they do now," Johnson added

It's important to note that the liability shift only pertains to counterfeit fraud tied to EMV chip cards, as they will still have magnetic stripes that could be hijacked. The liability shift will not apply to large scale data breaches or consumer payment card data stolen prior to October 1.

"There is a lot of counterfeit card data out there from past data breaches and what not that could show up at a merchant store at any time, but the merchants will only be liable is if fraud came from a counterfeited mag stripe card that originated from a card issued with a chip on it," explained Randy Vanderhoof, executive director of the Smart Card Alliance.

Here are some more examples of who may handle fraud costs based on the situation, post-Oct. 1, 2015:

2. The shift is intended to help parties deal with counterfeit fraud more equally.
The EMV fraud liability shift was implemented by major U.S. payment card networks (nine to be exact: Accel, American Express, China UnionPay, Discover, Mastercard, NYCE Payments Network, SHAZAM Network, STAR Network and Visa) to combat counterfeit fraud.

Since the U.S. is the only country in which counterfeit card fraud is consistently growing, the shift was put in place to encourage faster adoption of EMV payment technology, according to Stephanie Ericksen, vice president of Risk Products for Visa.

"The way that the liability shift works is to set a structure in place to incentivize the protection of chip," she said. "Merchants get protection against liability as soon as they get a terminal and enable chip acceptance, and vice versa for issuers."

Counterfeit card fraud costs the U.S. $7.86 billion in 2015, according to The Nilson Report. In particular, card issuers lost $4.91 billion and merchants lost $2.95 billion to counterfeit card fraud last year.

Some retailers, such as Home Depot and Walmart, are fighting back against the idea that the current EMV adoption plan and fraud liability shift rules are the best way to fight high fraud rates. In May Walmart filed an anti-trust lawsuit against Visa, claiming the national move to chip-and-signature EMV payments is not as secure as chip-and-PIN. In June Home Depot filed a similar suit expressing concerns that networks and card issuers – not just merchants – can do more to secure consumer payment information.

“At ATMs where you are taking out the banks money, they insist you use a PIN, no one goes to an ATM and signs for cash,” said Mallory Duncan, senior vice president and general counsel at the National Retail Federation. “The banks insist on it because it’s secure, and that’s the same thing we were insisting for our stores around the country, inside and out.”

Although there may be hesitation from all parties involved to make the switch to EMV payment technology, security experts believe merchant migration is a crucial step in combating the fraud that typically occurs at in-store payment terminals.

"We are trying to reduce the opportunities fraudsters will have to take advantage of vulnerabilities in our system as a whole," said Seth Ruden, senior fraud consultant at ACI Worldwide, a global banking and payment processing company. "Unfortunately, we can only do that by changing who has what kind of terminals and the liability must shift so we can push all merchants in the same direction and toward the same future."

3. Stolen/lost card fraud liability may depend on the card and network.
If chip cards can be dipped and signed for, but not easily counterfeited, wouldn't it be easy for fraudsters to just steal the chip cards themselves?

Potentially, but the liability shift details how stolen card fraud will be handled if criminals are willing to take such chances. For the most part, issuers will handle fraud resulting from a lost or stolen card situation just as they do now.

"There's no lost and stolen liability shift for Visa," Ericksen explained. "The issuer would still be liable for lost and stolen fraud, just like today." Accel, China UnionPay, NYCE and STAR Network are also not changing existing lost and stolen fraud liability policies.

However, a few major networks have one exception.

If the card used to commit fraud is a Mastercard, American Express or Discover card, the chargeback liability still remains with the issuer unless the card is a PIN credit or debit card and the accepting merchant was unable to process the card as a chip card and had to swipe the mag stripe instead. If the merchant had been able to process the card's chip, the PIN feature may have stopped the fraud but because the merchant wasn't prepared, they are the liable party.

Even in that instance, cardholders will not be held responsible for unauthorized transactions if they have used "reasonable care in protecting the card from loss or theft" and "promptly contacted their financial institution when they knew that their Mastercard was lost or stolen," according to Balfany.

Merchants who are prepared to accept EMV cards won't have to worry about these situational differences -- or any resulting fraud chargeback costs.

"So as long as a merchant has the ability to process that kind of card, they will never be liable for a lost and stolen card, regardless of the card type," Vanderhoof added.

4. The liability shift does not apply to card-not-present fraud.
Merchants who make sales online instead of in-store don't have to worry about today's liability shift because it doesn't affect them. 

For starters, EMV chip technology does not work online, as card chips need to be physically read by a payment terminal during the card-dipping process in order to produce the unique transaction code. Chip card holders making online payments will continue to type in card numbers as usual and if card-not-present fraud occurs, it would be handled just like before the October 2015 liability shift, typically by the card issuers based on their existing fraud liability guidelines.

“The one thing that merchants are going to have to struggle with, as long as we have cards that are chip and signature, we will see a shift to online fraud,” said NRF’s Duncan. “Merchants will have to put more roadblocks in the way of transactions in an effort to keep down the fraud occurring online.”

Upgrading to chip cards and point-of-sale terminals will help address card-present fraud, and the liability shift pertains only to that scenario. Tackling fraud that occurs in other areas will be an ongoing project. The migration to EMV is expected to help reduce fraud, but it's not the be-all-end-all answer to payment fraud in the U.S.

"The card-not-present channel has its own set of controls and we are working on a solution for those independently and with different elements than the card-present problem," Ruden said. "In the next year we should see some new schemes materialize that will add controls in the card-not-present space. And that will provide us with another layer of control just like the chip cards are doing."

5. All brick-and-mortar merchants are affected by the EMV shift, except gas stations.
Even if you only handle a couple of in-store payments a week and the rest is done online, you are still liable for the in-store payments -- unless you own a gas station.

Visa-network ATMs have until October 1, 2017, as did all self-service gas stations, until