Through the Paying It Safe blog and many other sources, you have probably been reading or hearing about the big implementation of EMV or smart-chip payment cards in the United States and how these cards will bolster credit card security for card-present sales. There's an important deadline coming up in October, and sources such as Aite Group say that many merchants aren't ready today and likely won't be ready by October for that deadline.
Just what is this deadline, and how important is it?
Come October, there will be a shift of liability for card fraud in certain circumstances. How important this shift is to you depends on many factors, and we'll try to outline some of them here. Let's start with a look back at the origin for this EMV milestone in the U.S.
With the U.S. being the last major geographic region to adopt EMV to combat card-present fraud, the major card brands felt they needed to prod the switch to smart cards and give merchants as well as issuers a reason to get behind EMV. Thus in 2011, the card brand companies issued decrees that they would shift the liability for chargebacks and fraudulent transactions from the card issuers to the merchants who choose not to or are not prepared to accept EMV-enabled transactions by the arbitrary deadline of October 2015. (Note that gasoline merchants have a 2017 deadline.)
While the words "deadline" and "liability" sound ominous, the fact is that this milestone in the EMV adoption cycle affects some merchants much less than others. In fact, it even begs the question, "Who is mostly at risk with this liability shift?"
To clarify many of the questions on the minds of merchants, issuers, acquirers and processors, the EMV Migration Forum recently issued a report titled "Understanding the 2015 U.S. Fraud Liability Shifts." The report explains who is liable for what, and when, under these fraud liability shifts. There's a lot of detail in this report so we highly recommend reading it for yourself. We'll simply highlight a few points here.
The first thing to note is that the liability shifts only apply to certain networks under specific circumstances.
- Counterfeit fraud liability shift applies to: Accel, American Express, China UnionPay, Discover, MasterCard, NYCE Payments Network, SHAZAM Network, STAR Network and Visa.
- Lost or stolen fraud liability shift applies to American Express, Discover and MasterCard.
Beginning in October 2015 for the 9 payment networks noted immediately above, when a merchant accepts a magnetic stripe card that was counterfeited with track data copied from an EMV chip card, and the card is subsequently swiped at a POS device/application that is not EMV chip-enabled, and the transaction is successfully processed, the acquirer/merchant may be liable for the chargeback resulting from the fraud. The above counterfeit card liability shift only pertains to transactions where the magnetic stripe was read and does not apply to contactless transactions.
As for a merchant accepting a lost or stolen chip-enabled card, the liability shift takes place under the following circumstances:
Beginning in October 2015 for American Express, Discover and MasterCard, the acquirer/merchant may also be liable for a chargeback resulting from fraud if:
1. A PIN-preferring (either online or offline PIN) chip card that has been stolen (not a copy or counterfeit) is presented at a magnetic stripe-only POS device/application, and the stolen chip card is processed as a magnetic stripe transaction OR
2. A PIN-preferring (either online or offline PIN) chip card that has been stolen (not a copy or counterfeit) is presented at a chip-enabled merchant POS device/application that does not support either online or offline PIN, and the stolen chip card is processed as a signature chip transaction
The report notes that there is no expected change to Accel, China Union Pay, NYCE, STAR Network or Visa liability for lost or stolen card fraud, and accordingly, this liability remains with the issuer. Nevertheless, the lost or stolen scenarios might have very little consequence to merchants in the U.S. because many card issuers are not distributing "PIN-preferring" cards. Afraid of causing too much confusion for their customers, issuers are tending to put out "signature-preferring" cards instead.
There are other circumstances outlined in the report so we urge you to read it to see if those conditions apply to your business. This should help you make the judgment as to whether or not your business is at serious risk of having to accept liability for fraudulent card-present transactions this fall.