The Green Sheet Online Edition
December 28, 2015 • Issue 15:12:02
EMV liability shift: Who's liable for what - and when?
The EMV (short for Europay, MasterCard and Visa) liability shift is currently top-of-mind for anyone in financial services or retail. But confusion persists about what the liability shift really means and who's liable for what – and when.
First, some background on EMV. We talk with a lot of retailers (particularly small and medium-sized ones) who don't really understand why we are moving to EMV in the first place. In a nutshell: credit card fraud.
Credit card fraud is an epidemic in the United States. Our country has been hit particularly hard because we have relied on magnetic stripe technology rather than the more secure EMV. The United States is the last developed country in the world to move to EMV. Over time, as other countries have standardized on EMV, credit card fraud increasingly has migrated to the United States. Criminals sought the weak link, and it was here.
EMV is a global payment standard that relies on the microprocessor chip embedded in cards as opposed to the less secure mag stripe cards that store data on a band of magnetic material on the card, which can easily be retrieved.
Aite Group LLC reported that Americans lose $8.6 billion to credit card fraud annually, and this number is expected to reach $10 billion in 2015, according to the Nilson Report. Having EMV in place, and using it to process the majority of card-present transactions in the United States, should help reduce that number over time.
Why EMV is effective
According to Aite, counterfeit fraud has fallen 56 percent in the U.K. since the country rolled out EMV cards in 2005. In Australia, counterfeit fraud is down 38 percent; in Canada it's down 49 percent.
EMV helps because it:
- Authenticates card data: Unlike mag stripe cards, every time an EMV chip card is used at an EMV-enabled payment terminal or on a mobile POS (mPOS) device, the microprocessor chip creates a one-time unique transaction code that cannot be used again.
- Reduces fraud: Counterfeit mag stripe cards created from EMV chip cards or transaction data will not work at EMV-enabled payment terminals or mPOS devices.
- Complements payment security: EMV complements the payment security ecosystem and provides an added layer of protection when used with other payment security standards such as point-to-point encryption and technologies such as tokenization.
So what is the liability shift?
To drive the EMV migration in the United States, the card brands set a liability shift deadline of October 2015 for merchants to upgrade their payment infrastructure. (The exact date of the deadline differed by card brand.)
Before October 2015, the chargeback liability from credit card fraud always fell on the card issuer. Now, this liability shifts to the merchant in certain scenarios. It's important to note that this shift is dependent on two important components. First is the use of EMV cards; second is the use of EMV chip-enabled payment solutions (mobile and smart terminals). Where the liability falls depends on both the type of card used by the customer and the capabilities of the terminal used by the merchant (EMV-enabled or mag stripe).
Determining the type of liability shift
Many people don't realize there are two types of liability shifts. To determine which applies to a given situation, one must first define the type of fraud at hand – is it counterfeit card fraud or stolen card fraud?
Next, follow the general premise that the party supporting the superior technology for each fraud type will prevail in a chargeback. For issuers, that technology is represented by the EMV chip cards; for merchants, it's EMV-ready terminals. In case of a technology tie, the fraud liability remains as it is today: with the issuer.
Liability shift for counterfeit cards
This scenario applies to Visa Inc., MasterCard Worldwide, American Express Co. and Discover Financial Services. In this scenario a counterfeit credit card is in play in a fraudulent transaction. Post October 2015, if a merchant accepts a counterfeit mag stripe card (created from an EMV chip card or transaction data) at a payment terminal or mPOS device that is not EMV-ready, the merchant will be liable for the chargeback resulting from the fraud.
The counterfeit card created from an EMV card or transaction data can only be processed at a mag stripe-only terminal. If the merchant's payment solution is ready to accept EMV transactions, this counterfeit card will not be processed, thus, saving the merchant from the liability.
Here are some other instances that show the liability shift in case of counterfeit cards:
The only caveat here is in the case of a fallback transaction – which is a transaction that is initiated between a chip card and a chip terminal, but chip technology is not used (due to card reader error, damaged EMV chip, etc.) and the transaction is completed via mag stripe. Since fallback transactions are initiated as an EMV transaction but end up as mag stripe, the liability remains with the card issuer.
Liability shift for stolen cards
This scenario applies to MasterCard, AmEx and Discover and occurs when a stolen EMV chip card is in play in a fraudulent transaction. Post October 2015, if a merchant accepts a stolen EMV chip card that requires a PIN using a payment terminal or mPOS device that does not support EMV with PIN entry, the merchant will be liable for the chargeback resulting from the fraud.
This liability shift does not include No CVM (Cardholder Verification Method) transactions that meet the No CVM requirements of the card brand or network. No CVM transactions are typically low-dollar transactions with merchants in low-risk categories such as fast food, convenience and grocery stores. In this situation, the issuer-set transaction threshold allows for the payment to go through without the need for a PIN or signature.
Here are some other instances that show the liability shift in case of stolen cards:
The only caveat to this scenario is in case of a PIN bypass. In a chip and PIN transaction, a cardholder can bypass the PIN and process the transaction without it being entered, only if the merchant's terminal provides the cardholder the option. In this scenario, PIN bypass indicators are sent in the authorization request to the issuer. If the issuer chooses to approve the transaction, the issuer accepts the liability on that transaction.
Risks of not migrating to EMV
So far I've explained how liability of a fraudulent card transaction shifts to the merchant in certain scenarios. Following are the risks merchants face if they are not ready to accept EMV transactions post the deadline:
- Financial impact: With credit card fraud rampant in the United States, the total volume of chargebacks from fraudulent transactions could result in heavy costs for merchants post October 2015.
The best way for merchants to protect themselves against any potential chargebacks and penalty fees resulting from credit card fraud and data breaches is to make sure their businesses are equipped with EMV-ready payment solutions.
- Brand Image: According to a Ponemon Institute survey, data breaches are in the top three types of incidents that affect a merchant's reputation. Merchants face the risk of harming their brand reputation in event of a credit card fraud or a data breach.
High frequency of these events have made customers across the United States wary of where they use their credit cards and form a negative brand perception of merchants who use outdated payment technology.
In 2013, Target Corp. (one of the biggest retail chains in the country) was a victim of a data breach via which credit card information of over 40 million accounts was compromised. The aftermath of the breach saw layoffs and executive changes within Target, which added fuel to the bad publicity the company was already receiving at that time. And a 46 percent drop in Target's profits by the fourth quarter of 2013 was attributed to the breach. In 2014, the slew of data breaches continued with many brands such as Neiman Marcus, UPS, P.F. Chang's, and others being hacked.
By upgrading their payment infrastructures to support EMV, merchants not only protect themselves from fraudulent transaction liability, but they also safeguard their brand image in the eyes of the consumer.
Allen Friedman is Vice President of Payment Solutions at Ingenico Group, North America where he is responsible for Ingenico Group's EMV Payment Solutions and the EMV implementation strategy in the United States. Prior to joining Ingenico Group, Allen worked for Vital Processing Services (now TSYS Acquiring Solutions) in Tempe, Arizona, beginning in 1999 and during his fifteen-year tenure held a variety of management positions in technical support, solutions implementation, and product management. In addition, Allen has been a member and active participant in the EMV Migration Forum since its founding, and he continues to serve on several committees and working groups. Also, he is an active contributing member of the Smart Card Alliance Payments Council. For more information, contact him at email@example.com or visit www.ingenico.us.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.