Confused on EMV Card Liability? Guide for Small Business
As the US gets serious about cutting down on credit card fraud, you’ve likely found no shortage of information about how the switch to EMV credit cards will affect your business. Reviewing more specific information about the liability switch you may encounter, as well as cases of potential fraudulent situations could help you get more comfortable with security chip credit card technology.
EMV Credit Card Compliance
At the moment, there is no law in place mandating the switch to EMV credit cards, so it is a voluntary change on the part of card issuers and merchants. That said, each credit card brand is providing incentives to switch by changing liability for card present (aka the card is physically in your possession) credit card fraud. While it’s always wise to check on the brand website for any brand of card you accept (Visa, MasterCard, Discover, American Express) for their up-to-the-minute guidelines, the current deadline for compliance is October 1, 2015, with a two-year extension granted to automated fuel dispensers.
What does the deadline mean? Basically, it’s a shift of liability to whichever party utilizes the least secure type of credit card technology. Let’s look at four cases to see the liability shift in action:
Counterfeit EMV Credit Card Presented to a Magnetic Strip Card Reader
In this situation, the card issuer has done everything it can do to protect the cardholder’s information by providing EMV credit cards. If someone were to skim the information from the EMV card’s magnetic strip to make a counterfeit card, the card present fraud would be allowed to occur because the merchant lacks the capability to stop it. This means that once the cardholder reports the fraudulent activity to the card issuer, the issuer would go after the merchant for the full amount of the loss.
Counterfeit Magnetic Strip Credit Card Presented to EMV Credit Card Reader
Here we have the exact opposite. While the merchant has done what’s necessary to upgrade the credit card software and hardware, it doesn’t make a difference because the customer didn’t receive a security chip credit card from the card issuer. Once the consumer reports the fraudulent activity to the card issuer, the card issuer, not the merchant, would have to take the loss.
In a situation where neither the card issuer nor the merchant utilized EMV credit card technology, the liability would most likely shift to the card issuer; however, it’s a good idea to check with the card brand itself to ensure you have the correct understanding of their liability policy.
Unfortunately, with it getting harder to commit card present fraud, many fraudsters may turn to the Internet to continue their criminal activity. Let’s look at two quick examples of how EMV credit cards used online could impact your business:
Credit Cards Used Online After a Data Breach
This is one area that will be a massive change for merchants. When a data breach of your point of sale system occurs, hackers are able to get the information for EMV credit cards and magnetic strip cards alike. If you did your part to upgrade to the new technology, any EMV card information would be worthless to hackers, as they cannot use those transaction codes to make online purchases.
If, however, you hadn’t upgraded your point of sale system when the data breach occurred, that means that your system exclusively stores the less secure magnetic strip credit card information that’s a veritable goldmine for hackers. When the credit card information stolen from your non-EMV card readers are used to make fraudulent purchases in-store and online, your business will be responsible for a much higher percentage of the losses than it was under the old system. Again, always check with the credit card brands you accept for payment for exact liability figures.
Counterfeit EMV Credit Cards Used for Online Purchases
Currently, the switch to security chip credit cards will do little to curb fraudulent online purchases. As an online merchant, your liability will remain the same, but now is an excellent time to revisit the way you authenticate cardholder identity during transactions. As fraudsters grow more sophisticated, using address verification or simply asking for the security code on the back of the credit card may no longer be sufficent.
Gonsalves, Antone. Shift to EMV Cards Expected to Increase Online Fraud. CSO. February 8, 2014.
Holmes, Tamara E. Data Breaches Turn Spotlight on EMV Cards. CreditCards.com. February 7, 2014.
Verifone. EMV Key Dates Chart. February 12, 2013.