As of October 1, 2015, liability for credit card fraud at merchant points of sale (POS) in the US has shifted. Prior to that date, banks and financial institutions that issued the credit card used in a transaction would shoulder the entire liability for fraud in that transaction (aside from a token $50 liability on the consumer’s part, which was most often waived). But starting on October 1, the liability for fraud may shift to the merchant or operator of the POS equipment if the POS is not EMV-ready. In general, the liability for transaction fraud will rest with the party with the least EMV compliant technology – and will rest with the financial institution if both the POS and the card issuer are equally compliant.
What is EMV and why is liability shifting?
EMV stands for Europay, MasterCard and Visa, a global standard for credit cards that is intended to make purchases more secure. As the volume of credit card fraud has been growing worldwide, the EMV standard has been advertised as a way to rein in the use of fake credit cards at POS. EMV compliance has been increasing much faster outside the US for the last few years, and it is just being rolled out in the US in 2015. The standard involves the use of a chip on the credit card to generate a unique transaction ID. While older credit cards have a magnetic stripe that can be easily copied onto a fake card, the chips on the EMV cards are much more difficult to duplicate. Moreover, if an attacker were to capture a transaction ID from a valid EMV card, that ID could not be reused in a later transaction.
With the new EMV standard, customers will no longer swipe their card, but will insert the card into a special EMV reader (this is called ‘dipping’ instead of swiping). These new card readers might accommodate both the old magnetic cards and the new chip-based cards and can cost up to a few hundred dollars each. The total cost to migrate to the EMV standard in the US is expected to be close to $7 billion for replacing the POS devices and $1.4 billion for the credit and debit cards themselves.
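Why a captured transaction ID cannot be reused, shown as an added example that is not part of the original article: a simplified model in which the chip computes a keyed code over a per-transaction counter and the issuer rejects any counter it has already seen. HMAC-SHA256, the message layout, the class names and the sample card number and key are assumptions made for illustration, not the actual EMV algorithm.

```python
import hashlib
import hmac

# Simplified model of a per-transaction chip cryptogram. HMAC-SHA256 and the
# message layout are stand-ins chosen for this example, not the EMV algorithm.

def _mac(key, pan, counter, amount_cents, nonce):
    msg = f"{pan}|{counter}|{amount_cents}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class ChipCard:
    def __init__(self, pan, key):
        self.pan, self._key, self.counter = pan, key, 0  # key never leaves the chip

    def sign(self, amount_cents, nonce):
        self.counter += 1  # every transaction gets a fresh counter value
        return {"pan": self.pan, "counter": self.counter, "amount": amount_cents,
                "nonce": nonce,
                "tag": _mac(self._key, self.pan, self.counter, amount_cents, nonce)}

class Issuer:
    def __init__(self):
        self.keys, self.last_counter = {}, {}

    def enroll(self, pan, key):
        self.keys[pan], self.last_counter[pan] = key, 0

    def verify(self, txn):
        key = self.keys.get(txn["pan"])
        if key is None:
            return "unknown card"
        expected = _mac(key, txn["pan"], txn["counter"], txn["amount"], txn["nonce"])
        if not hmac.compare_digest(expected, txn["tag"]):
            return "bad cryptogram"   # altered fields or forged tag
        if txn["counter"] <= self.last_counter[txn["pan"]]:
            return "replay"           # counter already seen: captured data reused
        self.last_counter[txn["pan"]] = txn["counter"]
        return "approved"

def demo():
    key = b"constructed-demo-key"            # constructed sample values
    card, issuer = ChipCard("4000000000000002", key), Issuer()
    issuer.enroll(card.pan, key)
    first = card.sign(1999, "n-001")
    captured = dict(first)                   # copy taken by an eavesdropper
    altered = dict(first, amount=999999)     # same tag, different amount
    return [issuer.verify(first), issuer.verify(captured),
            issuer.verify(altered), issuer.verify(card.sign(500, "n-002"))]

if __name__ == "__main__":
    print(demo())
```

A magnetic stripe has no counter and no key: the data read from it is identical on every swipe, so an issuer has nothing comparable to the replay check in `verify` to tell a copy from the original.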
How does the EMV transaction work?
A few seconds after the customer inserts the card into the reader, the card chip will generate the unique transaction ID and validate the payment. There are a few options for how the transaction can be validated once the transaction ID is issued. Outside the US, many merchants are set up for EMV with chip-and-PIN validation: while the card is in the reader, the customer must enter the valid PIN associated with the card in order for the transaction to be completed. To avoid delays and inconveniences associated with forgotten PINs, US merchants are mainly adopting an alternative validation: the chip-and-signature approach. With this version, the customer inserts the credit card in the reader, waits for the transaction ID to be generated, then signs the receipt, just as for the older magnetic card transactions. While chip-and-signature is somewhat less secure than the chip-and-PIN approach, both are acceptable for shifting the liability for credit fraud from the merchant’s side back to the financial institution issuing the card.
A third alternative allows for even faster transactions, using near field communications (NFC). With this approach, the card does not need to be dipped (inserted into the reader), but only tapped on a special reader. NFC cards can work with PINs or with a signature. Merchants that accept Apple Pay are using the same NFC technology with an iPhone instead of a credit card.
Which credit card issuers are involved and what is the timeline?
Although American Express and Discover are not part of the EMV standard name, they are also shifting the liability to the POS owner on the same October 1, 2015 deadline. On the other hand, POS at automated fuel dispensers have until October 2017 to complete the transition to the new standard. Also, the transition from magnetic stripe debit cards to EMV chip debit cards is somewhat slower, expected to shift liability to ATM operators on October 1, 2016 for MasterCard and on October 1, 2017 for Visa.
In the meantime, although we are past the October deadline, not all POS have been converted to the EMV standard. This might confuse some of the customers, because some merchants will still require cards to be swiped, while others might ask the customer to dip the card and sign. A smaller number of merchants might opt to ask the customer to enter a PIN, which is likely to cause the most problems, as many credit card users do not recall their PIN.
A 2015 survey found that 90 percent of card issuers have already started to issue EMV chip cards, or are planning to do so by the end of 2015. Still, only about 40 percent of the terminals in the US will be EMV compliant by the end of 2015 and only about a quarter of all the 71 million debit cards issued in the US will be EMV ready by the end of 2015. By the end of 2016, three quarters of the debit cards will be EMV ready, and most of them will be EMV ready by the end of 2017. As merchants consider whether to upgrade, they need to balance the costs associated with the upgrade against the potential for increased liability for fraud.
What happens to liability for transactions online or on the phone?
The liability shift does not apply to card-not-present fraud. Merchants processing credit cards online or over the phone do not need to be concerned about the liability shift.
Since the EMV upgrade is not a legal requirement, many business owners will weigh the costs and the benefits of adopting the EMV equipment. Some of the elements of this tradeoff might be surprising. Depending on the payment processing company, some debit card transactions using EMV chips might be processed as credit card transactions (and might incur higher processing fees). Even with a credit card present, a merchant can also elect to enter the card information manually, rather than using a POS. This will be completed as a card-not-present transaction, where the merchant will not be liable for not having an EMV-compliant POS, but the fees for card-not-present transactions are often considerably higher than for card-present transactions. Hence, a merchant might elect to pay higher transaction fees rather than update the POS or face the higher liability for failing to update the POS.
Finally, the EMV technology is also available from mobile payment processors, albeit at somewhat higher prices. Square offers free readers for the magnetic stripe cards, but charges $30 for a chip reader and $50 for an NFC reader. A June 2015 Entrepreneur magazine article claims that Square will also provide free EMV readers to select customers.
What should a merchant do if they have not upgraded yet?
As we indicated in this article, there is no legal requirement for upgrading to the EMV standard. In deciding whether to upgrade, merchants should consider their client base and their appetite for risk. A business with a stable client base (a medical practice with long-term clients) might be less inclined to fear credit card fraud from their customers, and might opt to save the costs of the upgrade, or at least to delay upgrading. Another business with more transient customers might find it more prudent to upgrade to avoid being hit with liability for transactions carried out with non-EMV-compliant credit card readers. The longer a business waits to upgrade, the more transactions it carries via non-EMV-compliant equipment, and the more likely it is to be liable for some fraudulent transactions.
Bogdan Hoanca is a Professor of Management Information Systems at the University of Alaska Anchorage, and the Director of Graduate Programs in the College of Business and Public Policy, in charge of admissions to the MBA program, the only business accredited MBA program in Anchorage. His research involves information security and the societal impact of technology. He has published 12 journal articles, 12 book chapters, more than 35 conference papers and is the holder of three US patents (with a fourth one pending).